amadey | a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c

Analysis

max time kernel
300s
max time network
302s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
Size

1.8MB
MD5

b60d82b8244e964110f66e7ad34dc37b
SHA1

413eb99c2ab5ea8f43d651b0100e76fc53aeba70
SHA256

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c
SHA512

0641d19e3f3b71f0a8def8eeb19ac9364abc9f9f12762272a41331f3ee7e2a2ef5f96ca7ccbe879c21c3abefb8eafac2a46ac4901c0791be9b391dde754f5bb4
SSDEEP

49152:+cGpBBa72Cb7j7sMC8uB5cOtr9OwGlFN:61ab33y5c0r9OvL

Score

10^/10

amadey redline smokeloader xmrig 123 e76b71 backdoor discovery evasion execution infostealer miner persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://movlat.com/tmp/

http://llcbc.org/tmp/

http://lindex24.ru/tmp/

http://qeqei.xyz/tmp/

rc4.i32

Extracted

Family

redline

Botnet

123

185.215.113.67:40960

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe family_redline
behavioral1/memory/1156-330-0x00000000003B0000-0x0000000000400000-memory.dmp family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe	family_redline
behavioral1/memory/1156-330-0x00000000003B0000-0x0000000000400000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/3036-556-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-557-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-559-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-562-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-561-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-560-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-563-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-565-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3036-566-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1284 powershell.exe
1736 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
1284	powershell.exe
1736	powershell.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 8 IoCs

Processes:

axplong.exeNewLatest.exeHkbsse.exe1.exe123.exeFirstZ.exereakuqnanrkn.exe

pid process

2620 axplong.exe
1616 NewLatest.exe
2028 Hkbsse.exe
1228 1.exe
1156 123.exe
2172 FirstZ.exe
480
1492 reakuqnanrkn.exe

pid	process
2620	axplong.exe
1616	NewLatest.exe
2028	Hkbsse.exe
1228	1.exe
1156	123.exe
2172	FirstZ.exe
480
1492	reakuqnanrkn.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	axplong.exe

Loads dropped DLL 9 IoCs

Processes:

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exeaxplong.exeNewLatest.exeHkbsse.exe

pid process

2028 a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
2620 axplong.exe
1616 NewLatest.exe
2028 Hkbsse.exe
2028 Hkbsse.exe
2620 axplong.exe
2028 Hkbsse.exe
2028 Hkbsse.exe
480
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3036-551-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-556-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-557-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-554-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-553-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-555-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-552-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-559-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-562-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-561-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-560-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-563-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-565-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3036-566-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

24 bitbucket.org
25 bitbucket.org
59 pastebin.com
60 pastebin.com
62 bitbucket.org
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

1616 powercfg.exe
1088 powercfg.exe
2176 powercfg.exe
952 powercfg.exe
1360 powercfg.exe
2464 powercfg.exe
2472 powercfg.exe
1816 powercfg.exe

flow	ioc
24	bitbucket.org
25	bitbucket.org
59	pastebin.com
60	pastebin.com
62	bitbucket.org

pid	process
1616	powercfg.exe
1088	powercfg.exe
2176	powercfg.exe
952	powercfg.exe
1360	powercfg.exe
2464	powercfg.exe
2472	powercfg.exe
1816	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exeFirstZ.exepowershell.exereakuqnanrkn.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exeaxplong.exe

pid process

2028 a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
2620 axplong.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

reakuqnanrkn.exe

description pid process target process

PID 1492 set thread context of 2484 1492 reakuqnanrkn.exe conhost.exe
PID 1492 set thread context of 3036 1492 reakuqnanrkn.exe explorer.exe

description	pid	process	target process
PID 1492 set thread context of 2484	1492	reakuqnanrkn.exe	conhost.exe
PID 1492 set thread context of 3036	1492	reakuqnanrkn.exe	explorer.exe

Drops file in Windows directory 4 IoCs

Processes:

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exeNewLatest.exewusa.exewusa.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

