65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

Target

Install.exe
Size

497KB
MD5

41a5f4fd1ea7cac4aa94a87aebccfef0
SHA1

0d0abf079413a4c773754bf4fda338dc5b9a8ddc
SHA256

97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9
SHA512

5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

Score

9^/10

discovery evasion persistence

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

Ultra.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Ultra.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ultra.exe

Executes dropped EXE 7 IoCs

Processes:

Install.tmpUltra.exeultramediaburner.exeultramediaburner.tmpUltraMediaBurner.exePynigaexalo.exeBaesumaeraeve.exe

pid	process
5020	Install.tmp
3268	Ultra.exe
1800	ultramediaburner.exe
4168	ultramediaburner.tmp
4264	UltraMediaBurner.exe
1720	Pynigaexalo.exe
4336	Baesumaeraeve.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Pynigaexalo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Pynigaexalo.exe

Loads dropped DLL 1 IoCs

Processes:

Install.tmp

pid process

5020 Install.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Ultra.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MSBuild\\Kaviqyzhaele.exe\""	Ultra.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 9 IoCs

Processes:

Ultra.exeultramediaburner.tmp

description	ioc	process
File created	C:\Program Files\VideoLAN\NSXIKIZTZG\ultramediaburner.exe	Ultra.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-0AA68.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\MSBuild\Kaviqyzhaele.exe	Ultra.exe
File created	C:\Program Files (x86)\MSBuild\Kaviqyzhaele.exe.config	Ultra.exe
File created	C:\Program Files\VideoLAN\NSXIKIZTZG\ultramediaburner.exe.config	Ultra.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-7RN3N.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp

Drops file in Windows directory 2 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdgeCP.exebrowser_broker.exeMicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "e8rg8z5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f32afe8b693bd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packag = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8b0a3495693bd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658BE	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{6098DBB1-6589-455C-982D-7F75C56F9773} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = baa89ca46b3bd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "326296126"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{2BABD1EE-38AE-40CB-83E9-4E8FFD887388}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Pynigaexalo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Pynigaexalo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Pynigaexalo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ultramediaburner.tmpBaesumaeraeve.exe

pid	process
4168	ultramediaburner.tmp
4168	ultramediaburner.tmp
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe
4336	Baesumaeraeve.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

3668 MicrosoftEdgeCP.exe
3668 MicrosoftEdgeCP.exe
3236 MicrosoftEdgeCP.exe
3236 MicrosoftEdgeCP.exe

pid	process
3668	MicrosoftEdgeCP.exe
3668	MicrosoftEdgeCP.exe
3236	MicrosoftEdgeCP.exe
3236	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

Ultra.exePynigaexalo.exeBaesumaeraeve.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	3268	Ultra.exe
Token: SeDebugPrivilege	1720	Pynigaexalo.exe
Token: SeDebugPrivilege	4336	Baesumaeraeve.exe
Token: SeDebugPrivilege	2108	MicrosoftEdge.exe
Token: SeDebugPrivilege	2108	MicrosoftEdge.exe
Token: SeDebugPrivilege	2108	MicrosoftEdge.exe
Token: SeDebugPrivilege	2108	MicrosoftEdge.exe
Token: SeDebugPrivilege	2188	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2188	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2188	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2188	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5040	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5040	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2108	MicrosoftEdge.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ultramediaburner.tmp

pid process

4168 ultramediaburner.tmp
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

2108 MicrosoftEdge.exe
3668 MicrosoftEdgeCP.exe
3668 MicrosoftEdgeCP.exe
3196 MicrosoftEdge.exe
3236 MicrosoftEdgeCP.exe
3236 MicrosoftEdgeCP.exe

pid	process
2108	MicrosoftEdge.exe
3668	MicrosoftEdgeCP.exe
3668	MicrosoftEdgeCP.exe
3196	MicrosoftEdge.exe
3236	MicrosoftEdgeCP.exe
3236	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

