njrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe(4).exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

njrat phorphiex vidar xmrig hacked credential_access discovery evasion execution loader miner persistence spyware stealer trojan upx worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
l9ll8dd6x
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

82.193.104.21:5137

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Extracted

Family

phorphiex

http://185.215.113.84

Signatures

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/2256-280-0x0000000000400000-0x0000000002459000-memory.dmp	family_vidar_v7
behavioral1/memory/2256-283-0x0000000000400000-0x0000000002459000-memory.dmp	family_vidar_v7

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysvplervcs.exe

Njrat family
njrat
Phorphiex family
phorphiex

Phorphiex payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000016cd7-179.dat	family_phorphiex
behavioral1/files/0x0007000000016cf5-190.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2528 created 1224	2528	2383929885.exe	21
PID 2528 created 1224	2528	2383929885.exe	21
PID 2368 created 1224	2368	winupsecvmgr.exe	21
PID 2368 created 1224	2368	winupsecvmgr.exe	21
PID 2368 created 1224	2368	winupsecvmgr.exe	21

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysvplervcs.exe

Xmrig family
xmrig
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/2368-638-0x000000013FC50000-0x00000001401E7000-memory.dmp	xmrig
behavioral1/memory/2164-651-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1600	powershell.exe
2900	powershell.exe
1716	powershell.exe
2844	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 23 IoCs

pid	Process
1452	InstallerPack_20.1.23770_win64.exe
2256	build_2024-07-27_00-41.exe
2456	11.exe
1868	r.exe
2624	t.exe
2464	sysarddrvs.exe
2552	sysvplervcs.exe
3016	Server.exe
964	1188%E7%83%88%E7%84%B0.exe
1292	libcurl-addon.exe
2992	stail.exe
2212	stail.tmp
2052	tckplayer.exe
1492	229816441.exe
2816	2877830485.exe
1076	214852748.exe
1040	2441514975.exe
1936	1381527864.exe
1544	81926254.exe
2528	2383929885.exe
2368	winupsecvmgr.exe
2924	591630655.exe
1048	1984721984.exe

Loads dropped DLL 37 IoCs

pid	Process
2176	4363463463464363463463463.exe(4).exe
2176	4363463463464363463463463.exe(4).exe
2176	4363463463464363463463463.exe(4).exe
2176	4363463463464363463463463.exe(4).exe
2176	4363463463464363463463463.exe(4).exe
2176	4363463463464363463463463.exe(4).exe
2176	4363463463464363463463463.exe(4).exe
2176	4363463463464363463463463.exe(4).exe
2176	4363463463464363463463463.exe(4).exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
1908	WerFault.exe
2176	4363463463464363463463463.exe(4).exe
2176	4363463463464363463463463.exe(4).exe
2176	4363463463464363463463463.exe(4).exe
2176	4363463463464363463463463.exe(4).exe
2176	4363463463464363463463463.exe(4).exe
2176	4363463463464363463463463.exe(4).exe
2992	stail.exe
2212	stail.tmp
2212	stail.tmp
2212	stail.tmp
2212	stail.tmp
2464	sysarddrvs.exe
2464	sysarddrvs.exe
2464	sysarddrvs.exe
2552	sysvplervcs.exe
2464	sysarddrvs.exe
2552	sysvplervcs.exe
1076	214852748.exe
2912	taskeng.exe
2552	sysvplervcs.exe
2552	sysvplervcs.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysvplervcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvplervcs.exe"	r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysarddrvs.exe"	11.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com
59	bitbucket.org
62	bitbucket.org

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2368 set thread context of 1072	2368	winupsecvmgr.exe	105
PID 2368 set thread context of 2164	2368	winupsecvmgr.exe	106

