azorult | 29c5fe0bdfef87eb7264654ac1cd1de22310ff9d02fe3637e818a0cde51b0bed

Analysis

max time kernel
1575s
max time network
1800s
platform
windows10_x64
resource
win10v20201028
submitted
02-04-2021 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DBF.Viewer.Pro.3.11.crack.by.F4CG.exe
Size

4.8MB
MD5

98e0552e7c661d3f84c5ca691bb58b60
SHA1

f8747cbd9256e9587e45b1feeded6b082b098e5d
SHA256

23e30d6f1d505e6a0cf1672ec7420d28af81975a9832f1af2eae8a3233a09eb4
SHA512

d767b09e6d24ce96ce95e7cbcb248b93373f7dcbad3a96ba249a3c54df9511567c4ff2bfd8393492a0f90ae8bf5ab37c1cf71f75092ad81dde7a7a7a5f7e76da

Score

10^/10

azorult xmrig discovery evasion infostealer miner persistence spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral4/memory/5000-89-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral4/memory/5000-90-0x00000001402CA898-mapping.dmp	xmrig
behavioral4/memory/5000-93-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral4/memory/5000-94-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

67 5000 msiexec.exe

flow	pid	process
67	5000	msiexec.exe

Executes dropped EXE 30 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exekey.exeSetup.exesetups.exeaskinstall20.exesetups.tmpfile.exe7758.tmp.exe77E6.tmp.exe7893.tmp.exemd2_2efs.exe7758.tmp.exeBTRSetp.exe8441342.exe5684678.exe8568804.exe2928718.exe5342057.exegcttt.exeWindows Host.exejfiag3g_gg.exejfiag3g_gg.exe8568804.exe8568804.exe2928718.exejfiag3g_gg.exejfiag3g_gg.exe

pid	process
4068	keygen-pr.exe
4044	keygen-step-1.exe
2056	keygen-step-3.exe
4512	keygen-step-4.exe
1460	key.exe
1768	Setup.exe
4640	setups.exe
4256	askinstall20.exe
188	setups.tmp
1240	file.exe
4440	7758.tmp.exe
1908	77E6.tmp.exe
2264	7893.tmp.exe
2432	md2_2efs.exe
4652	7758.tmp.exe
5116	BTRSetp.exe
4744	8441342.exe
4740	5684678.exe
3640	8568804.exe
3860	2928718.exe
3144	5342057.exe
4024	gcttt.exe
372	Windows Host.exe
216	jfiag3g_gg.exe
4620	jfiag3g_gg.exe
2668	8568804.exe
4796	8568804.exe
4716	2928718.exe
1800	jfiag3g_gg.exe
96	jfiag3g_gg.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setups.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation setups.tmp
Loads dropped DLL 7 IoCs

Processes:

setups.tmp

pid process

188 setups.tmp
188 setups.tmp
188 setups.tmp
188 setups.tmp
188 setups.tmp
188 setups.tmp
188 setups.tmp
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

77E6.tmp.exe5684678.exegcttt.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	77E6.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe"	77E6.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	5684678.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md2_2efs.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md2_2efs.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

62 api.ipify.org
119 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

flow	ioc
62	api.ipify.org
119	ip-api.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

7758.tmp.exe77E6.tmp.exe8568804.exe2928718.exe

description	pid	process	target process
PID 4440 set thread context of 4652	4440	7758.tmp.exe	7758.tmp.exe
PID 1908 set thread context of 4676	1908	77E6.tmp.exe	msiexec.exe
PID 1908 set thread context of 5000	1908	77E6.tmp.exe	msiexec.exe
PID 3640 set thread context of 4796	3640	8568804.exe	8568804.exe
PID 3860 set thread context of 4716	3860	2928718.exe	2928718.exe

Drops file in Windows directory 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7758.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7758.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7758.tmp.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4408 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1080 taskkill.exe

