redline | 3bfbe7f602fdffa1b70a657767d1fa7cfe4f6111da191b94d1abe8f5d8f1ea3b

Analysis

max time kernel
153s
max time network
157s
platform
windows7_x64
resource
win7-ja-20211014
submitted
21-10-2021 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software-update-patc_612604768.exe
Size

4.7MB
MD5

567ab95af9696f0d0cea101efbd344f9
SHA1

78544ed738d9929e68b735448276c93166b61c37
SHA256

3bfbe7f602fdffa1b70a657767d1fa7cfe4f6111da191b94d1abe8f5d8f1ea3b
SHA512

36d16b04d74d41ef11b8dcef4c5e705d6660a0bb34c72abbd59fad36f37bde069b80af270dbd208b0956f1b8bd4abcb87cdb05a32265a6d4aeae2266dc7709bf

Score

10^/10

redline vidar 223 lllolly666123 discovery evasion infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

vidar

Version

41.5

Botnet

223

https://mas.to/@xeroxxx

Attributes

profile_id
223

Extracted

Family

redline

Botnet

lllolly666123

87.251.71.82:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2248-196-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/2248-197-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/2248-198-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/2248-199-0x000000000041B23E-mapping.dmp	family_redline
behavioral1/memory/2248-200-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1136-158-0x0000000000400000-0x00000000009A4000-memory.dmp	family_vidar

Blocklisted process makes network request 64 IoCs

Processes:

MsiExec.exe

flow	pid	process
57	1208	MsiExec.exe
60	1208	MsiExec.exe
61	1208	MsiExec.exe
65	1208	MsiExec.exe
67	1208	MsiExec.exe
70	1208	MsiExec.exe
72	1208	MsiExec.exe
73	1208	MsiExec.exe
74	1208	MsiExec.exe
75	1208	MsiExec.exe
77	1208	MsiExec.exe
78	1208	MsiExec.exe
79	1208	MsiExec.exe
80	1208	MsiExec.exe
82	1208	MsiExec.exe
83	1208	MsiExec.exe
84	1208	MsiExec.exe
85	1208	MsiExec.exe
86	1208	MsiExec.exe
87	1208	MsiExec.exe
88	1208	MsiExec.exe
90	1208	MsiExec.exe
91	1208	MsiExec.exe
92	1208	MsiExec.exe
93	1208	MsiExec.exe
94	1208	MsiExec.exe
95	1208	MsiExec.exe
96	1208	MsiExec.exe
97	1208	MsiExec.exe
98	1208	MsiExec.exe
100	1208	MsiExec.exe
101	1208	MsiExec.exe
102	1208	MsiExec.exe
103	1208	MsiExec.exe
105	1208	MsiExec.exe
106	1208	MsiExec.exe
107	1208	MsiExec.exe
108	1208	MsiExec.exe
109	1208	MsiExec.exe
110	1208	MsiExec.exe
111	1208	MsiExec.exe
112	1208	MsiExec.exe
113	1208	MsiExec.exe
114	1208	MsiExec.exe
115	1208	MsiExec.exe
117	1208	MsiExec.exe
118	1208	MsiExec.exe
119	1208	MsiExec.exe
120	1208	MsiExec.exe
121	1208	MsiExec.exe
122	1208	MsiExec.exe
123	1208	MsiExec.exe
124	1208	MsiExec.exe
125	1208	MsiExec.exe
126	1208	MsiExec.exe
127	1208	MsiExec.exe
128	1208	MsiExec.exe
132	1208	MsiExec.exe
133	1208	MsiExec.exe
134	1208	MsiExec.exe
135	1208	MsiExec.exe
136	1208	MsiExec.exe
137	1208	MsiExec.exe
138	1208	MsiExec.exe

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

Software-update-patc_612604768.tmpQuibusdam.exeQcDIZx6q.exeFTxEfaSIb.exeZembra.exenmf1aPaRyDs4GOpB.exenmf1aPaRyDs4GOpB.exeZembraBro.exeZembraBro.exe

pid	process
1684	Software-update-patc_612604768.tmp
812	Quibusdam.exe
1948	QcDIZx6q.exe
1388	FTxEfaSIb.exe
1136	Zembra.exe
2788	nmf1aPaRyDs4GOpB.exe
2808	nmf1aPaRyDs4GOpB.exe
3052	ZembraBro.exe
2248	ZembraBro.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zembra.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Zembra.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Zembra.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Zembra.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Wine Zembra.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Wine	Zembra.exe

Loads dropped DLL 43 IoCs

Processes:

Software-update-patc_612604768.exeSoftware-update-patc_612604768.tmpQuibusdam.exeFTxEfaSIb.exeMsiExec.exeQcDIZx6q.exeMsiExec.exeMsiExec.exenmf1aPaRyDs4GOpB.exeZembra.exeZembraBro.exe

pid	process
360	Software-update-patc_612604768.exe
1684	Software-update-patc_612604768.tmp
1684	Software-update-patc_612604768.tmp
1684	Software-update-patc_612604768.tmp
1684	Software-update-patc_612604768.tmp
812	Quibusdam.exe
812	Quibusdam.exe
1388	FTxEfaSIb.exe
1388	FTxEfaSIb.exe
1388	FTxEfaSIb.exe
1692	MsiExec.exe
1948	QcDIZx6q.exe
1948	QcDIZx6q.exe
1692	MsiExec.exe
1208	MsiExec.exe
1208	MsiExec.exe
1208	MsiExec.exe
1208	MsiExec.exe
1208	MsiExec.exe
1208	MsiExec.exe
1208	MsiExec.exe
1208	MsiExec.exe
1208	MsiExec.exe
1388	FTxEfaSIb.exe
1208	MsiExec.exe
1208	MsiExec.exe
2316	MsiExec.exe
2316	MsiExec.exe
2316	MsiExec.exe
2316	MsiExec.exe
2316	MsiExec.exe
2316	MsiExec.exe
2316	MsiExec.exe
1208	MsiExec.exe
812	Quibusdam.exe
812	Quibusdam.exe
2788	nmf1aPaRyDs4GOpB.exe
1136	Zembra.exe
1136	Zembra.exe
1136	Zembra.exe
1136	Zembra.exe
1948	QcDIZx6q.exe
3052	ZembraBro.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Zembra.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Zembra.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Zembra.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

FTxEfaSIb.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	FTxEfaSIb.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	FTxEfaSIb.exe
File opened (read-only)	\??\P:	FTxEfaSIb.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	FTxEfaSIb.exe
File opened (read-only)	\??\U:	FTxEfaSIb.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	FTxEfaSIb.exe
File opened (read-only)	\??\Z:	FTxEfaSIb.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	FTxEfaSIb.exe
File opened (read-only)	\??\X:	FTxEfaSIb.exe
File opened (read-only)	\??\N:	FTxEfaSIb.exe
File opened (read-only)	\??\Q:	FTxEfaSIb.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	FTxEfaSIb.exe
File opened (read-only)	\??\I:	FTxEfaSIb.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	FTxEfaSIb.exe
File opened (read-only)	\??\R:	FTxEfaSIb.exe
File opened (read-only)	\??\F:	FTxEfaSIb.exe
File opened (read-only)	\??\L:	FTxEfaSIb.exe
File opened (read-only)	\??\O:	FTxEfaSIb.exe
File opened (read-only)	\??\V:	FTxEfaSIb.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	FTxEfaSIb.exe
File opened (read-only)	\??\B:	FTxEfaSIb.exe
File opened (read-only)	\??\Y:	FTxEfaSIb.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	FTxEfaSIb.exe
File opened (read-only)	\??\T:	FTxEfaSIb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Zembra.exe

pid process

1136 Zembra.exe

pid	process
1136	Zembra.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

nmf1aPaRyDs4GOpB.exeZembraBro.exe

description	pid	process	target process
PID 2788 set thread context of 2808	2788	nmf1aPaRyDs4GOpB.exe	nmf1aPaRyDs4GOpB.exe
PID 3052 set thread context of 2248	3052	ZembraBro.exe	ZembraBro.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe	autoit_exe

Drops file in Program Files directory 22 IoCs

Processes:

Software-update-patc_612604768.tmpmsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Dolore\minus\is-JCPJP.tmp	Software-update-patc_612604768.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files (x86)\Dolore\unins000.dat	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\is-6LLGR.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\in\is-BVS3D.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\quia\is-OLRNU.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\quos\is-31PSU.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files (x86)\Dolore\consectetur\is-M9HSG.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\in\is-NDL2S.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\minus\is-QSNJ9.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\is-EI043.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\consectetur\is-QEEFF.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\quia\is-HL6CJ.tmp	Software-update-patc_612604768.tmp
File opened for modification	C:\Program Files (x86)\Dolore\unins000.dat	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\Dolore\quia\Quibusdam.exe	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\is-B2JPM.tmp	Software-update-patc_612604768.tmp
File created	C:\Program Files (x86)\Dolore\in\is-LU7T3.tmp	Software-update-patc_612604768.tmp

Drops file in Windows directory 30 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI6909.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CA6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI62DB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6492.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6B3C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI780D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI788B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7AB1.tmp	msiexec.exe
File created	C:\Windows\Installer\f775afc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6378.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A23.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7388.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74E1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A33.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI682D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f775afe.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI66A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5F42.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI656D.tmp	msiexec.exe
File created	C:\Windows\Installer\f775afe.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7928.tmp	msiexec.exe
File created	C:\Windows\Installer\f775b00.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f775afc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7377.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79A6.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zembra.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Zembra.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Zembra.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3032 timeout.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2980 taskkill.exe
2120 taskkill.exe
2076 taskkill.exe

pid	process
3032	timeout.exe

pid	process
2980	taskkill.exe
2120	taskkill.exe
2076	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8CAD3581-327E-11EC-BF70-46166E0FD2EB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Modifies data under HKEY_USERS 4 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\6CF876C7	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