452 sc.exe
2500 sc.exe
964 sc.exe
1932 sc.exe
2400 sc.exe
3020 sc.exe
112 sc.exe
1792 sc.exe
2100 sc.exe
2676 sc.exe
2920 sc.exe
3012 sc.exe
2004 sc.exe
2412 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
452	sc.exe
2500	sc.exe
964	sc.exe
1932	sc.exe
2400	sc.exe
3020	sc.exe
112	sc.exe
1792	sc.exe
2100	sc.exe
2676	sc.exe
2920	sc.exe
3012	sc.exe
2004	sc.exe
2412	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

explorer.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 003fbcaee7c8da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Hkbsse.exeaxplong.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Hkbsse.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Hkbsse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	axplong.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exeaxplong.exe1.exe

pid	process
2028	a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
2620	axplong.exe
1228	1.exe
1228	1.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1.exe

pid process

1228 1.exe

pid	process
1228	1.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe123.exe

description	pid	process
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeShutdownPrivilege	952	powercfg.exe
Token: SeShutdownPrivilege	2176	powercfg.exe
Token: SeShutdownPrivilege	1088	powercfg.exe
Token: SeShutdownPrivilege	1360	powercfg.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeShutdownPrivilege	1816	powercfg.exe
Token: SeShutdownPrivilege	2464	powercfg.exe
Token: SeShutdownPrivilege	1616	powercfg.exe
Token: SeShutdownPrivilege	2472	powercfg.exe
Token: SeLockMemoryPrivilege	3036	explorer.exe
Token: SeDebugPrivilege	1156	123.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exeNewLatest.exe

pid process

2028 a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
1616 NewLatest.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exeaxplong.exeNewLatest.exeHkbsse.execmd.execmd.exereakuqnanrkn.exe

description	pid	process	target process
PID 2028 wrote to memory of 2620	2028	a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe	axplong.exe
PID 2028 wrote to memory of 2620	2028	a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe	axplong.exe
PID 2028 wrote to memory of 2620	2028	a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe	axplong.exe
PID 2028 wrote to memory of 2620	2028	a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe	axplong.exe
PID 2620 wrote to memory of 1616	2620	axplong.exe	NewLatest.exe
PID 2620 wrote to memory of 1616	2620	axplong.exe	NewLatest.exe
PID 2620 wrote to memory of 1616	2620	axplong.exe	NewLatest.exe
PID 2620 wrote to memory of 1616	2620	axplong.exe	NewLatest.exe
PID 1616 wrote to memory of 2028	1616	NewLatest.exe	Hkbsse.exe
PID 1616 wrote to memory of 2028	1616	NewLatest.exe	Hkbsse.exe
PID 1616 wrote to memory of 2028	1616	NewLatest.exe	Hkbsse.exe
PID 1616 wrote to memory of 2028	1616	NewLatest.exe	Hkbsse.exe
PID 2028 wrote to memory of 1228	2028	Hkbsse.exe	1.exe
PID 2028 wrote to memory of 1228	2028	Hkbsse.exe	1.exe
PID 2028 wrote to memory of 1228	2028	Hkbsse.exe	1.exe
PID 2028 wrote to memory of 1228	2028	Hkbsse.exe	1.exe
PID 2620 wrote to memory of 1156	2620	axplong.exe	123.exe
PID 2620 wrote to memory of 1156	2620	axplong.exe	123.exe
PID 2620 wrote to memory of 1156	2620	axplong.exe	123.exe
PID 2620 wrote to memory of 1156	2620	axplong.exe	123.exe
PID 2028 wrote to memory of 2172	2028	Hkbsse.exe	FirstZ.exe
PID 2028 wrote to memory of 2172	2028	Hkbsse.exe	FirstZ.exe
PID 2028 wrote to memory of 2172	2028	Hkbsse.exe	FirstZ.exe
PID 2028 wrote to memory of 2172	2028	Hkbsse.exe	FirstZ.exe
PID 1168 wrote to memory of 708	1168	cmd.exe	wusa.exe
PID 1168 wrote to memory of 708	1168	cmd.exe	wusa.exe
PID 1168 wrote to memory of 708	1168	cmd.exe	wusa.exe
PID 768 wrote to memory of 3052	768	cmd.exe	wusa.exe
PID 768 wrote to memory of 3052	768	cmd.exe	wusa.exe
PID 768 wrote to memory of 3052	768	cmd.exe	wusa.exe
PID 1492 wrote to memory of 2484	1492	reakuqnanrkn.exe	conhost.exe
PID 1492 wrote to memory of 2484	1492	reakuqnanrkn.exe	conhost.exe
PID 1492 wrote to memory of 2484	1492	reakuqnanrkn.exe	conhost.exe
PID 1492 wrote to memory of 2484	1492	reakuqnanrkn.exe	conhost.exe
PID 1492 wrote to memory of 2484	1492	reakuqnanrkn.exe	conhost.exe
PID 1492 wrote to memory of 2484	1492	reakuqnanrkn.exe	conhost.exe
PID 1492 wrote to memory of 2484	1492	reakuqnanrkn.exe	conhost.exe
PID 1492 wrote to memory of 2484	1492	reakuqnanrkn.exe	conhost.exe
PID 1492 wrote to memory of 2484	1492	reakuqnanrkn.exe	conhost.exe
PID 1492 wrote to memory of 3036	1492	reakuqnanrkn.exe	explorer.exe
PID 1492 wrote to memory of 3036	1492	reakuqnanrkn.exe	explorer.exe
PID 1492 wrote to memory of 3036	1492	reakuqnanrkn.exe	explorer.exe
PID 1492 wrote to memory of 3036	1492	reakuqnanrkn.exe	explorer.exe
PID 1492 wrote to memory of 3036	1492	reakuqnanrkn.exe	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe
"C:\Users\Admin\AppData\Local\Temp\a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1228

