redline | fb58621fe07c9c86655bd41a9e643fd98f1d3f0aad7fcc3a39f6c83421ebacac

Analysis

max time kernel
149s
max time network
159s
platform
windows10_x64
resource
win10v20210410
submitted
14-07-2021 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cb84d9bebb65cd72ed36cef22e59b8c.exe
Size

485KB
MD5

1cb84d9bebb65cd72ed36cef22e59b8c
SHA1

5c76d0b4d2b723e7d757a539e3f9e257c11162ef
SHA256

fb58621fe07c9c86655bd41a9e643fd98f1d3f0aad7fcc3a39f6c83421ebacac
SHA512

50af1279252f4afa12a13a73f78d55330fed0121a38942218ca4f8f50ff964000c35f8002f051d0f25925ac763745036582e42ff3097fbe51d946ad43a0b4b0e

Score

10^/10

redline 1 agilenet discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

ynabrdosmc.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4924-136-0x0000000001230000-0x000000000124B000-memory.dmp	family_redline
behavioral2/memory/4924-138-0x0000000003180000-0x0000000003199000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Updater.exeUpdater.exeUpdater.exe

pid process

3044 Updater.exe
4912 Updater.exe
4924 Updater.exe

pid	process
3044	Updater.exe
4912	Updater.exe
4924	Updater.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3044-127-0x00000000028A0000-0x00000000028A7000-memory.dmp	agile_net

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Updater.exe

description pid process target process

PID 3044 set thread context of 4924 3044 Updater.exe Updater.exe

description	pid	process	target process
PID 3044 set thread context of 4924	3044	Updater.exe	Updater.exe

Drops file in Program Files directory 7 IoCs

Processes:

1cb84d9bebb65cd72ed36cef22e59b8c.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe	1cb84d9bebb65cd72ed36cef22e59b8c.exe
File opened for modification	C:\Program Files (x86)\EverestSoftrade\TonerRecover\Uninstall.exe	1cb84d9bebb65cd72ed36cef22e59b8c.exe
File created	C:\Program Files (x86)\EverestSoftrade\TonerRecover\Uninstall.ini	1cb84d9bebb65cd72ed36cef22e59b8c.exe
File opened for modification	C:\Program Files (x86)\EverestSoftrade\TonerRecover\Toner-Recover.exe	1cb84d9bebb65cd72ed36cef22e59b8c.exe
File opened for modification	C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj.reg	1cb84d9bebb65cd72ed36cef22e59b8c.exe
File opened for modification	C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj2.reg	1cb84d9bebb65cd72ed36cef22e59b8c.exe
File opened for modification	C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat	1cb84d9bebb65cd72ed36cef22e59b8c.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34ABEE = 0300000001000000140000004eef7faf0062d34abee6137e774438ae9988739f04000000010000001000000024d7172657e6b799f66cf32ae88b5c280f0000000100000020000000547b3c62613c9c2b025d5461623ae703e9853ee45a8bf3b425bf63528e992912140000000100000014000000fe7e60dd9d8292295edf1cf80869a75b98896ed01900000001000000100000002aac2185e0e1b6503eb16a495b1815fc5c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000eb050000308205e7308203cfa003020102021333000001a636dabe8bbe573d9a0000000001a6300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3231303331313139323835325a170d3232303631313139323835325a3081a9310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3127302506092a864886f70d010901161862696e6769657465616d406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0b49f5b650f0fa690df343367a2cd62155e98e3c0fc14cb1f696618be8c327ef257f50d47bce3a4286e36edc0382e0ac81096dbce62463bb552970d01d02a7ca642d6faed9b5878c4e2e33e7c9f94ea4eb7f125662d5d2fe78138ce3e827bd98969028a908fab20632542a1ef952c10382b7efcaae1f5e7521d5fb617a93aa002b579a3203726111c73a9832712e3b5d4d140b247c91824de8123b45ea39fbcdb6e5c77d68cd3db64dd24844a1879865356f655cf1c5d94b208e244bd075a9823c87af7bcad6aab52e3444aad2947a7baad0d42c9d785964dbd8b4e09004359094d0646c3ca98e7c698b0fa7d6f1606b1459fd6df8d9aea8ae85911789bc5e10203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e04160414fe7e60dd9d8292295edf1cf80869a75b98896ed0301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382020100c1055e1c6ece899cbff031668bd0b72ee668484f9392c48efe112ba21c521af47582849539f2fd53f7f8adecc243743211150de90b106e6bdaaedb88a8fc71aff2bd4bfeae5628507aa3b47095bf680a0a56bc6cb9c70871fa0b05857bf1762af884469264870c4139f7f9e93bbedaf73a867994c51e7c8473506f1ca68a8f9059cfa5c068be7ecade98315eebd7e71431ebe7d033b4fc8056d94ab70b03e1368082fc83a82cd632b9f3a03f9c9d51881c39b432ee9856e87835bc0481e57489da3590d20b2b9b0900704de861f994d956a2c0347178c59e5048bb9bbfbe8cef237d5860d7f407dcbce486eee7d98a90509a8f1b81445453326b139f0d2fdc68b831681fa96f2284b8153e3dbe60cb2d0ac030d0e2ecfc85c9d361c25e01cabe57cd6ebdc40708b2bd449152e90d2d45d725db856ab64d29a9fdb9fdb85f6354cbd5be240f4b71fa745db8eb32c0e4ea4747bfa5a4f9a5346e42b3379636d05e52225cea1baa7792b8f51b803658026b11fd0ab5877a99f4e74ff994c61177ea425554a7135d8b020661d2d285eb8bf1aa00d3bf78e2f5dba62cd7befdb85fffe6c1b65643f56fe36cf412f366b03bc8c78c852c1ed43a218256636d67eb8241477d3258af4f96b9698b0326d6d01826734eb18f1b393cbf85c0f9fdab4fb854536110f2f678003f80f270cbb1fbeb5ba09523f959dfeba84319577874e4dec0	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8f4f1f20cc78d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000007d4c203e4ded8dbfc706693c26c65b45556427e3d1f548fa52fd0654ceb254d7652e041296e79b71093892cb968a2c68d20ea51ceff3d001c86e	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "332441720"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OpenSearch\OpenSearchDescriptionData = baffc49ee383374a8abf67e99635ea1e0100000053b06a1abe27334898108231552c52911f000000260000007700770077002e0067006f006f0067006c0065002e0063006f006d0000001f0000007e000000680074007400700073003a002f002f007700770077002e0067006f006f0067006c0065002e0063006f006d002f0073006500610072006300680064006f006d00610069006e0063006800650063006b003f0066006f0072006d00610074003d006f00700065006e0073006500610072006300680000001f0000002400000047006f006f0067006c00650020007a006f0065006b0065006e0000001f0000000a000000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000006aaba77d84c4f5120ca5075d277f8de04a7db971d8de2c6839a65c4f1f8cdfa0732610236f73825464388f032ee58fa9b9ea47e335b64a9d73c0743ba25e56c20e4e2e7f571be2bacae0c1304240d5f6667d4c4fc63c0c4bfb1a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

4124 regedit.exe
4168 regedit.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4208 MicrosoftEdgeCP.exe
4208 MicrosoftEdgeCP.exe

pid	process
4124	regedit.exe
4168	regedit.exe

pid	process
4208	MicrosoftEdgeCP.exe
4208	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeUpdater.exeUpdater.exe

description	pid	process
Token: SeDebugPrivilege	3184	MicrosoftEdge.exe
Token: SeDebugPrivilege	3184	MicrosoftEdge.exe
Token: SeDebugPrivilege	3184	MicrosoftEdge.exe
Token: SeDebugPrivilege	3184	MicrosoftEdge.exe
Token: SeDebugPrivilege	4284	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4284	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4284	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4284	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4776	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4776	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3044	Updater.exe
Token: SeDebugPrivilege	4924	Updater.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

3184 MicrosoftEdge.exe
4208 MicrosoftEdgeCP.exe
4208 MicrosoftEdgeCP.exe

pid	process
3184	MicrosoftEdge.exe
4208	MicrosoftEdgeCP.exe
4208	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