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0015000000016c88-297.dat	upx
behavioral1/memory/964-306-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral1/memory/964-426-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral1/memory/964-603-0x0000000000400000-0x0000000000516000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\sysarddrvs.exe	11.exe
File opened for modification	C:\Windows\sysarddrvs.exe	11.exe
File created	C:\Windows\sysvplervcs.exe	r.exe
File opened for modification	C:\Windows\sysvplervcs.exe	r.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2892	sc.exe
2812	sc.exe
2544	sc.exe
2724	sc.exe
2056	sc.exe
2376	sc.exe
2160	sc.exe
1532	sc.exe
3020	sc.exe
2616	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1908	1452	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build_2024-07-27_00-41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysvplervcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stail.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysarddrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1381527864.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1188%E7%83%88%E7%84%B0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe(4).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tckplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	214852748.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallerPack_20.1.23770_win64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build_2024-07-27_00-41.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build_2024-07-27_00-41.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2120	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	1188%E7%83%88%E7%84%B0.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	4363463463464363463463463.exe(4).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe(4).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe(4).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe(4).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe(4).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe(4).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe(4).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4363463463464363463463463.exe(4).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	4363463463464363463463463.exe(4).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe(4).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe(4).exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2892	schtasks.exe
2636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1452	InstallerPack_20.1.23770_win64.exe
2256	build_2024-07-27_00-41.exe
1716	powershell.exe
2844	powershell.exe
2256	build_2024-07-27_00-41.exe
2256	build_2024-07-27_00-41.exe
2212	stail.tmp
2212	stail.tmp
1492	229816441.exe
1040	2441514975.exe
2528	2383929885.exe
2528	2383929885.exe
1600	powershell.exe
2528	2383929885.exe
2528	2383929885.exe
2368	winupsecvmgr.exe
2368	winupsecvmgr.exe
2900	powershell.exe
2368	winupsecvmgr.exe
2368	winupsecvmgr.exe
2368	winupsecvmgr.exe
2368	winupsecvmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3016	Server.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2552	sysvplervcs.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	4363463463464363463463463.exe(4).exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	3016	Server.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe
Token: SeDebugPrivilege	1492	229816441.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe
Token: SeDebugPrivilege	1040	2441514975.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeLockMemoryPrivilege	2164	dwm.exe
Token: SeLockMemoryPrivilege	2164	dwm.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe
Token: 33	3016	Server.exe
Token: SeIncBasePriorityPrivilege	3016	Server.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2212	stail.tmp
2164	dwm.exe
2164	dwm.exe
2164	dwm.exe
2164	dwm.exe
2164	dwm.exe
2164	dwm.exe
2164	dwm.exe
2164	dwm.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2164	dwm.exe
2164	dwm.exe
2164	dwm.exe
2164	dwm.exe
2164	dwm.exe
2164	dwm.exe
2164	dwm.exe
2164	dwm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
964	1188%E7%83%88%E7%84%B0.exe
964	1188%E7%83%88%E7%84%B0.exe
964	1188%E7%83%88%E7%84%B0.exe
964	1188%E7%83%88%E7%84%B0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1452	2176	4363463463464363463463463.exe(4).exe	32
PID 2176 wrote to memory of 1452	2176	4363463463464363463463463.exe(4).exe	32
PID 2176 wrote to memory of 1452	2176	4363463463464363463463463.exe(4).exe	32
PID 2176 wrote to memory of 1452	2176	4363463463464363463463463.exe(4).exe	32
PID 2176 wrote to memory of 1452	2176	4363463463464363463463463.exe(4).exe	32
PID 2176 wrote to memory of 1452	2176	4363463463464363463463463.exe(4).exe	32
PID 2176 wrote to memory of 1452	2176	4363463463464363463463463.exe(4).exe	32