C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2172

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
6⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
7⤵
- Drops file in Windows directory
PID:708

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
6⤵
- Launches sc.exe
PID:112

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:2920

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
6⤵
- Launches sc.exe
PID:1792

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
6⤵
- Launches sc.exe
PID:2004

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
6⤵
- Launches sc.exe
PID:452

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
6⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
6⤵
- Launches sc.exe
PID:2500

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
6⤵
- Launches sc.exe
PID:964

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
6⤵
- Launches sc.exe
PID:2412

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
6⤵
- Launches sc.exe
PID:1932

C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
"C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:3052

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:2400

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:3012

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:3020

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:2676

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:2100

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2484

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cec5e82702f6ad8556b3ecab7b8f1283

SHA1
f39154b934b13899cff9f5b8fe726da9b3893094

SHA256
3386467991bea3646c94b5d1ca1852d84d33831f20923f7097f4928c8526e841

SHA512
42371b0678deed330ad0aeaeed5c91ccbcad0b206700cf29edc3c38e9c4c46fcb87c4883901b052e04cb28de020da22538021e2de855ec6aaebe91fc57f116f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3cf36ef367ac23daa548c8ba6321d7e2

SHA1
e8057373052b75beafa4fa0d09c649c79d7ebd11

SHA256
aefe933e2adb0a35846910e9c4328cea9146983d801de8569f2d452d908e3078

SHA512
e09a283f41a0407112325989b681cd7a62def5f52ef33c2573c5cbb13bdf9a8e51dd258fb7318c5f736d74657b79f5e6c887ba2e64230f56ef9976877fa3e35f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e7e07b16f675d249bed9d62cfb40d4de

SHA1
8434c69acddc875a2795618b22867d9d18cee24b

SHA256
ea17c2b95f14da03b1a83beca1691f816ab2a5d4851c693d85fb2a0b162c7e4c

SHA512
b474bb1ee0bb09756de86517efe963d4d989f99cad9aed4b03a0b82aa0543b916b18c8fc6bc22f4bec6125b9d5531df9580af4d2056effbac3a5fae251dd9b00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
1a4fc2f6570c2df9acbbaadbf57c03a1