1cb84d9bebb65cd72ed36cef22e59b8c.execmd.exeMicrosoftEdgeCP.exeUpdater.exe

description	pid	process	target process
PID 2016 wrote to memory of 4012	2016	1cb84d9bebb65cd72ed36cef22e59b8c.exe	cmd.exe
PID 2016 wrote to memory of 4012	2016	1cb84d9bebb65cd72ed36cef22e59b8c.exe	cmd.exe
PID 2016 wrote to memory of 4012	2016	1cb84d9bebb65cd72ed36cef22e59b8c.exe	cmd.exe
PID 2016 wrote to memory of 3044	2016	1cb84d9bebb65cd72ed36cef22e59b8c.exe	Updater.exe
PID 2016 wrote to memory of 3044	2016	1cb84d9bebb65cd72ed36cef22e59b8c.exe	Updater.exe
PID 2016 wrote to memory of 3044	2016	1cb84d9bebb65cd72ed36cef22e59b8c.exe	Updater.exe
PID 4012 wrote to memory of 3592	4012	cmd.exe	explorer.exe
PID 4012 wrote to memory of 3592	4012	cmd.exe	explorer.exe
PID 4012 wrote to memory of 3592	4012	cmd.exe	explorer.exe
PID 4012 wrote to memory of 4124	4012	cmd.exe	regedit.exe
PID 4012 wrote to memory of 4124	4012	cmd.exe	regedit.exe
PID 4012 wrote to memory of 4124	4012	cmd.exe	regedit.exe
PID 4012 wrote to memory of 4168	4012	cmd.exe	regedit.exe
PID 4012 wrote to memory of 4168	4012	cmd.exe	regedit.exe
PID 4012 wrote to memory of 4168	4012	cmd.exe	regedit.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4208 wrote to memory of 4284	4208	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3044 wrote to memory of 4912	3044	Updater.exe	Updater.exe
PID 3044 wrote to memory of 4912	3044	Updater.exe	Updater.exe
PID 3044 wrote to memory of 4912	3044	Updater.exe	Updater.exe
PID 3044 wrote to memory of 4924	3044	Updater.exe	Updater.exe
PID 3044 wrote to memory of 4924	3044	Updater.exe	Updater.exe
PID 3044 wrote to memory of 4924	3044	Updater.exe	Updater.exe
PID 3044 wrote to memory of 4924	3044	Updater.exe	Updater.exe
PID 3044 wrote to memory of 4924	3044	Updater.exe	Updater.exe
PID 3044 wrote to memory of 4924	3044	Updater.exe	Updater.exe
PID 3044 wrote to memory of 4924	3044	Updater.exe	Updater.exe
PID 3044 wrote to memory of 4924	3044	Updater.exe	Updater.exe
PID 3044 wrote to memory of 4924	3044	Updater.exe	Updater.exe

C:\Users\Admin\AppData\Local\Temp\1cb84d9bebb65cd72ed36cef22e59b8c.exe
"C:\Users\Admin\AppData\Local\Temp\1cb84d9bebb65cd72ed36cef22e59b8c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\explorer.exe
explorer https://iplogger.org/2BD837
3⤵
PID:3592

C:\Windows\SysWOW64\regedit.exe
regedit /s adj.reg
3⤵
- Runs .reg file with regedit
PID:4124

C:\Windows\SysWOW64\regedit.exe
regedit /s adj2.reg
3⤵
- Runs .reg file with regedit
PID:4168

C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
"C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
"C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
3⤵
- Executes dropped EXE
PID:4912

C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
"C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1276

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3184

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2656

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5060

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
MD5
7429da7c02ddd73d0d070f9ef56b7a8d

SHA1
88242efec692579178de8de851cf885b39d91ee8

SHA256
a4ff4c9fd29f03ff5d2d455863948fb841656eff5595e765e44cf5b2f79d27b8

SHA512
4db4d712aaf48b2ff84ba4f4489db270ef6858d29de51544e3502f46f1cf864b8cbf06c50398c085c273e3e3b3c10af542490d54fef86e1836fefed0861822ed

Download Submit
C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
MD5
7429da7c02ddd73d0d070f9ef56b7a8d

SHA1
88242efec692579178de8de851cf885b39d91ee8

SHA256
a4ff4c9fd29f03ff5d2d455863948fb841656eff5595e765e44cf5b2f79d27b8

SHA512
4db4d712aaf48b2ff84ba4f4489db270ef6858d29de51544e3502f46f1cf864b8cbf06c50398c085c273e3e3b3c10af542490d54fef86e1836fefed0861822ed

Download Submit
C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
MD5
7429da7c02ddd73d0d070f9ef56b7a8d

SHA1
88242efec692579178de8de851cf885b39d91ee8

SHA256
a4ff4c9fd29f03ff5d2d455863948fb841656eff5595e765e44cf5b2f79d27b8

SHA512
4db4d712aaf48b2ff84ba4f4489db270ef6858d29de51544e3502f46f1cf864b8cbf06c50398c085c273e3e3b3c10af542490d54fef86e1836fefed0861822ed