Install.exeInstall.tmpUltra.exeultramediaburner.exeultramediaburner.tmpMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 4436 wrote to memory of 5020	4436	Install.exe	Install.tmp
PID 4436 wrote to memory of 5020	4436	Install.exe	Install.tmp
PID 4436 wrote to memory of 5020	4436	Install.exe	Install.tmp
PID 5020 wrote to memory of 3268	5020	Install.tmp	Ultra.exe
PID 5020 wrote to memory of 3268	5020	Install.tmp	Ultra.exe
PID 3268 wrote to memory of 1800	3268	Ultra.exe	ultramediaburner.exe
PID 3268 wrote to memory of 1800	3268	Ultra.exe	ultramediaburner.exe
PID 3268 wrote to memory of 1800	3268	Ultra.exe	ultramediaburner.exe
PID 1800 wrote to memory of 4168	1800	ultramediaburner.exe	ultramediaburner.tmp
PID 1800 wrote to memory of 4168	1800	ultramediaburner.exe	ultramediaburner.tmp
PID 1800 wrote to memory of 4168	1800	ultramediaburner.exe	ultramediaburner.tmp
PID 3268 wrote to memory of 1720	3268	Ultra.exe	Pynigaexalo.exe
PID 3268 wrote to memory of 1720	3268	Ultra.exe	Pynigaexalo.exe
PID 4168 wrote to memory of 4264	4168	ultramediaburner.tmp	UltraMediaBurner.exe
PID 4168 wrote to memory of 4264	4168	ultramediaburner.tmp	UltraMediaBurner.exe
PID 3268 wrote to memory of 4336	3268	Ultra.exe	Baesumaeraeve.exe
PID 3268 wrote to memory of 4336	3268	Ultra.exe	Baesumaeraeve.exe
PID 3668 wrote to memory of 2188	3668	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3668 wrote to memory of 2188	3668	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3668 wrote to memory of 2188	3668	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3236 wrote to memory of 2716	3236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3236 wrote to memory of 2716	3236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3236 wrote to memory of 2716	3236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3236 wrote to memory of 2716	3236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3236 wrote to memory of 2716	3236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3236 wrote to memory of 2716	3236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3236 wrote to memory of 2716	3236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3236 wrote to memory of 2716	3236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3236 wrote to memory of 2716	3236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3236 wrote to memory of 2716	3236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\Temp\is-5K6EE.tmp\Install.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5K6EE.tmp\Install.tmp" /SL5="$30164,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5020

C:\Users\Admin\AppData\Local\Temp\is-QV3JS.tmp\Ultra.exe
"C:\Users\Admin\AppData\Local\Temp\is-QV3JS.tmp\Ultra.exe" /S /UID=burnerch1
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268

C:\Program Files\VideoLAN\NSXIKIZTZG\ultramediaburner.exe
"C:\Program Files\VideoLAN\NSXIKIZTZG\ultramediaburner.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\is-1VTEJ.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1VTEJ.tmp\ultramediaburner.tmp" /SL5="$200FA,281924,62464,C:\Program Files\VideoLAN\NSXIKIZTZG\ultramediaburner.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4168

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
6⤵
- Executes dropped EXE
PID:4264

C:\Users\Admin\AppData\Local\Temp\fe-3b3b7-0a8-26ab0-e31ea8cb37e7b\Pynigaexalo.exe
"C:\Users\Admin\AppData\Local\Temp\fe-3b3b7-0a8-26ab0-e31ea8cb37e7b\Pynigaexalo.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Users\Admin\AppData\Local\Temp\e2-c482d-435-8728f-e879c80255385\Baesumaeraeve.exe
"C:\Users\Admin\AppData\Local\Temp\e2-c482d-435-8728f-e879c80255385\Baesumaeraeve.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2424

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3248

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3196

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2716

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
C:\Program Files\VideoLAN\NSXIKIZTZG\ultramediaburner.exe
MD5
6103ca066cd5345ec41feaf1a0fdadaf

SHA1
938acc555933ee4887629048be4b11df76bb8de8

SHA256
b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201

SHA512
a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

Download Submit
C:\Program Files\VideoLAN\NSXIKIZTZG\ultramediaburner.exe
MD5
6103ca066cd5345ec41feaf1a0fdadaf

SHA1
938acc555933ee4887629048be4b11df76bb8de8

SHA256
b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201

SHA512
a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
MD5
d1b1f562e42dd37c408c0a3c7ccfe189

SHA1
c01e61a5c5f44fb038228b7e542f6a8d7c8c283d

SHA256
7f468f04fe5a1b0616685f157a4285090b6ed3858d4cd9efe915aaeed83c158e

SHA512
404d279fabd4886008e47e9138f799cf398f0aa4c8556192d6e45dbcde99eac2cd65c47b9e0b88bd6d3a6529818f6048a23a197a913fb917b19dffbbd5d75850

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6F5AC3E88228423792AAC8245F6E27FA
MD5
8eddf904a00fd2973e32f80890cbe29e