PID 2176 wrote to memory of 2256	2176	4363463463464363463463463.exe(4).exe	33
PID 2176 wrote to memory of 2256	2176	4363463463464363463463463.exe(4).exe	33
PID 2176 wrote to memory of 2256	2176	4363463463464363463463463.exe(4).exe	33
PID 2176 wrote to memory of 2256	2176	4363463463464363463463463.exe(4).exe	33
PID 2176 wrote to memory of 2456	2176	4363463463464363463463463.exe(4).exe	34
PID 2176 wrote to memory of 2456	2176	4363463463464363463463463.exe(4).exe	34
PID 2176 wrote to memory of 2456	2176	4363463463464363463463463.exe(4).exe	34
PID 2176 wrote to memory of 2456	2176	4363463463464363463463463.exe(4).exe	34
PID 2176 wrote to memory of 1868	2176	4363463463464363463463463.exe(4).exe	35
PID 2176 wrote to memory of 1868	2176	4363463463464363463463463.exe(4).exe	35
PID 2176 wrote to memory of 1868	2176	4363463463464363463463463.exe(4).exe	35
PID 2176 wrote to memory of 1868	2176	4363463463464363463463463.exe(4).exe	35
PID 2176 wrote to memory of 2624	2176	4363463463464363463463463.exe(4).exe	36
PID 2176 wrote to memory of 2624	2176	4363463463464363463463463.exe(4).exe	36
PID 2176 wrote to memory of 2624	2176	4363463463464363463463463.exe(4).exe	36
PID 2176 wrote to memory of 2624	2176	4363463463464363463463463.exe(4).exe	36
PID 2456 wrote to memory of 2464	2456	11.exe	37
PID 2456 wrote to memory of 2464	2456	11.exe	37
PID 2456 wrote to memory of 2464	2456	11.exe	37
PID 2456 wrote to memory of 2464	2456	11.exe	37
PID 1868 wrote to memory of 2552	1868	r.exe	38
PID 1868 wrote to memory of 2552	1868	r.exe	38
PID 1868 wrote to memory of 2552	1868	r.exe	38
PID 1868 wrote to memory of 2552	1868	r.exe	38
PID 1452 wrote to memory of 1908	1452	InstallerPack_20.1.23770_win64.exe	39
PID 1452 wrote to memory of 1908	1452	InstallerPack_20.1.23770_win64.exe	39
PID 1452 wrote to memory of 1908	1452	InstallerPack_20.1.23770_win64.exe	39
PID 1452 wrote to memory of 1908	1452	InstallerPack_20.1.23770_win64.exe	39
PID 2464 wrote to memory of 576	2464	sysarddrvs.exe	41
PID 2464 wrote to memory of 576	2464	sysarddrvs.exe	41
PID 2464 wrote to memory of 576	2464	sysarddrvs.exe	41
PID 2464 wrote to memory of 576	2464	sysarddrvs.exe	41
PID 2464 wrote to memory of 1044	2464	sysarddrvs.exe	43
PID 2464 wrote to memory of 1044	2464	sysarddrvs.exe	43
PID 2464 wrote to memory of 1044	2464	sysarddrvs.exe	43
PID 2464 wrote to memory of 1044	2464	sysarddrvs.exe	43
PID 576 wrote to memory of 1716	576	cmd.exe	45
PID 576 wrote to memory of 1716	576	cmd.exe	45
PID 576 wrote to memory of 1716	576	cmd.exe	45
PID 576 wrote to memory of 1716	576	cmd.exe	45
PID 1044 wrote to memory of 1532	1044	cmd.exe	46
PID 1044 wrote to memory of 1532	1044	cmd.exe	46
PID 1044 wrote to memory of 1532	1044	cmd.exe	46
PID 1044 wrote to memory of 1532	1044	cmd.exe	46
PID 1044 wrote to memory of 2160	1044	cmd.exe	47
PID 1044 wrote to memory of 2160	1044	cmd.exe	47
PID 1044 wrote to memory of 2160	1044	cmd.exe	47
PID 1044 wrote to memory of 2160	1044	cmd.exe	47
PID 1044 wrote to memory of 2616	1044	cmd.exe	48
PID 1044 wrote to memory of 2616	1044	cmd.exe	48
PID 1044 wrote to memory of 2616	1044	cmd.exe	48
PID 1044 wrote to memory of 2616	1044	cmd.exe	48
PID 1044 wrote to memory of 2376	1044	cmd.exe	49
PID 1044 wrote to memory of 2376	1044	cmd.exe	49
PID 1044 wrote to memory of 2376	1044	cmd.exe	49
PID 1044 wrote to memory of 2376	1044	cmd.exe	49
PID 1044 wrote to memory of 2056	1044	cmd.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe(4).exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe(4).exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\Files\InstallerPack_20.1.23770_win64.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\InstallerPack_20.1.23770_win64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 948
      4⤵
      Loads dropped DLL
      Program crash
      PID:1908
- - C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-27_00-41.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-27_00-41.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-27_00-41.exe" & rd /s /q "C:\ProgramData\BAFCGIJDAFBK" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:1292
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2120
- - C:\Users\Admin\AppData\Local\Temp\Files\11.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\11.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\sysarddrvs.exe
      C:\Windows\sysarddrvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:576
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1044
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1532
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2160
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2616
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2376
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2056
    - - C:\Users\Admin\AppData\Local\Temp\229816441.exe
        