Download Submit
C:\Program Files (x86)\EverestSoftrade\TonerRecover\Updater.exe
MD5
7429da7c02ddd73d0d070f9ef56b7a8d

SHA1
88242efec692579178de8de851cf885b39d91ee8

SHA256
a4ff4c9fd29f03ff5d2d455863948fb841656eff5595e765e44cf5b2f79d27b8

SHA512
4db4d712aaf48b2ff84ba4f4489db270ef6858d29de51544e3502f46f1cf864b8cbf06c50398c085c273e3e3b3c10af542490d54fef86e1836fefed0861822ed

Download Submit
C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj.reg
MD5
d47d2f19c6485d61826df03b0b6efd7d

SHA1
a3285ea2c8072a5c9b7b2ff0e255343baab2d81e

SHA256
f702cbfc518787caec26189a065e1dfd92c62597d8cd22c58e889151e45a635f

SHA512
17fa33c12395da633deb03181bf383e56cb3f40ef0f2fcc4802d0f46829dbce0e65528f4b6b5dfdd88d28aa40502df8a826894ff21a12e18558cd0cc4fe7bf94

Download Submit
C:\Program Files (x86)\EverestSoftrade\TonerRecover\adj2.reg
MD5
81b371bfb7d48f53e6dce6a3b05f76ba

SHA1
a073408555dfd110183313e2b1d41c3a8dfdd4ee

SHA256
0fd594d185676181e86c3fb81be116069acb86b6c5839a73b9d5fb197924fd94

SHA512
34bf59556bf238e0d15d6f934c8caf28c3313bbadad984370e1f912d2a1e4a1ce6b3e06f7bc5af01df28a2e321b43bfc100f61330c89ec4270dbb4120e5764cc

Download Submit
C:\Program Files (x86)\EverestSoftrade\TonerRecover\log.bat
MD5
a9cffbd384bdfe7f60627cefff2dc5cc

SHA1
2c3bd0931a087e0966002a9464609d74e59b0102

SHA256
82bc4bf80ed2b2ffddb0be5be9848feb0d891e14672e7be70e580a5ee3190b16

SHA512
d4c7737b7f422a4de76c1f99a595f1aae6bfbd7278e9fc7a2244406bc1d28b5f8719e11d6038b59f9e59025511d45be44330a73ae3fb0b8f714e7b31cd1d25d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Updater.exe.log
MD5
7438b57da35c10c478469635b79e33e1

SHA1
5ffcbdfbfd800f67d6d9d6ee46de2eb13fcbb9a5

SHA256
b253c066d4a6604aaa5204b09c1edde92c410b0af351f3760891f5e56c867f70

SHA512
5887796f8ceb1c5ae790caff0020084df49ea8d613b78656a47dc9a569c5c86a9b16ec2ebe0d6f34c5e3001026385bb1282434cc3ffc7bda99427c154c04b45a

Download Submit
memory/3044-118-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/3044-127-0x00000000028A0000-0x00000000028A7000-memory.dmp

Filesize
28KB

Download
memory/3044-128-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3044-129-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/3044-130-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/3044-115-0x0000000000000000-mapping.dmp

Download
memory/3592-121-0x0000000000000000-mapping.dmp

Download
memory/4012-114-0x0000000000000000-mapping.dmp

Download
memory/4124-122-0x0000000000000000-mapping.dmp

Download
memory/4168-124-0x0000000000000000-mapping.dmp

Download
memory/4924-132-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4924-133-0x000000000040CD2F-mapping.dmp

Download
memory/4924-136-0x0000000001230000-0x000000000124B000-memory.dmp

Filesize
108KB

Download
memory/4924-137-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/4924-138-0x0000000003180000-0x0000000003199000-memory.dmp

Filesize
100KB

Download
memory/4924-139-0x00000000066C0000-0x00000000066C1000-memory.dmp

Filesize
4KB

Download
memory/4924-140-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/4924-141-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/4924-142-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/4924-144-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/4924-143-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4924-145-0x00000000032B2000-0x00000000032B3000-memory.dmp

Filesize
4KB

Download
memory/4924-146-0x00000000032B3000-0x00000000032B4000-memory.dmp

Filesize
4KB

Download
memory/4924-147-0x00000000032B4000-0x00000000032B6000-memory.dmp

Filesize
8KB

Download
memory/4924-148-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download