SHA1
dd71c31a141815d3c922734eeed78abaa93ac242

SHA256
ef36635790e419ad9a4c0e0494f47c6b24210e05f8eb9d5b7476aa3604a1326a

SHA512
b8e16e47b7b972984c1c9dff1f574708614bff51e3c2b8ab1a23f591fa9387012319718c4b71849cbf7b9f53415de1633545acd050ccf0b834afb7c199274332

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
MD5
54eec546ffe6956ac5df6e262a9a0437

SHA1
4fd95c26f690caa675c09633e980eef118c3d205

SHA256
0bc52fd7f910139130e3fe77faa6006716b4c59a327f93f823dd55b6f18cc038

SHA512
da651d088d34b36fac4a6a885e99eebebcc8ccbab217d9f1f744efc3e490fba79d2eed2b9cfaac5488147e82b5fe114a9514c32e3aeca40fc4e8ae245e147a5b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
MD5
ad6a890870ab139530e8ec727fb6bd7a

SHA1
4d082ea43b94709fd220c41b4f2fd4028b3b0808

SHA256
0115b2053ed9f43f534ad36e17f7fb9daf451fbb20051c0525ec8c2ce0de3801

SHA512
ffa0e4de14898106ff34dcc6817294a5283b93b818f3baadd0a9957f7757b3ee4e73e2bebaea2d6cfc606a44e6eef5a6ff5dc96c0f6241d43d08fda6f6c9e75a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6F5AC3E88228423792AAC8245F6E27FA
MD5
dba62830d51aaf40b663b8e31b558b40

SHA1
4aad314c0d4aba7e104ec12d3ffc9ac3694bb1d5

SHA256
dd2557efdb1a6f256292ddcdc3a267e022f42e1658a5dd948fb97031aa39032c

SHA512
bcb575dbdfb818c7f449aad31313fef2d6b9fc51c4485c1db1dce398f1f7f631f9d3d99044ee864aa6443d80ed7c0adea3bfe9cf1f9b56022d1043044e05c79c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
MD5
9536d825e2e5ed39a11862dc9eeaea9f

SHA1
1bcb1fa1bc5f696ac357f2207f819f85a4b1f80e

SHA256
b93fb0418add0e85e6fc052365e26c67fce8997cbdb006133cb5d56468c624d3

SHA512
aeed80eb6bc2975943bc76c6adcf50a1e3288770c69147ab2c7bf027118644de062331fc8afdb1dae2f501fbe55912d9f3b8ce310ef525c892b02b6215bed9df

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
MD5
43a8297f483c7f565ce416518e9dc9b2

SHA1
b6b8aeeceadf78fb2d91e7b24d4c3f9eda9de4f9

SHA256
54a1453673f0654df5134fa705d0e3c893bdfd66d2ac85d423965fefc938d4bb

SHA512
568c245f1c4d7072d39edf7e8fe2ee90bf7f46325bd4803d341c4247f33f963b367224b403ee9eb75edbe32a4cb4470d9f37920252eb14ae5385399b7dff2976

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
MD5
3f678065ac9cc948fbd8a0af3d589c16

SHA1
e5762eb8b42f1db543552a3fd54abc16d9c50d76

SHA256
625082781e302124195e5c9f551a145354dcf2a4084509ca5c28f61d2bc88da7

SHA512
4cd387524d2fea479b04e97cc17b801bcf6972cf62173461c58f7105448e83ee3d65c59c394a871b91f240cbe214ab2616160a1164fec29ec0aa354f3af590dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
MD5
69f5f5be0f0e396bb91c630da3cda3e4

SHA1
067dbe05431b8e6f8cfdef3646aa4923d5befcac

SHA256
af8835393cd21470a05a149d795c04df2da822c401a8f72b6383ebb5377d81da

SHA512
f6a79c303cac3450d84e1387d229326f3b6941d439bacf3e85ef1f3341d44b0ff504ce314b657cb119a6784fa1b221954079fbeac86fcecabb786680ab769b02

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
MD5
d165d188f9a9d989fc5d65ea201f5d73

SHA1
5d290828648c788a18c15f4c09936500d3881f05

SHA256
24b078a8acca1c0686a704b217f5c190916451ab3ac15f9169df2bf4cfc6bcca

SHA512
b8511ad41057f04ac5a1dd3dc1cbad4e71d9e8325b0c6af4fe00afd008001d4a429fe449657d7ae54a0f1fb18f615695449cba5bd436bf29c6a15d6cdb06b432