pid	process
4408	timeout.exe

pid	process
1080	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdgeCP.exebrowser_broker.exeMicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\communication.netflowcorp. = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdo = "32"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\priority.netflowcorp.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\report.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 20c46e1ef727d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{865D534D-CD06-44B9-88E0-4AA53530AE39} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 75056e1fc627d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 066e8685c727d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\click.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\declaration.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdo = "7"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdo = "24"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\24.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\onlinecasinoground.nl\NumberO = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\communication.netflowcorp.com = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\traction.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 59b460dbc427d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\directive.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\late.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdo = "15"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdo = "28"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdo = "37"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\critical.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1bf2d221871814ba0ecf7de67e0d509000000000200000000001066000000010000200000005f864e42adafc2098ca286e79a8c06cb8e9f85926da656620e83b04af311edbd000000000e800000000200002000000081fdeb155fe84c9de43ac4a76ef75b5e4bceb3aef12e7749953d9a58cfdfafc9400d0000980ad75ba28a6f466b51a0082a7f9eb9d6afa88f948c4e050895c1e3af14c42a1dab0cdbd07bd1ae6e1549057d0da90e405fb394708b27226d21be4aab810d306c38477de0bfce603e3b8de5376fdce6f511272e641bde05941e35c837fe40861ec218c71445c26328364d90a01a05b259c45d9afd3d901fc03b8553d62e4764e1cda66ee4f65af40bcb922bbd89dc7af189e0f6eafe7f51777e4eb5256a2e2a670604348e1b9613aedac22b94c6856ec794f42a3226980e80485daebaac43ca7c3c7426104c48b9275fcb877bf9c666ac6548d2a30cb4e5ad467b06daabaf4a5f1bfbba5695d47bd4cf3b75a3c2f8efd3c084c8ca7ef90f0cab56d95fefc096b057b8aa017fed13bf1704b37f33e6dfac710be9ef624d3fd3bd365c75b2701ccd0b63cf752813ae07b7a0ca38f23b862297708937361438f48820a207fe948b167719a04f68fa679ae6f3a07b513387eb57d213d24f2dde520806398f7fe80d75c5adfe071914ce5380fc2b58ae69296428eb18126e2f5ba8f97b2827eeb2844f3844cb526a31f2e64fd5b9f5c9edc99653884819b2fa5d12d770791d202693034a6b46741ea6a98deea95d5d00605e1403b40f24a5e64f0137c6a529f7bf1ccf369bad01023ccedb93fb62abde87d9ced39e2afefbc1f5d431e94f5d2992e82fe8bd42d817cd1f58f094a4628b809fc36711a8a8f3378f46e3c96fad736fc3d27d741e4d79c55b30270286aeba24c6a78e0bd1d78e3fc64b5be5b1c636fafcd320657b22721bc7daf96469bfd5fbd847d2baa28d98113f6660d729ace0531593d99bbdb6bc50d6296e62d626a0e05e6abe912c1efd10b90ecf53cc85cb7ed10e7c813e42f030722ff0c1deaf0ed65ee3f547f8ec1a477aa21fc6161a0999f1553c3504880395591e097b46c405f92428b7d60968c24b21a4560dbe1950383c1b5b43c84d2b8f32114cf7946b6f09180bf2248612c3b2b50761405fbebca0e2b2f5788ae9bbddec4f02c3c655eaf7db36273ba0d977ddb3e40390189bb818ca27359d109603e57e6967c74368f64a7510b4d10d6257ce09c3dc91d8582bdcfb5f9a463e0f5a1a2ddadecdfb443214bc0b8241f8f6269c2427373b4c77ddd4992c5fdbc9fa26196ce23122efbd12aff7ae1065e96a12f094dbe284404462d5a9f3c55a96eaed0450913fc94480e0c4597aac25ef782cdf0345776167aee8bdf3eae96ffa2ac5ccceed8ef14b0d2043473a73739c78638e52962bb1801e36cbfcdfd8bd53fc3942b0440495f499aca4a7665c0c563c688ee2d1369f1a49bc98b16a1593187b4859ce15c375c34dcbca1d8490915df29f389cd9d4039c04c54542f86a378da5e65312e86303a5affc6fceb05ec86ebf2aa4481f3d835faa90c1fa76d10703bb35df3d300a345504cb9d907f874d85bc63e72ab9ff6176289b2f21eb0e1ffddc904ab2b7c334875787039f656f6f327d7bcb4c3fd2452e04b6c2bee39b3d4e11e7eb67288e93e2857984bbf9e09f0564da2c24cdf493927e0cb8d6549677a9e2570dec5dace774bfcf9e8e5ba6e88cee0473fc0fcfc97d91e1f0df6929639a06d37cd21ce728b519c5ddd5391bc6b73abdede13e6c2ee73f3e213468b3a868750e30e9fc030b7bdfdf69b76c1bbfc90f02235dff8dcac91e51873c1883ea5a238c68e767f9bd328978b3600323be4f5195f64607eee026eb2063061f8db7c006e61d78a270468d45cd25b1d543a1f49fc8ced6e726af1ac7e6d094a2e02a0d10fe4cc1a2c0e3ea64ff51e9cc4dc31286b9c52042a42b08af7c5b9c918809c041189a3bbde13ff8227de1b130f89826a815447c2ddf25915436d42f194510205ef0ae341f5bfee7d9d413f0c26415d815ae2fedf424242c5b15807812c9bcd2845f5d4bc857f2e1658d670e1be38444eb41445e2d8c5ebeb63d6c86fdae6eb34b2b1d6c8e9af9eecbd4a45f58ea4221584f184cea786f13234e28d0679b24486cc43a8c65c7888185043f2ab96ef0305d782b0e47826028a38d3e767f6e78a17df4e9eec3b705954202f317ef7078d8707b7460f2bc83eccbec0df682bc74011998282f52bca30b69b6c22292ad57aa6eb01e1a0a886655c8260b05f76808623f9f37642c984663b3e39fb6f021f14d9cc9e10f235a1e32fca6e9919adc6365ce5dcba7b9c8a0545e211560ed341695a02cc159144bc5ce2642885a49b8cdc12c7243c23aaa809ef8859fd82697894343baab3c4e00fa9f30e5bdbc1e9fcfbbd4bdc74a54ab3dd519950d7142b2f02eaeab471c5de78631a5bceba42d87b62b0c0805e19750dcc3fe5ad80d5aec407383994ba015a24b1bf802e67f7bbdda401e5035de267d75eb893ee148212aea27402e69480c40be564214f1c95fc0adb7733a58b4aa9b926b5acc7750b1b74b7c06ea73e4d6fb6d75a2ee8a1102bd290ee56f2424c4dd6ccd2493c6b411bcc61fb59f4f89f5e9853d1765acc529e4bfa727e6b646a9d2d25d9929ade4fe61f588fca769ab123fc18be0626047df43de8352e76afe08b0b557573e98ebdaedef9686e51aa0f0a8a14d22e0980db16a0029d1ccd4215fd53f73c894d68b858efb1df6aa11cc94204e24c2989e7c75ce854ab15e529ea493944c7e8a18ae437d43a342ee6ee8eb4368750c3ce97ace409500a514a9c85123f29ddfbf92c4e3f5ee1255008335e422d031c3d9ef2c498c785dec208d6ec55ae7765aca61fce64920a32988183379d4a7296816762112d848e52cc9429ab19070342ea2cdf110d036b59fbce21eb4cf86b3a3cb82039a7b47ee3e611fbeba4c3149008fcb2cb3f8508a36f07e749f78eee0a5efec1eda3ddd880f125f35d173bf1ce0cd363e2e683578c6fb6197db05c2d54a7b7c0f83d2cd9dd19cb2b0a975f61658ced5ce6b92a0b5f38f9df861f3aa5d08746e6a1b726590a3542a4487ccf85537dc619c6fb1dd89974c7b5032a1cbc331968d8a6165d5b2c21f78d5041520e2d52e6c329d35238cdc61fcc406fa0f0411707c9dc2eb7c1b2607cfb89bda63a3bf1beabcf5cbf877ff2a330b31ab17247c35132cd29a5471acd81a14af957dd9e5e8d694e6940054466e2dd7e6cdb76647060289f4507f45b2186e6350a13bb677ea00f55a12f8f07d445d80030fc8382bca2143a9d3c1fd5a5d0d948158e7b91c2921434cd0b8be7015c2a7a30fc7f2dfe1979c5518565d14acab064c80d9bfaa025a001f444f459862f7423aa3c4c9b21b9f5af59fb43253675ae1ecfb62497fc54beebb19181ea450f6700e50f421802afd168564477c3b8872ac911ce73d772575a1cdafdbb9adc39a022b41099e5f7dc6d12dc69083573b1be2d508f38c19d5f1e38fc314b64898dbf88917bf350bf247b229279d44d470f5f7d64215052f35154b5cbb072c3855cff515ed69b068246d84caf0b6c25fa0f32c2f2b135a3083c701fc2341d0036b70472ebd623606616c02342abb46c0b7044c0d528f9ea0a1a0bb3066ee2f84123e57190677f743dc75c31398a2880c57363abf8ca8eb7a19fb9d3dcc014611471ab4239428bc152a865180bb5e9c44154f07b6e891e203891bf49d38a9488c6230211b83fe6074b3a42b45a2ccd19c1d0cb0ebc8fdc90509d5491d1af7a0a7a9f9f7b62d41f0697764f78b353c4d783c5322487cc5c21bd9d4eaefc02ac572a6bf066cb342c3c6836a8097bf5c345f458472d6186d132e659dc0641bd56d44c390354a68fe5406c9a72348f4a0416f60250265a1b7846d48c67a9d024c1073c84148462d43ef064c1ac267aa171e86c0edad07ea3dabe52b18edccdf67b965b1ed4f4f3f5e3f838cd08e9dc70da3cc744e23f6c7a75761e3c314b54b02ad9ec5c07fc02eecc637a77b965dea97147149aebd2b1b77476dfd93765093ec06db35d482fe5aad8c726ba3a33805ce143425a60653b81897aa7a599cab34a93e77aecbd4fad630762bd92d6aa704721aace1909e3df20e84ccd6e4f506add9e7f1ea81c1a0e9302cbfe99af043ea7eabfc3c86b2aa68f03b04140325b3ad76999a54ea68a931c91b486002fb9e6577371f3c2fa40eece3a7d35783c3e65c27ab95d5ffa40ccdf25807902fec00eba7663f2a73f497e2518b61c44d55f51081717ad42c281fb20f1567b8795111f293e2e2ecc5f27208adaa458d0e3dddd48606f2437f9168a8efebce648e344292c699715b5a9f86306dc7b14114fc1a008bdbf3414bd9b4d4f4f97378d90e5c54a08c2498e5d2be9df56f6b5ad2122d94f4139a7bdc13a222830977c225c77261d1c93b21d538c7a8f8a24c8eb862630d441d6a107d7c2f9b7e755161e05ce6e059ba21064b23e6c8e1b1d19270b02d5863a4987b8fbad03d329ab8c8e531fda4cabe8029bd5d9295fb8e64ad4c92186f9684ffb3c5fd275b06fde732d831d1492be79ae90da1a005edd778921f142e58a1107272553c48111cb4f37569e8f444f4857017749a513a46eba17b002cbfa5b2eed877333044514c6ebf1a006d4329a4ea7a154d4ca186fdeab2072ebe3bb1cb0a00790785a1b5105c8642b9a73e8cde49ad6aa2841b7e094b60c07723c2549dcdf1b7ebb11e8502e7b374cad4c4eebb92f9de6e2756f3e6ddffef118d125605e2ab8bff2ad0d6913466689d5e242c3adc07e0a87a512a06c0398b1d5e0b1d51c974b36dfa4e4d16e825c128512dae5d39c0daead46fabc1db9b1335d179699785d579e7d2e2165695ca3637d0027c89cf8df004326e6db32e82ab09b9104156966742c18c3941f10920968b1e400000008d9c37bc6fcd160c4682330f5497de64d513be23da96d4e5f04b6de4cc4a7e55d7f7bcb3ccab8810ebe84cdeb122bd26c47b96d7052cc5713c957e06b7c356e2	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\feminine.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdo = "91"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdo = "27"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\approval.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\organize.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "324135363"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdo = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdo = "84"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdo = "33"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\message.netflowcorp.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\readnow.netflowcorp.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\release.netflowcorp.com	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