        C:\Users\Admin\AppData\Local\Temp\229816441.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:1716
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:2916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:2960
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\2877830485.exe
        
        C:\Users\Admin\AppData\Local\Temp\2877830485.exe
        5⤵
        Executes dropped EXE
        
        PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\214852748.exe
        
        C:\Users\Admin\AppData\Local\Temp\214852748.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1076
      - C:\Users\Admin\AppData\Local\Temp\2383929885.exe
        
        C:\Users\Admin\AppData\Local\Temp\2383929885.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
    - - C:\Users\Admin\AppData\Local\Temp\1381527864.exe
        
        C:\Users\Admin\AppData\Local\Temp\1381527864.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1936
- - C:\Users\Admin\AppData\Local\Temp\Files\r.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\r.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\sysvplervcs.exe
      C:\Windows\sysvplervcs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: SetClipboardViewer
      PID:2552
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2892
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2812
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2544
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2724
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\2441514975.exe
        
        C:\Users\Admin\AppData\Local\Temp\2441514975.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:2220
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:2204
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:1624
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:2032
    - - C:\Users\Admin\AppData\Local\Temp\81926254.exe
        
        C:\Users\Admin\AppData\Local\Temp\81926254.exe
        5⤵
        Executes dropped EXE
        
        PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\591630655.exe
        
        C:\Users\Admin\AppData\Local\Temp\591630655.exe
        5⤵
        Executes dropped EXE
        
        PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\1984721984.exe
        
        C:\Users\Admin\AppData\Local\Temp\1984721984.exe
        5⤵
        Executes dropped EXE
        
        PID:1048
- - C:\Users\Admin\AppData\Local\Temp\Files\t.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\t.exe"
    3⤵
    - Executes dropped EXE
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- - C:\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:964
- - C:\Users\Admin\AppData\Local\Temp\Files\libcurl-addon.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\libcurl-addon.exe"
    3⤵
    - Executes dropped EXE
    PID:1292
- - C:\Users\Admin\AppData\Local\Temp\Files\stail.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\stail.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\is-RR071.tmp\stail.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-RR071.tmp\stail.tmp" /SL5="$5022C,3983289,54272,C:\Users\Admin\AppData\Local\Temp\Files\stail.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2212
    - - C:\Users\Admin\AppData\Local\TCKPlayer\tckplayer.exe
        
        "C:\Users\Admin\AppData\Local\TCKPlayer\tckplayer.exe" -i
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2892
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2636
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1072
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2164

C:\Windows\system32\taskeng.exe
taskeng.exe {E4F6B71C-5102-46D8-9C55-F9BE1B93F954} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:2912
- C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
  "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a236675c467539ceda7d370c5812b38