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{077ABF2B-2DF4-4D59-8F70-E12332B7DDA7}.dat
MD5
d09fa40226ea84b49a70e81b11f49998

SHA1
3c02d598e040883032db56d1198d73f1f2234628

SHA256
44885ac810320fe3714c90e4dea8860c527fb2ec80050605945b8b46761deee5

SHA512
7720096dec62fce75717ea20539583d0fbd63817f80f197d19d04cdb0a1205cfbf7221f661cbe9587c4c4e89a318297563a763b269e9879906592309110add0c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{7E6423B6-9F47-465A-AA4B-C7C7DE3DC14D}.dat
MD5
8b1d28b432859505e7d88e1516a34fb9

SHA1
c69cff3bedc6b5d8e3d092269df24ec65816c6bd

SHA256
370d9611a8ce153dadd95dc604ba2a394e8bc5a548cf4f7df1ab17275a135165

SHA512
4a5e139515e6ea07d63a5daea5481675b98d9c451d7ec43121033c5acd73085fd1147ea07869346c5d5969dfd3fe9ec866084e4b2f29554118e5f053da8ec5ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{E3596640-5D23-42F0-8E77-C905CB878847}.dat
MD5
0edc04c3656de22fb9a427a53e6528b9

SHA1
dd670235db41a0f8f8570834b7c4e24ed3559e99

SHA256
9a73c8a56bccc948c5c57f1fdebda49599d8684eb6ed76848d9770d4eb638a63

SHA512
d7998a1909da01db72982666fbb5688f784566b6f830f9fa62ce6549fee7127aaaf248c53cc72926beb1843b8c9a46fe826f2ca22fa7283b56d8c3b2fa9c5f9c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
MD5
d1b1f562e42dd37c408c0a3c7ccfe189

SHA1
c01e61a5c5f44fb038228b7e542f6a8d7c8c283d

SHA256
7f468f04fe5a1b0616685f157a4285090b6ed3858d4cd9efe915aaeed83c158e

SHA512
404d279fabd4886008e47e9138f799cf398f0aa4c8556192d6e45dbcde99eac2cd65c47b9e0b88bd6d3a6529818f6048a23a197a913fb917b19dffbbd5d75850

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\6F5AC3E88228423792AAC8245F6E27FA
MD5
8eddf904a00fd2973e32f80890cbe29e

SHA1
dd71c31a141815d3c922734eeed78abaa93ac242

SHA256
ef36635790e419ad9a4c0e0494f47c6b24210e05f8eb9d5b7476aa3604a1326a

SHA512
b8e16e47b7b972984c1c9dff1f574708614bff51e3c2b8ab1a23f591fa9387012319718c4b71849cbf7b9f53415de1633545acd050ccf0b834afb7c199274332

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
MD5
086798153a397fd67a778087cef4a7aa

SHA1
b98fac2ae32e7d79fb1f8b2ae05d14798e84eb44

SHA256
06b5374c31d95049995d9000383681d8c12c38d0973ec977f5ddbd74088f9214

SHA512
7da6d8b02c4f78ab5ed5538bbc53eb8dc0c3f846982da9561bcdb04173463fffa673ea2636c07d11781bbd9e929d95760f9e0d2c14715a6838b2c6cb5c9bca7a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\MetaData\6F5AC3E88228423792AAC8245F6E27FA
MD5
2489377a3ef2fb7b44a6306f301465f6

SHA1
e6434d38eb92d2198f4a9585bad821b2cdd9df14

SHA256
e3df8b4d52b13fa4c3809a69d7f61c4227d667476d28ba0ce905d719bbd49cb2

SHA512
9c495ed1b6b72f8926caced678dc1d54f7ad3268cdb1f064e82b949cb029978e058cd02e06b427a50ef77a05df4a090df254749de2a6b8250a6f19074058a2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2-c482d-435-8728f-e879c80255385\Baesumaeraeve.exe
MD5
c1671cfbdbd5de53b60feb041f290a7d

SHA1
7d8c20bf34a7d970f98a2d339d022e2e143b5c58

SHA256
53637bf7daa6b5edf35a77767d903da429e0b9a3a6705194f137925f44c1522a

SHA512
751b869a9903939b6a3dd208b428656d694969fcf475bb0a28e1b9b2e7f22c0575b6b9b1b6ee5e661589812004d48c81e02fdaf8981440a59c1995cd0f3acceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2-c482d-435-8728f-e879c80255385\Baesumaeraeve.exe
MD5
c1671cfbdbd5de53b60feb041f290a7d