askinstall20.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2456 PING.EXE
4028 PING.EXE

pid	process
2456	PING.EXE
4028	PING.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

setups.tmp7758.tmp.exe8441342.exe5342057.exejfiag3g_gg.exe8568804.exe8568804.exe2928718.exejfiag3g_gg.exejfiag3g_gg.exe

pid	process
188	setups.tmp
188	setups.tmp
4652	7758.tmp.exe
4652	7758.tmp.exe
4744	8441342.exe
4744	8441342.exe
4744	8441342.exe
3144	5342057.exe
3144	5342057.exe
4620	jfiag3g_gg.exe
4620	jfiag3g_gg.exe
3640	8568804.exe
3640	8568804.exe
4796	8568804.exe
4796	8568804.exe
4716	2928718.exe
4716	2928718.exe
188	setups.tmp
188	setups.tmp
188	setups.tmp
188	setups.tmp
1800	jfiag3g_gg.exe
1800	jfiag3g_gg.exe
188	setups.tmp
188	setups.tmp
188	setups.tmp
188	setups.tmp
96	jfiag3g_gg.exe
96	jfiag3g_gg.exe
188	setups.tmp
188	setups.tmp

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid	process
4468	MicrosoftEdgeCP.exe
4468	MicrosoftEdgeCP.exe
4468	MicrosoftEdgeCP.exe
4468	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Setup.exeaskinstall20.exetaskkill.exeMicrosoftEdge.exeMicrosoftEdgeCP.exemsiexec.exemd2_2efs.exeMicrosoftEdgeCP.exeBTRSetp.exe8441342.exe2928718.exe5342057.exe8568804.exe8568804.exe2928718.exeMicrosoftEdgeCP.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1768	Setup.exe
Token: SeCreateTokenPrivilege	4256	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	4256	askinstall20.exe
Token: SeLockMemoryPrivilege	4256	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	4256	askinstall20.exe
Token: SeMachineAccountPrivilege	4256	askinstall20.exe
Token: SeTcbPrivilege	4256	askinstall20.exe
Token: SeSecurityPrivilege	4256	askinstall20.exe
Token: SeTakeOwnershipPrivilege	4256	askinstall20.exe
Token: SeLoadDriverPrivilege	4256	askinstall20.exe
Token: SeSystemProfilePrivilege	4256	askinstall20.exe
Token: SeSystemtimePrivilege	4256	askinstall20.exe
Token: SeProfSingleProcessPrivilege	4256	askinstall20.exe
Token: SeIncBasePriorityPrivilege	4256	askinstall20.exe
Token: SeCreatePagefilePrivilege	4256	askinstall20.exe
Token: SeCreatePermanentPrivilege	4256	askinstall20.exe
Token: SeBackupPrivilege	4256	askinstall20.exe
Token: SeRestorePrivilege	4256	askinstall20.exe
Token: SeShutdownPrivilege	4256	askinstall20.exe
Token: SeDebugPrivilege	4256	askinstall20.exe
Token: SeAuditPrivilege	4256	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	4256	askinstall20.exe
Token: SeChangeNotifyPrivilege	4256	askinstall20.exe
Token: SeRemoteShutdownPrivilege	4256	askinstall20.exe
Token: SeUndockPrivilege	4256	askinstall20.exe
Token: SeSyncAgentPrivilege	4256	askinstall20.exe
Token: SeEnableDelegationPrivilege	4256	askinstall20.exe
Token: SeManageVolumePrivilege	4256	askinstall20.exe
Token: SeImpersonatePrivilege	4256	askinstall20.exe
Token: SeCreateGlobalPrivilege	4256	askinstall20.exe
Token: 31	4256	askinstall20.exe
Token: 32	4256	askinstall20.exe
Token: 33	4256	askinstall20.exe
Token: 34	4256	askinstall20.exe
Token: 35	4256	askinstall20.exe
Token: SeDebugPrivilege	1080	taskkill.exe
Token: SeDebugPrivilege	3400	MicrosoftEdge.exe
Token: SeDebugPrivilege	3400	MicrosoftEdge.exe
Token: SeDebugPrivilege	3400	MicrosoftEdge.exe
Token: SeDebugPrivilege	3400	MicrosoftEdge.exe
Token: SeDebugPrivilege	1212	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1212	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1212	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1212	MicrosoftEdgeCP.exe
Token: SeLockMemoryPrivilege	5000	msiexec.exe
Token: SeLockMemoryPrivilege	5000	msiexec.exe
Token: SeManageVolumePrivilege	2432	md2_2efs.exe
Token: SeManageVolumePrivilege	2432	md2_2efs.exe
Token: SeManageVolumePrivilege	2432	md2_2efs.exe
Token: SeDebugPrivilege	3140	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3140	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5116	BTRSetp.exe
Token: SeDebugPrivilege	4744	8441342.exe
Token: SeDebugPrivilege	3860	2928718.exe
Token: SeDebugPrivilege	3144	5342057.exe
Token: SeDebugPrivilege	3640	8568804.exe
Token: SeDebugPrivilege	4796	8568804.exe
Token: SeDebugPrivilege	4716	2928718.exe
Token: SeDebugPrivilege	3400	MicrosoftEdge.exe
Token: SeShutdownPrivilege	332	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	332	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	332	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	332	MicrosoftEdgeCP.exe
Token: 33	2764	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

setups.exesetups.tmpMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
4640	setups.exe
188	setups.tmp
3400	MicrosoftEdge.exe
4468	MicrosoftEdgeCP.exe
4468	MicrosoftEdgeCP.exe
3452	MicrosoftEdge.exe
1224	MicrosoftEdgeCP.exe
1224	MicrosoftEdgeCP.exe
4728	MicrosoftEdge.exe
4176	MicrosoftEdgeCP.exe
4176	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DBF.Viewer.Pro.3.11.crack.by.F4CG.execmd.exekeygen-pr.exekeygen-step-4.exekey.exekeygen-step-3.execmd.exeSetup.exesetups.exeaskinstall20.execmd.exefile.exe7758.tmp.exe