SHA1
0d2edb45f7b83b625c6a4d5636319f8d26a93fc9

SHA256
16bf8e7c93a5e9e315a35b14750f2e4671a89c6620272bcc5287f8a4acdf62cb

SHA512
06aab6f5a5eea006d70c1537376d700906af49eb2ba76d8c4550c2685f0ea18a07035707cd33863d162679a84e7d3603983b4050d3b1c588797ad2be23d1d023

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dada091fbc38d7ce5e4bdb74d9c0b4fe

SHA1
4f44f7814fee98016f484c59bc7b23a7eeececb3

SHA256
2da9ecdd7c3677f7a5429564cd8ec9b05ae4fb53adeaa3b95f61737dc1b24302

SHA512
c81b5243adce56959421513aab30cf197c2465fab71edcd8016ec0296bafc574edb94949f63ef3a622cbe8429c5314d1a68e5bfece66ed7807a85ed5013f0f30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a593e0cf63c9027a5c091754bc7737e

SHA1
40117311ad372fbf73a5b9f13c931c7a07d5f1ab

SHA256
921966c6f5131dc2e4a6b8c8d64064add40262f2e831b04260669123d2be6672

SHA512
eb8cd142bee9412d1423e4e6aa0b31626e2eab5f24d2a5a0d140d9ebff8d3b35c72eca933dbfd0815c0b7f4dc202ab8244c872f051bc8b8b48830056332e1f56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15567aa737cb80f71c71123cb6a0beff

SHA1
b539a70a0e467124f6a8df67d111c001b7b9a5e0

SHA256
753c22d91315968ee0631883deaa6d88d400735112d5f0d080d1dba4f1115f84

SHA512
77638fa00c73351c0bf6817b3adfcb7b40298d6ba36f44810d4b61d3461bdeed822d4557089c822811afdadcc6a80c854d56515bf345e295312670ff8f739635

Download Submit
C:\Users\Admin\AppData\Local\Temp\1790219166.exe

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1984721984.exe

Filesize
13KB

MD5
5a0d146f7a911e98da8cc3c6de8acabf

SHA1
4ec56b14a08c897a5e9e85f5545b6c976a0be3c1

SHA256
bf61e77b7c49ce3346a28d8bc084c210618ea6ec5f3cfa9ae8f4aa4d64e145f1

SHA512
6d1526a5f467535d51b7f9b3a7af2d54512526e2523e3048082277b83b6e1a1f0d7e3c617405898f240ae84a16163bc47886d8541a016b31c51dfadf9da713e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC3ED.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\11.exe

Filesize
79KB

MD5
e2e3268f813a0c5128ff8347cbaa58c8

SHA1
4952cbfbdec300c048808d79ee431972b8a7ba84

SHA256
d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

SHA512
cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\r.exe

Filesize
96KB

MD5
930c41bc0c20865af61a95bcf0c3b289

SHA1
cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

SHA256
1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

SHA512
fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC400.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c49210eb

Filesize
5.8MB

MD5
6321268230dbba37143ec80139348e3f

SHA1
9487fdb3231e1a932bc1ea5a84adbdc6ad7bca44

SHA256
13a119fa2216d25d8255efb07451e42d55c4a581f48cd69ed6b81f366f0f0dd2

SHA512
c2842982cad2219db36d3eabb7c9fb7aeae94ae8e06a70ba595eb842e4526a570baee512e3e88478d8dd9149ada9c10860378cdb8b0e761b77f60cea8b319bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HK6AX45ADNMEEQ8GEE9B.temp

Filesize
7KB

MD5
2302f3d72b27a6925f4bb5979506f5eb

SHA1
4ede61d7c156aec2cae16ce85ff39f48594b65fe

SHA256
e6350c5dcc0dd21afed3239a63504166a6b56593227113f2f51b62cc7b03b709

SHA512
b83155097eb43317e5a59934b51f12444d9f73889f8f8f19148ec0f7aaacf5030914325c6b215b3f251cd0da07e2ec5f566629ccc5efa8b53d41b2c216eae54b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9d5956d301a5e8a3e2b9f9f8ebbdd84a