SHA1
d99afeb6d5356c31ac893af65a0a3ce37588222b

SHA256
73ede31523eb1f880dca8c3d2b020e60e0b70bf1805e37e84ac97fe8cdfc94b4

SHA512
80379417cd6d5fb3f69432373b40f242c04cbfb2178f95f8dbfa47517fbd7a4671e087aff52f3bc3009efc81ceb4b232faa252ed0cb775f8eef3d341f285532b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe
Filesize
317KB

MD5
e1b59d2805b38262b9967bce3e719dbf

SHA1
4081416cfaa76941981c34518d45b60e8d4b2013

SHA256
d5bba713d11ebbb7a91be59dae0f2d4b818897fe756b854dfe40babe7664c173

SHA512
bcea30a8f2a10aed0e2c97133734a34a850c18ee9447966ed8cdae8bbf72b98ebd2703a7cadf53b8991ef5eb3047d871242e990a4b7baf00eda8ca5f5f7dda35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
Filesize
297KB

MD5
cd581d68ed550455444ee6e099c44266

SHA1
f131d587578336651fd3e325b82b6c185a4b6429

SHA256
a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505

SHA512
33f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.8MB

MD5
b60d82b8244e964110f66e7ad34dc37b

SHA1
413eb99c2ab5ea8f43d651b0100e76fc53aeba70

SHA256
a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c

SHA512
0641d19e3f3b71f0a8def8eeb19ac9364abc9f9f12762272a41331f3ee7e2a2ef5f96ca7ccbe879c21c3abefb8eafac2a46ac4901c0791be9b391dde754f5bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6AE8.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1156-330-0x00000000003B0000-0x0000000000400000-memory.dmp

Filesize
320KB

Download
memory/1204-312-0x00000000025C0000-0x00000000025D6000-memory.dmp

Filesize
88KB

Download
memory/1228-313-0x0000000000400000-0x000000000236B000-memory.dmp

Filesize
31.4MB

Download
memory/1284-531-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/1284-532-0x0000000001D50000-0x0000000001D58000-memory.dmp

Filesize
32KB

Download
memory/1736-540-0x0000000019F90000-0x000000001A272000-memory.dmp

Filesize
2.9MB

Download
memory/1736-541-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/2028-0-0x0000000001350000-0x00000000017EA000-memory.dmp

Filesize
4.6MB

Download
memory/2028-15-0x0000000001350000-0x00000000017EA000-memory.dmp

Filesize
4.6MB

Download
memory/2028-5-0x0000000001350000-0x00000000017EA000-memory.dmp

Filesize
4.6MB

Download
memory/2028-3-0x0000000001350000-0x00000000017EA000-memory.dmp

Filesize
4.6MB

Download
memory/2028-2-0x0000000001351000-0x000000000137F000-memory.dmp

Filesize
184KB

Download
memory/2028-1-0x00000000775D0000-0x00000000775D2000-memory.dmp

Filesize
8KB

Download
memory/2484-543-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2484-549-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2484-542-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2484-544-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2484-545-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2484-546-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2620-293-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-580-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-31-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-262-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-17-0x0000000002500000-0x0000000002502000-memory.dmp

Filesize
8KB

Download
memory/2620-290-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-291-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-292-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-575-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-18-0x0000000002510000-0x0000000002512000-memory.dmp

Filesize
8KB

Download
memory/2620-311-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-19-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/2620-20-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/2620-21-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2620-22-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2620-331-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-23-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2620-24-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2620-355-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-25-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/2620-512-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-516-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-564-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-248-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-37-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-29-0x0000000000C11000-0x0000000000C3F000-memory.dmp

Filesize
184KB

Download
memory/2620-589-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-28-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/2620-588-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-586-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-585-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-584-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-583-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-582-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-99-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-98-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-32-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-33-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-16-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-34-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-581-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-27-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/2620-579-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-578-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-577-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/2620-26-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/2620-576-0x0000000000C10000-0x00000000010AA000-memory.dmp

Filesize
4.6MB

Download
memory/3036-558-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/3036-566-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-565-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-563-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-560-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-561-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-562-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-559-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-552-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-555-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-553-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-554-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-557-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-556-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3036-551-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download