description	pid	process	target process
PID 4684 wrote to memory of 3892	4684	DBF.Viewer.Pro.3.11.crack.by.F4CG.exe	cmd.exe
PID 4684 wrote to memory of 3892	4684	DBF.Viewer.Pro.3.11.crack.by.F4CG.exe	cmd.exe
PID 4684 wrote to memory of 3892	4684	DBF.Viewer.Pro.3.11.crack.by.F4CG.exe	cmd.exe
PID 3892 wrote to memory of 4068	3892	cmd.exe	keygen-pr.exe
PID 3892 wrote to memory of 4068	3892	cmd.exe	keygen-pr.exe
PID 3892 wrote to memory of 4068	3892	cmd.exe	keygen-pr.exe
PID 3892 wrote to memory of 4044	3892	cmd.exe	keygen-step-1.exe
PID 3892 wrote to memory of 4044	3892	cmd.exe	keygen-step-1.exe
PID 3892 wrote to memory of 4044	3892	cmd.exe	keygen-step-1.exe
PID 3892 wrote to memory of 2056	3892	cmd.exe	keygen-step-3.exe
PID 3892 wrote to memory of 2056	3892	cmd.exe	keygen-step-3.exe
PID 3892 wrote to memory of 2056	3892	cmd.exe	keygen-step-3.exe
PID 3892 wrote to memory of 4512	3892	cmd.exe	keygen-step-4.exe
PID 3892 wrote to memory of 4512	3892	cmd.exe	keygen-step-4.exe
PID 3892 wrote to memory of 4512	3892	cmd.exe	keygen-step-4.exe
PID 4068 wrote to memory of 1460	4068	keygen-pr.exe	key.exe
PID 4068 wrote to memory of 1460	4068	keygen-pr.exe	key.exe
PID 4068 wrote to memory of 1460	4068	keygen-pr.exe	key.exe
PID 4512 wrote to memory of 1768	4512	keygen-step-4.exe	Setup.exe
PID 4512 wrote to memory of 1768	4512	keygen-step-4.exe	Setup.exe
PID 1460 wrote to memory of 2212	1460	key.exe	key.exe
PID 1460 wrote to memory of 2212	1460	key.exe	key.exe
PID 1460 wrote to memory of 2212	1460	key.exe	key.exe
PID 2056 wrote to memory of 2292	2056	keygen-step-3.exe	cmd.exe
PID 2056 wrote to memory of 2292	2056	keygen-step-3.exe	cmd.exe
PID 2056 wrote to memory of 2292	2056	keygen-step-3.exe	cmd.exe
PID 2292 wrote to memory of 2456	2292	cmd.exe	PING.EXE
PID 2292 wrote to memory of 2456	2292	cmd.exe	PING.EXE
PID 2292 wrote to memory of 2456	2292	cmd.exe	PING.EXE
PID 1768 wrote to memory of 4640	1768	Setup.exe	setups.exe
PID 1768 wrote to memory of 4640	1768	Setup.exe	setups.exe
PID 1768 wrote to memory of 4640	1768	Setup.exe	setups.exe
PID 4512 wrote to memory of 4256	4512	keygen-step-4.exe	askinstall20.exe
PID 4512 wrote to memory of 4256	4512	keygen-step-4.exe	askinstall20.exe
PID 4512 wrote to memory of 4256	4512	keygen-step-4.exe	askinstall20.exe
PID 4640 wrote to memory of 188	4640	setups.exe	setups.tmp
PID 4640 wrote to memory of 188	4640	setups.exe	setups.tmp
PID 4640 wrote to memory of 188	4640	setups.exe	setups.tmp
PID 4256 wrote to memory of 3916	4256	askinstall20.exe	cmd.exe
PID 4256 wrote to memory of 3916	4256	askinstall20.exe	cmd.exe
PID 4256 wrote to memory of 3916	4256	askinstall20.exe	cmd.exe
PID 3916 wrote to memory of 1080	3916	cmd.exe	taskkill.exe
PID 3916 wrote to memory of 1080	3916	cmd.exe	taskkill.exe
PID 3916 wrote to memory of 1080	3916	cmd.exe	taskkill.exe
PID 4512 wrote to memory of 1240	4512	keygen-step-4.exe	file.exe
PID 4512 wrote to memory of 1240	4512	keygen-step-4.exe	file.exe
PID 4512 wrote to memory of 1240	4512	keygen-step-4.exe	file.exe
PID 1240 wrote to memory of 4440	1240	file.exe	7758.tmp.exe
PID 1240 wrote to memory of 4440	1240	file.exe	7758.tmp.exe
PID 1240 wrote to memory of 4440	1240	file.exe	7758.tmp.exe
PID 1240 wrote to memory of 1908	1240	file.exe	77E6.tmp.exe
PID 1240 wrote to memory of 1908	1240	file.exe	77E6.tmp.exe
PID 1240 wrote to memory of 2264	1240	file.exe	7893.tmp.exe
PID 1240 wrote to memory of 2264	1240	file.exe	7893.tmp.exe
PID 1240 wrote to memory of 2264	1240	file.exe	7893.tmp.exe
PID 1240 wrote to memory of 2452	1240	file.exe	cmd.exe
PID 1240 wrote to memory of 2452	1240	file.exe	cmd.exe
PID 1240 wrote to memory of 2452	1240	file.exe	cmd.exe
PID 4512 wrote to memory of 2432	4512	keygen-step-4.exe	md2_2efs.exe
PID 4512 wrote to memory of 2432	4512	keygen-step-4.exe	md2_2efs.exe
PID 4512 wrote to memory of 2432	4512	keygen-step-4.exe	md2_2efs.exe
PID 4440 wrote to memory of 4652	4440	7758.tmp.exe	7758.tmp.exe
PID 4440 wrote to memory of 4652	4440	7758.tmp.exe	7758.tmp.exe
PID 4440 wrote to memory of 4652	4440	7758.tmp.exe	7758.tmp.exe

C:\Users\Admin\AppData\Local\Temp\DBF.Viewer.Pro.3.11.crack.by.F4CG.exe
"C:\Users\Admin\AppData\Local\Temp\DBF.Viewer.Pro.3.11.crack.by.F4CG.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:4044

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:2456

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\FRNAARQMSF\setups.exe
"C:\Users\Admin\AppData\Local\Temp\FRNAARQMSF\setups.exe" ll
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\Temp\is-LLIL5.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LLIL5.tmp\setups.tmp" /SL5="$701D0,635399,250368,C:\Users\Admin\AppData\Local\Temp\FRNAARQMSF\setups.exe" ll
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:188

C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Roaming\7758.tmp.exe
"C:\Users\Admin\AppData\Roaming\7758.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4440

C:\Users\Admin\AppData\Roaming\7758.tmp.exe
"C:\Users\Admin\AppData\Roaming\7758.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4652

C:\Users\Admin\AppData\Roaming\77E6.tmp.exe
"C:\Users\Admin\AppData\Roaming\77E6.tmp.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1908

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
6⤵
PID:4676

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
6⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Users\Admin\AppData\Roaming\7893.tmp.exe
"C:\Users\Admin\AppData\Roaming\7893.tmp.exe"
5⤵
- Executes dropped EXE
PID:2264

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\7893.tmp.exe
6⤵
PID:1940

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
7⤵
- Delays execution with timeout.exe
PID:4408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
5⤵
PID:2452

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:4028

C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\ProgramData\8441342.exe
"C:\ProgramData\8441342.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\ProgramData\5684678.exe
"C:\ProgramData\5684678.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4740

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
- Executes dropped EXE
PID:372

C:\ProgramData\8568804.exe
"C:\ProgramData\8568804.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\ProgramData\8568804.exe
"{path}"
6⤵
- Executes dropped EXE
PID:2668

C:\ProgramData\8568804.exe
"{path}"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\ProgramData\2928718.exe
"C:\ProgramData\2928718.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\ProgramData\2928718.exe
"{path}"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\ProgramData\5342057.exe
"C:\ProgramData\5342057.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4024

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:216

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4620

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:96

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3400

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3484

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4804

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4108

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3452

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4752

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4728

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3772

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4320

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1096

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1432

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xf8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\2928718.exe
MD5
01edc2fbbaa528d1a6109e1f36591053

SHA1
699a0d692aa99be460e16bca6b43e905e2f916e9

SHA256
6fad56f8cc5f3c2430072def37feaba35424f26416e27fa960fef3028b893a9a

SHA512
d90d00c7a0afe67acb8939167b60dfa5316cc4aa2a3178d8b12a7f5191f4baf71de8c90729bc78f6f0f6f0979cb80d512667d2eb09ca4557bb1bdebb509a0b1f

Download Submit
C:\ProgramData\2928718.exe
MD5
01edc2fbbaa528d1a6109e1f36591053

SHA1
699a0d692aa99be460e16bca6b43e905e2f916e9

SHA256
6fad56f8cc5f3c2430072def37feaba35424f26416e27fa960fef3028b893a9a

SHA512
d90d00c7a0afe67acb8939167b60dfa5316cc4aa2a3178d8b12a7f5191f4baf71de8c90729bc78f6f0f6f0979cb80d512667d2eb09ca4557bb1bdebb509a0b1f

Download Submit
C:\ProgramData\5342057.exe
MD5
7bf6050927666cf6652952e8948db7f0

SHA1
f07a24c916d1d9d2acbf81cbf573d9e7b9887c8a

SHA256
9d2b96a90d4b52e166ad30c91c414ab1893ed0dbf0df1bfc39ee1b5034413188

SHA512
c38cbdd660533cb97fa48542b079febb90adc0c3ba4d34b92064211eb02655581fcf2e07d63964b7276736a7d8d45245c4a2b6f4a2ac9146c95274c2294494d8