SHA1
71703e3c4f161d3ac5df13358c02734bddd6b38e

SHA256
7fb5e02df065518237d3ab71000e4a32b5630f72ce42f95d926d8badf1e4afdf

SHA512
49763778f7b38f93b27df41821e06dbad9b3d21c3e51ddf55e3e4d8a8f6086a706a609039fade4445290cd4010d17a97a5bfe51483fdd63c8d9b1decd4a2140a

Download Submit
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
3KB

MD5
b212df1dfbf03f226cb3a2a7153c97a4

SHA1
ef15cebd343a8cf4df0ad6fb97b2586db7d250d2

SHA256
3069d99ab572231cd0b0f1e0eea8428d6dcb026e92bc14d054fd7b7910894802

SHA512
f05cc8ec9a742e1f4e601c6f87558eba7c9d039216c00912094a071ad01622573712bca607368d4ea0253512de9243a3a3f32f4bf3399d4e4980531b1ac3cd39

Download Submit
\Users\Admin\AppData\Local\TCKPlayer\tckplayer.exe

Filesize
2.6MB

MD5
b9b421681d311cbdc9967a7a6c83d4cf

SHA1
b99594b1224b53565e3bcb365bb0496630187ec3

SHA256
48fb39c4a25ce5ba2d9bddb153335b1bf2673e133dbd7120e83da9499d4f52b5

SHA512
5ab4cb50f493383c1f5c0c951b0ece89e8d02bd0eb9d53266641b827e16e8acaeab4433c2073b78b8ad5589f0cc819c27652a3e8caadc0484f30f208b3b54635

Download Submit
\Users\Admin\AppData\Local\Temp\214852748.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
\Users\Admin\AppData\Local\Temp\229816441.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
\Users\Admin\AppData\Local\Temp\2877830485.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe

Filesize
550KB

MD5
88783a57777926114b5c5c95af4c943c

SHA1
6f57492bd78ebc3c3900919e08e039fbc032268a

SHA256
94132d9dde2b730f4800ee383ddaa63d2e2f92264f07218295d2c5755a414b6a

SHA512
167abcc77770101d23fcc5cd1df2b57c4fe66be73ea0d1fde7f7132ab5610c214e0af00e6ff981db46cd78e176401f2626aa04217b4caf54a249811bbf79d9c6

Download Submit
\Users\Admin\AppData\Local\Temp\Files\InstallerPack_20.1.23770_win64.exe

Filesize
3.2MB

MD5
d4e494aac738b34231cb341acb16b961

SHA1
4cdaf5333250193c1e8939c807728a804e9dd4ad

SHA256
eda401786b61b9b555596c6f88f1ea858c8946491b6a37688d6c7c859cb3a04a

SHA512
b490cd7dd1e1861ab723856417a9c60fb379e5adc0acbe9aceffa0cd6f4cb79493522282a1e799071bd53372fc22cadfec1bacfcba0eeda6b8392177c3cd0f8e

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Server.exe

Filesize
43KB

MD5
4df91688458d5a32f5a2bc93b6c81094

SHA1
43866e87b1cb0e5c7f52b91eeabfb6816698b070

SHA256
e0e8a7c2ce540f674aea4fb7d880a16021dfd15552897b01bfdfa2d0981b9aed

SHA512
a9e28b1cea690e7774d6f5a102237cad0882615e066f6dbe0e2b9da8dbd3ae2a29e63ea73bd083409771108ce1d2cb1845271e0fe4a9a71f9dcb46bec62da491

Download Submit
\Users\Admin\AppData\Local\Temp\Files\build_2024-07-27_00-41.exe

Filesize
255KB

MD5
112da2a1307ac2d4bd4f3bdb2b3a8401

SHA1
694bf7f0ea0ecfc172d9eb46f24bc2309bf47f4f

SHA256
217900ee9e96bcb152005818da2e5382cac579ab6edd540d05f2cdb8c8f4ce8b

SHA512
8455c8fb3f72eba5b3bf64452fb0f09c5fdc228cb121ca485a13daff9c8edef58ced1e23f986a3318d64c583b33a5e2c1b92220e10109812e35578968ed3b7a7