SHA1
7d8c20bf34a7d970f98a2d339d022e2e143b5c58

SHA256
53637bf7daa6b5edf35a77767d903da429e0b9a3a6705194f137925f44c1522a

SHA512
751b869a9903939b6a3dd208b428656d694969fcf475bb0a28e1b9b2e7f22c0575b6b9b1b6ee5e661589812004d48c81e02fdaf8981440a59c1995cd0f3acceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2-c482d-435-8728f-e879c80255385\Baesumaeraeve.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe-3b3b7-0a8-26ab0-e31ea8cb37e7b\Pynigaexalo.exe
MD5
b13abfab75b4ac0c6d13856bf66cdced

SHA1
54e54f12d4b0904c37385dbd9e7d14664ef43248

SHA256
ba8578d0f769689646a0f5a70f72bf9c397fa2908325a5b264da8d1d36c17940

SHA512
c0c1ff455193e331ce3c21dd80d9529d692d0bdf02f15c36a918256830bed82277f347731940ecc237526c2653ce976d8c96e1123f5d42dcbfb3e8b5380fc7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe-3b3b7-0a8-26ab0-e31ea8cb37e7b\Pynigaexalo.exe
MD5
b13abfab75b4ac0c6d13856bf66cdced

SHA1
54e54f12d4b0904c37385dbd9e7d14664ef43248

SHA256
ba8578d0f769689646a0f5a70f72bf9c397fa2908325a5b264da8d1d36c17940

SHA512
c0c1ff455193e331ce3c21dd80d9529d692d0bdf02f15c36a918256830bed82277f347731940ecc237526c2653ce976d8c96e1123f5d42dcbfb3e8b5380fc7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe-3b3b7-0a8-26ab0-e31ea8cb37e7b\Pynigaexalo.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1VTEJ.tmp\ultramediaburner.tmp
MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1VTEJ.tmp\ultramediaburner.tmp
MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5K6EE.tmp\Install.tmp
MD5
45ca138d0bb665df6e4bef2add68c7bf

SHA1
12c1a48e3a02f319a3d3ca647d04442d55e09265

SHA256
3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37

SHA512
cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QV3JS.tmp\Ultra.exe
MD5
cc2e3f1906f2f7a7318ce8e6f0f00683

SHA1
ff26f4b8ba148ddd488dde4eadd2412d6c288580

SHA256
0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2

SHA512
49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QV3JS.tmp\Ultra.exe
MD5
cc2e3f1906f2f7a7318ce8e6f0f00683

SHA1
ff26f4b8ba148ddd488dde4eadd2412d6c288580

SHA256
0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2

SHA512
49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

Download Submit
\Users\Admin\AppData\Local\Temp\is-QV3JS.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/1720-141-0x0000000002C70000-0x0000000002C72000-memory.dmp

Filesize
8KB

Download
memory/1720-131-0x0000000000000000-mapping.dmp

Download
memory/1800-126-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1800-124-0x0000000000000000-mapping.dmp

Download
memory/3196-157-0x000001E4B7020000-0x000001E4B7030000-memory.dmp

Filesize
64KB

Download
memory/3268-120-0x0000000000000000-mapping.dmp

Download
memory/3268-123-0x0000000000EE0000-0x0000000000EE2000-memory.dmp

Filesize
8KB

Download
memory/4168-128-0x0000000000000000-mapping.dmp

Download
memory/4168-134-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4264-148-0x0000000002A74000-0x0000000002A75000-memory.dmp

Filesize
4KB

Download
memory/4264-147-0x0000000002A72000-0x0000000002A74000-memory.dmp

Filesize
8KB

Download
memory/4264-132-0x0000000000000000-mapping.dmp

Download
memory/4264-140-0x0000000002A70000-0x0000000002A72000-memory.dmp

Filesize
8KB

Download
memory/4264-150-0x0000000002A75000-0x0000000002A77000-memory.dmp

Filesize
8KB

Download
memory/4336-142-0x0000000000000000-mapping.dmp

Download
memory/4336-146-0x00000000008F0000-0x00000000008F2000-memory.dmp

Filesize
8KB

Download
memory/4336-149-0x00000000008F2000-0x00000000008F4000-memory.dmp

Filesize
8KB

Download
memory/4436-114-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5020-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5020-115-0x0000000000000000-mapping.dmp

Download