Download Submit
C:\ProgramData\5342057.exe
MD5
7bf6050927666cf6652952e8948db7f0

SHA1
f07a24c916d1d9d2acbf81cbf573d9e7b9887c8a

SHA256
9d2b96a90d4b52e166ad30c91c414ab1893ed0dbf0df1bfc39ee1b5034413188

SHA512
c38cbdd660533cb97fa48542b079febb90adc0c3ba4d34b92064211eb02655581fcf2e07d63964b7276736a7d8d45245c4a2b6f4a2ac9146c95274c2294494d8

Download Submit
C:\ProgramData\5684678.exe
MD5
1a81ba9ad78461d110a7a41c4f18f74a

SHA1
bd73c51eeac5e4c6fb43bb76b333cdb4ce37a1d8

SHA256
16695ae20f9aec7860d7cd4f06a098817eb7cb65a31442b17d02e2a7bbad330f

SHA512
a95281dc103a0ff44673e91082b04d265df201581d0929e4e3f634667645ef0d64025233097b0e05b399c82ccdd5117531b202f614b2b40958c5b6810cecb5dd

Download Submit
C:\ProgramData\5684678.exe
MD5
1a81ba9ad78461d110a7a41c4f18f74a

SHA1
bd73c51eeac5e4c6fb43bb76b333cdb4ce37a1d8

SHA256
16695ae20f9aec7860d7cd4f06a098817eb7cb65a31442b17d02e2a7bbad330f

SHA512
a95281dc103a0ff44673e91082b04d265df201581d0929e4e3f634667645ef0d64025233097b0e05b399c82ccdd5117531b202f614b2b40958c5b6810cecb5dd

Download Submit
C:\ProgramData\8441342.exe
MD5
8824352e053aeb97edf972bf16d39dbf

SHA1
4ef26fb3d96df3ac455d697240730f78e7cd56dd

SHA256
c750314a41b07bc0d0d8044ff1b965c293e44f3368e59a4497aabae59d3fda88

SHA512
ea5fe864ea6f4e2dcb73ded6f0c4ca76a64a7d7fa419c04dc3fd79c6b7ebb4774b5aa794d560633fba42493d6e70836ee4cc62601cd29dd1f75d0a72bf98f998

Download Submit
C:\ProgramData\8441342.exe
MD5
8824352e053aeb97edf972bf16d39dbf

SHA1
4ef26fb3d96df3ac455d697240730f78e7cd56dd

SHA256
c750314a41b07bc0d0d8044ff1b965c293e44f3368e59a4497aabae59d3fda88

SHA512
ea5fe864ea6f4e2dcb73ded6f0c4ca76a64a7d7fa419c04dc3fd79c6b7ebb4774b5aa794d560633fba42493d6e70836ee4cc62601cd29dd1f75d0a72bf98f998

Download Submit
C:\ProgramData\8568804.exe
MD5
bacf7135270eb0428c6238894c6e8652

SHA1
5ce91cdbfc5103381f18a53d1fd085e55f0430c6

SHA256
688a124a4808ee16306b71e0d707ec18723551650b933b73dbd84269479a8c43

SHA512
fca47eff8b5462229a503071a3bc2ea1cd974aeeab46dcf072e30e833e4087a5546687e6ac1787ae0028907e4d048f701b303033ef43693fc331da3f7968d662

Download Submit
C:\ProgramData\8568804.exe
MD5
bacf7135270eb0428c6238894c6e8652

SHA1
5ce91cdbfc5103381f18a53d1fd085e55f0430c6

SHA256
688a124a4808ee16306b71e0d707ec18723551650b933b73dbd84269479a8c43

SHA512
fca47eff8b5462229a503071a3bc2ea1cd974aeeab46dcf072e30e833e4087a5546687e6ac1787ae0028907e4d048f701b303033ef43693fc331da3f7968d662

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe
MD5
1a81ba9ad78461d110a7a41c4f18f74a

SHA1
bd73c51eeac5e4c6fb43bb76b333cdb4ce37a1d8

SHA256
16695ae20f9aec7860d7cd4f06a098817eb7cb65a31442b17d02e2a7bbad330f

SHA512
a95281dc103a0ff44673e91082b04d265df201581d0929e4e3f634667645ef0d64025233097b0e05b399c82ccdd5117531b202f614b2b40958c5b6810cecb5dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
588e23d5136318e8f42b77e9da021462

SHA1
cd02352608e8641f4b6574123ca6780faa799e2f

SHA256
34198731d9ce3519d92e0c56e37650bcad6f84f8572ea87c23683b1e99e08ff9

SHA512
ea98ec130eab03fd1f083e4cb08d2b0d506c5985ebe903cd8d82c738eac4c538dffc275ab8490fb4326c19ab732e0732c101ca894537fed8bafbbbeafc00cd0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5EE9003E3DC4134E8CF26DC55FD926FA
MD5
e60b745cbb1dd6cf5bcd77ed9589616d

SHA1
6f7e8057181d4c2dbe1d982755a7e32326c1d9fc

SHA256
688259776c24f7429af206422a4dd79a62aa5b4e5d2af923be74edbb9c6dc2ac

SHA512
527ef23ed6c390ac7d328ba7ffc393151d33bbc99293e6b8f6047ae39b93f6f5d22fa5d8dda9ac76f2732f9af0dcfe90b5f5327a16a906fdbff343762f42c9cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
f8e8cecf0e7b87ca9655876c74e4448f

SHA1
81cbbc8e89acc2b46ce23b876d68af4e4ea6e984

SHA256
5be90bfc1b0198d64016dabee198906523ce5b9719fb57233f0b4f9738e3bf36

SHA512
9c4d3e8fcd76e0886ada78d131c713ce038ed2fba350d43f63c123d08b824c1c38f93ebd5ab25d715947765e1f88c4d7264701c37d2ef514136b76c53b03f2b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
b97932f5bfaa8e747312b55f763cc270

SHA1
d02654d080c3d711f558b0165d35946d3920aa3a

SHA256
fe5a0006fde17b639ad9e97677a2a364f12c60a3a9cae4a7c9c9649142d92a2c

SHA512
9d40a09d99831674bf625720c734bf365f2c86eb0c6a510d51225491a203f4ac061a4329b622684a1d6e3f882805b9bfd70730dd2fc6a18a4f2a9cc8eb78474f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA
MD5
bcaa88e79255ae6a57d104551fb3801f

SHA1
5de779bc4168bd7c78cfaf56d7fa8c9bc285f5e8

SHA256
caed8ae9c71f7b534475df5838e2c24dfecc6344d441e4151c7fb617922f7c7d

SHA512
4e15ec4bac644d292c024d8ece83fe6662d9a25bb65687c454023a5c416268783b683acb559e2e3e75d6ca3f82aa0ff26350723f7394f1a782b0bfb99f7e899c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
daa2c46b9fc09c85d75e864543e551a2

SHA1
3e072edc9e597eaa162c010c9a4394a9dbee185c

SHA256
e14eaf981af7b71d9558203edaab518f56f578f9a93749dcaff9494b3b06905b

SHA512
cd0f269e088157308470252dd68e56c178d9644903c05cfcd2eb3d82c779c01566ea6a9175eb389236d0ebaf06b8578150ccb9a4f908a22d60a31c516264b903

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\8ZXVMB50.cookie
MD5
0cb8a89049b521dcdea62c383b9ca955

SHA1
440f4975713437c91ff89cf70b027ea9f5690939

SHA256
69f42a5c08de858d5cdfb5afacb8492bbe4a3c5ec13716b31f1ecd7336060797

SHA512
db1e599bf8bd2d7ff31772e9217de963e54c5dd5157dd91159951d608dcf482775a6801d6cbf2b9b314d8eece2ecebca518bd8f173f898e4ba4e458fd76c67b9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\9L2492VY.cookie
MD5
8de1bd06022494b67841edfd1d1a1d56

SHA1
b4c000746e113aa3e52dea7776303d425d8174c6

SHA256
3491378cd9290595ff6dc8e8e30176302ee614f7f060f42c57afa9f7167d0230

SHA512
0e1e66b7fe162d50910702ea687ddbd536c80c1da0b7776f70b412df663af9a31208295818881cc1015685b5af8a5c4fe24e043ad250747581df3e6812f09ecf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\F772OE8R.cookie
MD5
7bec047a42121ee4cca6942f3b31a4d2