Download Submit
\Users\Admin\AppData\Local\Temp\Files\libcurl-addon.exe

Filesize
1.8MB

MD5
62624adf7c2e075994e97908e81e92be

SHA1
3e43242b05d431e07338abdac0a3fe2ee3c64616

SHA256
169ec083889cd7a7bc2afbdf9d82fb4339da2418b84ec39e15f5aca047316788

SHA512
d7025bfc658c7e39ad82e753b1dcbe099d912e467a230e7c5c3c0731618c0d93ca8407fa5e94ec52673b01fe1e910905aad7b68eeaa5450692054928cc9b6b5b

Download Submit
\Users\Admin\AppData\Local\Temp\Files\stail.exe

Filesize
4.1MB

MD5
543d67d96e4393710b98008b0d2420e4

SHA1
d63205d66575ef37f4247014d586b6c83a1cfd11

SHA256
0719826ecf10c8045577d0f01548b8f34388e331a190f8cbcd76e4bab3cbee92

SHA512
bf7c6607eeac85b1db08f2693142ffca5e3f5785880a8dbfa193a9da38f50678e1e27a762eec9895589050c41975518b3c6df4040cfde6568e8084e90cd13901

Download Submit
\Users\Admin\AppData\Local\Temp\is-9DOIE.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-9DOIE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-RR071.tmp\stail.tmp

Filesize
689KB

MD5
3ff56ef2905740c40e7303bdb7ea7422

SHA1
915219ec936439a957918f78cc2b54d3cca74a28

SHA256
8118b337ced36c7ee538634766c09645a15b628f84dad9f5ef69042579c8e029

SHA512
13e40eb75adab475e2950cc4b05f49969a431c2856cdbc8f881c66d224a8a58c58784621e437e55ce0d8c7503b5aaa7fdc3c734352543b6c246472134a31f0ef

Download Submit
memory/964-306-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/964-426-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/964-603-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1040-588-0x000000013F900000-0x000000013F906000-memory.dmp

Filesize
24KB

Download
memory/1072-650-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1452-162-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1492-542-0x000000013F560000-0x000000013F566000-memory.dmp

Filesize
24KB

Download
memory/1600-620-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/1600-621-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2052-545-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2052-557-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2052-529-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2052-530-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2052-648-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2052-613-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2052-596-0x0000000000400000-0x000000000069C000-memory.dmp

Filesize
2.6MB

Download
memory/2164-651-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2164-637-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2176-304-0x0000000005610000-0x0000000005726000-memory.dmp

Filesize
1.1MB

Download
memory/2176-423-0x0000000005610000-0x0000000005726000-memory.dmp

Filesize
1.1MB

Download
memory/2176-235-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/2176-2-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/2176-258-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-305-0x0000000005610000-0x0000000005726000-memory.dmp

Filesize
1.1MB

Download
memory/2176-424-0x0000000005610000-0x0000000005726000-memory.dmp

Filesize
1.1MB

Download
memory/2212-544-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2212-527-0x0000000003580000-0x000000000381C000-memory.dmp

Filesize
2.6MB

Download
memory/2256-283-0x0000000000400000-0x0000000002459000-memory.dmp

Filesize
32.3MB

Download
memory/2256-280-0x0000000000400000-0x0000000002459000-memory.dmp

Filesize
32.3MB

Download
memory/2368-638-0x000000013FC50000-0x00000001401E7000-memory.dmp

Filesize
5.6MB

Download
memory/2528-623-0x000000013F4D0000-0x000000013FA67000-memory.dmp

Filesize
5.6MB

Download
memory/2900-632-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2900-633-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2992-543-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2992-446-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3016-292-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download