SHA1
f4b4790fa2aaab79edd286c4d28ee364c632a743

SHA256
be8c632ebfe9ee2c2defbfa699005ac2a5fd6427db139eec6a3f2aab5452d8f8

SHA512
8308c263a5e127abedf0c013fadf3ffac19afdf7b6fa404e0e91f839d8bb25799608220b89e0029035058b6148aff2d04da89141f17d3ebe07d024201e6c12b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\I4B01OA9.cookie
MD5
d34b708a36fb56d286aec77612bee09b

SHA1
509840cfc2ad4955cfe11cc3fcbfa9a821c3a03e

SHA256
3aecbc9fb188364d5251959186ad0e3fc12d0b549b31baeffa99db89dd0287b4

SHA512
fbb72a6f8e8b0f3098566edb08176d4fc017f21212cb6d83493185f0f86d716ea537aae34ac97697b30252f825c24764ab0400018ad646363472afda54749a31

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\XIUI1DDR.cookie
MD5
985a5be55cd9e6cc885b7cf9d3989ef7

SHA1
45a4cf42848355da9d3e6e4be75497a9a378419d

SHA256
7d82066b1d5c265444479e96eb5cdbb14bd2a99a4f7b06ab7175c2948f3096c1

SHA512
c2696a5972d5a733bae26816c27e06390800d31f048daaf1c446e0877cba179eeaf92b12a595529b19d95d4b8b526382250ef95dfc362fe6fadf498f0234ddf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRNAARQMSF\setups.exe
MD5
b990e93a4386c13768f8f3285a0ca37d

SHA1
5bcbe2f8ad3c72190d5553c084aa3e47d810a495

SHA256
231ff2dfc7be6eb47f9b0c6393ea4fceb71bf66f67b00d3dffea0e58b44b5603

SHA512
7360395347094ef69a509ddf3040afcd8083907c1539b1af12b0ea08bf6835b600e765916ee6dc18242f85e1a038adf6aaecab15487076a52b8a02e89874bedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRNAARQMSF\setups.exe
MD5
b990e93a4386c13768f8f3285a0ca37d

SHA1
5bcbe2f8ad3c72190d5553c084aa3e47d810a495

SHA256
231ff2dfc7be6eb47f9b0c6393ea4fceb71bf66f67b00d3dffea0e58b44b5603

SHA512
7360395347094ef69a509ddf3040afcd8083907c1539b1af12b0ea08bf6835b600e765916ee6dc18242f85e1a038adf6aaecab15487076a52b8a02e89874bedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
MD5
9aaafaed80038c9dcb3bb6a532e9d071

SHA1
4657521b9a50137db7b1e2e84193363a2ddbd74f

SHA256
e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5

SHA512
9d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
MD5
9aaafaed80038c9dcb3bb6a532e9d071

SHA1
4657521b9a50137db7b1e2e84193363a2ddbd74f

SHA256
e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5

SHA512
9d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
MD5
53c3782f7cee8f21aab4083a34b7b6e5

SHA1
1a9826544b8d4ba2489202deebda8ab0c0c1350a

SHA256
3d75e7b503029b1605e21a5dd3aadb73d0423b260e6281bb345c774ff0f1283a

SHA512
71c417517acac68f3c6cf83802721ffa75a7f1eb25d08fb77e325304ffa7609934705e916b4df259846afd5e44b284c5cbca7e6b408f632fd5813fddd9ecadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
MD5
53c3782f7cee8f21aab4083a34b7b6e5

SHA1
1a9826544b8d4ba2489202deebda8ab0c0c1350a

SHA256
3d75e7b503029b1605e21a5dd3aadb73d0423b260e6281bb345c774ff0f1283a

SHA512
71c417517acac68f3c6cf83802721ffa75a7f1eb25d08fb77e325304ffa7609934705e916b4df259846afd5e44b284c5cbca7e6b408f632fd5813fddd9ecadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
MD5
f2632c204f883c59805093720dfe5a78

SHA1
c96e3aa03805a84fec3ea4208104a25a2a9d037e

SHA256
f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68

SHA512
5a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat
MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
MD5
5a8212889d0c460c0104c58680d92097

SHA1
5b9b1d72a81a39f68470f564d6776a0b2d5f2b4c

SHA256
dd9861fda825a389b65826d408afeeca98ad712fe74c021e6637b08b63f2e276

SHA512
9de34ba79fa51de4f6b0f8c76a7f91ed98575ddd07f20f1e79176d05746cd3ece484123f42838801cbfdde2d673cdad18bb9fd684f348d1f3a41d1469dab8b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
MD5
5a8212889d0c460c0104c58680d92097

SHA1
5b9b1d72a81a39f68470f564d6776a0b2d5f2b4c

SHA256
dd9861fda825a389b65826d408afeeca98ad712fe74c021e6637b08b63f2e276

SHA512
9de34ba79fa51de4f6b0f8c76a7f91ed98575ddd07f20f1e79176d05746cd3ece484123f42838801cbfdde2d673cdad18bb9fd684f348d1f3a41d1469dab8b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
MD5
8f7668daa62c43194f1cd7446e2059d7

SHA1
a601f41c760543aa62fbea422687576ddbe0e9a7

SHA256
0ef40fcd48d7200ac3afb82a159e0fedb7d281aa8c45b7c6eb1368937324d8de

SHA512
1b20dda2db6f3627d12df804f45d102baec62875d29f27405ad843776713d44089b979c7c03785b51b8b47131896375c561234c26e534bead534da7087e07e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
MD5
8f7668daa62c43194f1cd7446e2059d7

SHA1
a601f41c760543aa62fbea422687576ddbe0e9a7

SHA256
0ef40fcd48d7200ac3afb82a159e0fedb7d281aa8c45b7c6eb1368937324d8de

SHA512
1b20dda2db6f3627d12df804f45d102baec62875d29f27405ad843776713d44089b979c7c03785b51b8b47131896375c561234c26e534bead534da7087e07e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
MD5
6a3fa5991b1302bb1259422e8ffeae42

SHA1
274ca44587f68925056e619cbd077197b32ba81d

SHA256
25c4f24796841f34eb57f229962d2f1b4db7ab5eca2d36c6a22e0f69930aad89

SHA512
ef8b0395bb3fe92bc440e3365f670fb2d8ecc9c48a9880b3e1df108e8df20a202e0cd141664bc52bebb429cdd5494884a32aa61fdb1378d83f5516ebce20c9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
MD5
6a3fa5991b1302bb1259422e8ffeae42

SHA1
274ca44587f68925056e619cbd077197b32ba81d

SHA256
25c4f24796841f34eb57f229962d2f1b4db7ab5eca2d36c6a22e0f69930aad89

SHA512
ef8b0395bb3fe92bc440e3365f670fb2d8ecc9c48a9880b3e1df108e8df20a202e0cd141664bc52bebb429cdd5494884a32aa61fdb1378d83f5516ebce20c9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
MD5
1743533d63a8ba25142ffa3efc59b50b

SHA1
c770a27df5e4f002039528bf639cca1ce564b8f5

SHA256
e17f635114df8991b10f9611c3b1fcfaee87a98a11ad9623e894df9492c5a09e

SHA512
c5f9e2463598ab49b9f4ec87c7e8b427de52982b1bb7fc27c4182f36fcd27127fe4da11dbf44ad00e320169144cd3732dc8d62861403f57b8321010a1ab59b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
MD5
1743533d63a8ba25142ffa3efc59b50b

SHA1
c770a27df5e4f002039528bf639cca1ce564b8f5

SHA256
e17f635114df8991b10f9611c3b1fcfaee87a98a11ad9623e894df9492c5a09e

SHA512
c5f9e2463598ab49b9f4ec87c7e8b427de52982b1bb7fc27c4182f36fcd27127fe4da11dbf44ad00e320169144cd3732dc8d62861403f57b8321010a1ab59b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
MD5
60ecade3670b0017d25075b85b3c0ecc

SHA1
52b10f266b86bde95ddb10bb5ea71b8ee0c91a56

SHA256
fcb7e4ef69e4738ccae7181384b4eb27fbea2330224ac5b8c3fada06644cd0af

SHA512
559d200db1d11d7ff4375e4075a1d0d5cb26650255b0dfab605bdb1e314f5274bb5e62f5799eb1171d74d67d7893bc5c558a44bc0b6510c81a9ea888674393a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
MD5
60ecade3670b0017d25075b85b3c0ecc

SHA1
52b10f266b86bde95ddb10bb5ea71b8ee0c91a56

SHA256
fcb7e4ef69e4738ccae7181384b4eb27fbea2330224ac5b8c3fada06644cd0af

SHA512
559d200db1d11d7ff4375e4075a1d0d5cb26650255b0dfab605bdb1e314f5274bb5e62f5799eb1171d74d67d7893bc5c558a44bc0b6510c81a9ea888674393a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
MD5
e8fefc7a1bf76df943d6d43962f2f486

SHA1
d99c373dab301167bd0e4f1a4d2b1dcb3c32c7ac

SHA256
df196b2615b4f23fd269f1d8dab0194a7a58cb2d6576c4056b8832b9fa6dcf16

SHA512
b031cee26265c452872e70638b65941a5ec6777239827ad61098598767f4e0e2ce6d1438ddfc1d87785981b3dd203096dcf2c6066f020f4a1431b62ef3eb2f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
MD5
e8fefc7a1bf76df943d6d43962f2f486

SHA1
d99c373dab301167bd0e4f1a4d2b1dcb3c32c7ac

SHA256
df196b2615b4f23fd269f1d8dab0194a7a58cb2d6576c4056b8832b9fa6dcf16

SHA512
b031cee26265c452872e70638b65941a5ec6777239827ad61098598767f4e0e2ce6d1438ddfc1d87785981b3dd203096dcf2c6066f020f4a1431b62ef3eb2f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LLIL5.tmp\setups.tmp
MD5
281cb782d80e5eb1fca8953057ca35c8

SHA1
7995ee678ad793e1d0911c5d2ad3273b519bc33b

SHA256
0a59e8d6352f23c46930b36e7359072fe56bfb119fe610b5a4b256b152468c40

SHA512
a940254c76352a476651333eb046376a847711e1be8bf7855461863bcea21f28c7fcacfab70d54b3abdb2c02e2fcc413489d23dca146a0a7bad9fd4acd76cd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LLIL5.tmp\setups.tmp
MD5
281cb782d80e5eb1fca8953057ca35c8

SHA1
7995ee678ad793e1d0911c5d2ad3273b519bc33b

SHA256
0a59e8d6352f23c46930b36e7359072fe56bfb119fe610b5a4b256b152468c40

SHA512
a940254c76352a476651333eb046376a847711e1be8bf7855461863bcea21f28c7fcacfab70d54b3abdb2c02e2fcc413489d23dca146a0a7bad9fd4acd76cd82

Download Submit
C:\Users\Admin\AppData\Roaming\7758.tmp.exe
MD5
767ebe67e22004b0dd19a61058961183

SHA1
519e0baad6b70d73066e8db991bed476cf9111a8

SHA256
c1736aac7142a5d1886f504d91284efcb352ae6e51536bf3d865d511ede27585

SHA512
e07df6305870bb7b98510ee5c06ee004e0fffe5f444ec067f7e569352ab433242e345e0a0d26456f22dbda1fcd6ab335e94ac5062d205fc30d79dd9dd7baca24

Download Submit
C:\Users\Admin\AppData\Roaming\7758.tmp.exe
MD5
767ebe67e22004b0dd19a61058961183

SHA1
519e0baad6b70d73066e8db991bed476cf9111a8

SHA256
c1736aac7142a5d1886f504d91284efcb352ae6e51536bf3d865d511ede27585

SHA512
e07df6305870bb7b98510ee5c06ee004e0fffe5f444ec067f7e569352ab433242e345e0a0d26456f22dbda1fcd6ab335e94ac5062d205fc30d79dd9dd7baca24

Download Submit
C:\Users\Admin\AppData\Roaming\7758.tmp.exe
MD5
767ebe67e22004b0dd19a61058961183

SHA1
519e0baad6b70d73066e8db991bed476cf9111a8

SHA256
c1736aac7142a5d1886f504d91284efcb352ae6e51536bf3d865d511ede27585

SHA512
e07df6305870bb7b98510ee5c06ee004e0fffe5f444ec067f7e569352ab433242e345e0a0d26456f22dbda1fcd6ab335e94ac5062d205fc30d79dd9dd7baca24

Download Submit
C:\Users\Admin\AppData\Roaming\77E6.tmp.exe
MD5
01e6cae5a0f506d2b3b01162bcc7b078

SHA1
6e6d05630da0163a38a70865280fcad42ab1c74d

SHA256
25e36c95be9a4255ae41717a89b4f3749bc438640fc48be7b7560cd1afb855d1

SHA512
ee4fa60e70f6532896633a6c2f683405fa2f4246b9e4336a9a0171124e21761153c859f2ca69207e0e1a4f8979d192727c0b6c05879f4676646c1c12010a77ea

Download Submit
C:\Users\Admin\AppData\Roaming\77E6.tmp.exe
MD5
01e6cae5a0f506d2b3b01162bcc7b078

SHA1
6e6d05630da0163a38a70865280fcad42ab1c74d

SHA256
25e36c95be9a4255ae41717a89b4f3749bc438640fc48be7b7560cd1afb855d1

SHA512
ee4fa60e70f6532896633a6c2f683405fa2f4246b9e4336a9a0171124e21761153c859f2ca69207e0e1a4f8979d192727c0b6c05879f4676646c1c12010a77ea

Download Submit
C:\Users\Admin\AppData\Roaming\7893.tmp.exe
MD5
98d0976214fb5720a6b2c23ba035b741

SHA1
1eb4da1f7de4ca6718d75c6ac713b6324948ad6c

SHA256
553e5fd6df66c3d38733e1942ffbf2557843fc19c48fa1a2379eee9eb528c144

SHA512
4a1bf187b5483d70925cb1ae91090f2abde87ecd115d298f01e0c9c0b9bf428c53b3db6c6173aaf4b96cc345b093cd95cf2641894dc7b1edfdc2689ef6582925

Download Submit
C:\Users\Admin\AppData\Roaming\7893.tmp.exe
MD5
98d0976214fb5720a6b2c23ba035b741

SHA1
1eb4da1f7de4ca6718d75c6ac713b6324948ad6c

SHA256
553e5fd6df66c3d38733e1942ffbf2557843fc19c48fa1a2379eee9eb528c144

SHA512
4a1bf187b5483d70925cb1ae91090f2abde87ecd115d298f01e0c9c0b9bf428c53b3db6c6173aaf4b96cc345b093cd95cf2641894dc7b1edfdc2689ef6582925

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q2FMC.tmp\_isetup\_isdecmp.dll
MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q2FMC.tmp\_isetup\_isdecmp.dll
MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q2FMC.tmp\idp.dll
MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q2FMC.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q2FMC.tmp\itdownload.dll
MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q2FMC.tmp\psvince.dll
MD5
d726d1db6c265703dcd79b29adc63f86

SHA1
f471234fa142c8ece647122095f7ff8ea87cf423

SHA256
0afdfed86b9e8193d0a74b5752a693604ab7ca7369d75136899ff8b08b8c5692

SHA512
8cccbff39939bea7d6fe1066551d65d21185cef68d24913ea43f24b8f4e08a5581a9f662061611b15b5248f5f0d541e98d6f70164aaaad14d0856e76fabbfaa4

Download Submit
\Users\Admin\AppData\Local\Temp\is-Q2FMC.tmp\psvince.dll
MD5
d726d1db6c265703dcd79b29adc63f86

SHA1
f471234fa142c8ece647122095f7ff8ea87cf423

SHA256
0afdfed86b9e8193d0a74b5752a693604ab7ca7369d75136899ff8b08b8c5692

SHA512
8cccbff39939bea7d6fe1066551d65d21185cef68d24913ea43f24b8f4e08a5581a9f662061611b15b5248f5f0d541e98d6f70164aaaad14d0856e76fabbfaa4

Download Submit
memory/96-242-0x0000000000000000-mapping.dmp

Download
memory/188-51-0x00000000021E1000-0x00000000021E8000-memory.dmp

Filesize
28KB

Download
memory/188-39-0x0000000000000000-mapping.dmp

Download
memory/188-52-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/188-48-0x00000000032F1000-0x000000000331C000-memory.dmp

Filesize
172KB

Download
memory/188-44-0x00000000007D1000-0x00000000007D3000-memory.dmp

Filesize
8KB

Download
memory/216-185-0x0000000000000000-mapping.dmp

Download
memory/372-177-0x0000000071680000-0x0000000071D6E000-memory.dmp

Filesize
6.9MB

Download
memory/372-171-0x0000000000000000-mapping.dmp

Download
memory/372-187-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1080-54-0x0000000000000000-mapping.dmp

Download
memory/1240-74-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1240-58-0x0000000000B20000-0x0000000000B2D000-memory.dmp

Filesize
52KB

Download
memory/1240-55-0x0000000000000000-mapping.dmp

Download
memory/1460-26-0x0000000002900000-0x0000000002A9C000-memory.dmp

Filesize
1.6MB

Download
memory/1460-18-0x0000000000000000-mapping.dmp

Download
memory/1768-27-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1768-31-0x000000001BB60000-0x000000001BB62000-memory.dmp

Filesize
8KB

Download
memory/1768-25-0x00007FFEE8270000-0x00007FFEE8C5C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-22-0x0000000000000000-mapping.dmp

Download
memory/1800-241-0x0000000000000000-mapping.dmp

Download
memory/1908-68-0x0000000000000000-mapping.dmp

Download
memory/1940-103-0x0000000000000000-mapping.dmp

Download
memory/2056-12-0x0000000000000000-mapping.dmp

Download
memory/2264-97-0x0000000000400000-0x000000000587C000-memory.dmp

Filesize
84.5MB

Download
memory/2264-96-0x0000000007530000-0x000000000C9AC000-memory.dmp

Filesize
84.5MB

Download
memory/2264-71-0x0000000000000000-mapping.dmp

Download
memory/2292-29-0x0000000000000000-mapping.dmp

Download
memory/2432-78-0x0000000000000000-mapping.dmp

Download
memory/2452-75-0x0000000000000000-mapping.dmp

Download
memory/2456-30-0x0000000000000000-mapping.dmp

Download
memory/3144-186-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/3144-158-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/3144-172-0x0000000002B50000-0x0000000002B8B000-memory.dmp

Filesize
236KB

Download
memory/3144-165-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3144-178-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/3144-153-0x0000000071680000-0x0000000071D6E000-memory.dmp

Filesize
6.9MB

Download
memory/3144-148-0x0000000000000000-mapping.dmp

Download
memory/3640-169-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/3640-126-0x0000000000000000-mapping.dmp

Download
memory/3640-199-0x0000000009270000-0x0000000009316000-memory.dmp

Filesize
664KB

Download
memory/3640-200-0x000000000B910000-0x000000000B971000-memory.dmp

Filesize
388KB

Download
memory/3640-166-0x0000000008DD0000-0x0000000008E65000-memory.dmp

Filesize
596KB

Download
memory/3640-140-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/3640-137-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

Filesize
4KB

Download
memory/3640-133-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/3640-168-0x0000000005B50000-0x0000000005B55000-memory.dmp

Filesize
20KB

Download
memory/3640-131-0x0000000071680000-0x0000000071D6E000-memory.dmp

Filesize
6.9MB

Download
memory/3640-159-0x0000000001770000-0x0000000001771000-memory.dmp

Filesize
4KB

Download
memory/3640-150-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/3860-138-0x0000000000000000-mapping.dmp

Download
memory/3860-173-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/3860-175-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3860-208-0x0000000000B20000-0x0000000000B7E000-memory.dmp

Filesize
376KB

Download
memory/3860-155-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/3860-207-0x0000000009060000-0x0000000009104000-memory.dmp

Filesize
656KB

Download
memory/3860-146-0x0000000071680000-0x0000000071D6E000-memory.dmp

Filesize
6.9MB

Download
memory/3892-4-0x0000000000000000-mapping.dmp

Download
memory/3916-53-0x0000000000000000-mapping.dmp

Download
memory/4024-157-0x0000000000000000-mapping.dmp

Download
memory/4028-88-0x0000000000000000-mapping.dmp

Download
memory/4044-8-0x0000000000000000-mapping.dmp

Download
memory/4068-6-0x0000000000000000-mapping.dmp

Download
memory/4256-36-0x0000000000000000-mapping.dmp

Download
memory/4408-104-0x0000000000000000-mapping.dmp

Download
memory/4440-65-0x0000000000000000-mapping.dmp

Download
memory/4440-86-0x00000000047F0000-0x0000000004837000-memory.dmp

Filesize
284KB

Download
memory/4440-76-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/4512-15-0x0000000000000000-mapping.dmp

Download
memory/4620-197-0x0000000000000000-mapping.dmp

Download
memory/4640-32-0x0000000000000000-mapping.dmp

Download
memory/4640-35-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/4652-79-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4652-87-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4652-81-0x0000000000401480-mapping.dmp

Download
memory/4676-84-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4676-85-0x00000001401FBC30-mapping.dmp

Download
memory/4676-91-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/4716-210-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4716-212-0x0000000071680000-0x0000000071D6E000-memory.dmp

Filesize
6.9MB

Download
memory/4716-211-0x0000000000429792-mapping.dmp

Download
memory/4716-216-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/4740-125-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/4740-123-0x0000000071680000-0x0000000071D6E000-memory.dmp

Filesize
6.9MB

Download
memory/4740-132-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/4740-154-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/4740-118-0x0000000000000000-mapping.dmp

Download
memory/4740-139-0x0000000002330000-0x0000000002344000-memory.dmp

Filesize
80KB

Download
memory/4740-136-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/4744-117-0x0000000071680000-0x0000000071D6E000-memory.dmp

Filesize
6.9MB

Download
memory/4744-189-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4744-134-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/4744-142-0x000000000AD10000-0x000000000AD44000-memory.dmp

Filesize
208KB

Download
memory/4744-127-0x0000000003080000-0x0000000003081000-memory.dmp

Filesize
4KB

Download
memory/4744-122-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/4744-149-0x000000000AD70000-0x000000000AD71000-memory.dmp

Filesize
4KB

Download
memory/4744-114-0x0000000000000000-mapping.dmp

Download
memory/4796-206-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4796-219-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/4796-230-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/4796-229-0x0000000006870000-0x0000000006871000-memory.dmp

Filesize
4KB

Download
memory/4796-222-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/4796-221-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/4796-201-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4796-202-0x0000000000429782-mapping.dmp

Download
memory/4796-203-0x0000000071680000-0x0000000071D6E000-memory.dmp

Filesize
6.9MB

Download
memory/4796-220-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/4796-218-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/4796-217-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/4796-209-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/5000-89-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/5000-198-0x000002217D200000-0x000002217D220000-memory.dmp

Filesize
128KB

Download
memory/5000-93-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/5000-94-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/5000-95-0x000002217BA20000-0x000002217BA40000-memory.dmp

Filesize
128KB

Download
memory/5000-90-0x00000001402CA898-mapping.dmp

Download
memory/5000-92-0x000002217B7E0000-0x000002217B7F4000-memory.dmp

Filesize
80KB

Download
memory/5116-119-0x00000000013F0000-0x00000000013F2000-memory.dmp

Filesize
8KB

Download
memory/5116-105-0x0000000000000000-mapping.dmp

Download
memory/5116-108-0x00007FFEE7070000-0x00007FFEE7A5C000-memory.dmp

Filesize
9.9MB

Download
memory/5116-109-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/5116-113-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/5116-111-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/5116-112-0x00000000013B0000-0x00000000013CD000-memory.dmp

Filesize
116KB

Download