FTxEfaSIb.exeQcDIZx6q.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	FTxEfaSIb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	FTxEfaSIb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	QcDIZx6q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	QcDIZx6q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	FTxEfaSIb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	FTxEfaSIb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	FTxEfaSIb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	FTxEfaSIb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	FTxEfaSIb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	QcDIZx6q.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2384 PING.EXE

pid	process
2384	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Software-update-patc_612604768.tmpQuibusdam.exeMsiExec.exeZembra.exeMsiExec.exemsiexec.exe

pid	process
1684	Software-update-patc_612604768.tmp
1684	Software-update-patc_612604768.tmp
812	Quibusdam.exe
812	Quibusdam.exe
812	Quibusdam.exe
1692	MsiExec.exe
1136	Zembra.exe
1208	MsiExec.exe
1208	MsiExec.exe
1796	msiexec.exe
1796	msiexec.exe
1136	Zembra.exe
1136	Zembra.exe
1136	Zembra.exe
1136	Zembra.exe
812	Quibusdam.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeFTxEfaSIb.exe

description	pid	process
Token: SeRestorePrivilege	1796	msiexec.exe
Token: SeTakeOwnershipPrivilege	1796	msiexec.exe
Token: SeSecurityPrivilege	1796	msiexec.exe
Token: SeCreateTokenPrivilege	1388	FTxEfaSIb.exe
Token: SeAssignPrimaryTokenPrivilege	1388	FTxEfaSIb.exe
Token: SeLockMemoryPrivilege	1388	FTxEfaSIb.exe
Token: SeIncreaseQuotaPrivilege	1388	FTxEfaSIb.exe
Token: SeMachineAccountPrivilege	1388	FTxEfaSIb.exe
Token: SeTcbPrivilege	1388	FTxEfaSIb.exe
Token: SeSecurityPrivilege	1388	FTxEfaSIb.exe
Token: SeTakeOwnershipPrivilege	1388	FTxEfaSIb.exe
Token: SeLoadDriverPrivilege	1388	FTxEfaSIb.exe
Token: SeSystemProfilePrivilege	1388	FTxEfaSIb.exe
Token: SeSystemtimePrivilege	1388	FTxEfaSIb.exe
Token: SeProfSingleProcessPrivilege	1388	FTxEfaSIb.exe
Token: SeIncBasePriorityPrivilege	1388	FTxEfaSIb.exe
Token: SeCreatePagefilePrivilege	1388	FTxEfaSIb.exe
Token: SeCreatePermanentPrivilege	1388	FTxEfaSIb.exe
Token: SeBackupPrivilege	1388	FTxEfaSIb.exe
Token: SeRestorePrivilege	1388	FTxEfaSIb.exe
Token: SeShutdownPrivilege	1388	FTxEfaSIb.exe
Token: SeDebugPrivilege	1388	FTxEfaSIb.exe
Token: SeAuditPrivilege	1388	FTxEfaSIb.exe
Token: SeSystemEnvironmentPrivilege	1388	FTxEfaSIb.exe
Token: SeChangeNotifyPrivilege	1388	FTxEfaSIb.exe
Token: SeRemoteShutdownPrivilege	1388	FTxEfaSIb.exe
Token: SeUndockPrivilege	1388	FTxEfaSIb.exe
Token: SeSyncAgentPrivilege	1388	FTxEfaSIb.exe
Token: SeEnableDelegationPrivilege	1388	FTxEfaSIb.exe
Token: SeManageVolumePrivilege	1388	FTxEfaSIb.exe
Token: SeImpersonatePrivilege	1388	FTxEfaSIb.exe
Token: SeCreateGlobalPrivilege	1388	FTxEfaSIb.exe
Token: SeCreateTokenPrivilege	1388	FTxEfaSIb.exe
Token: SeAssignPrimaryTokenPrivilege	1388	FTxEfaSIb.exe
Token: SeLockMemoryPrivilege	1388	FTxEfaSIb.exe
Token: SeIncreaseQuotaPrivilege	1388	FTxEfaSIb.exe
Token: SeMachineAccountPrivilege	1388	FTxEfaSIb.exe
Token: SeTcbPrivilege	1388	FTxEfaSIb.exe
Token: SeSecurityPrivilege	1388	FTxEfaSIb.exe
Token: SeTakeOwnershipPrivilege	1388	FTxEfaSIb.exe
Token: SeLoadDriverPrivilege	1388	FTxEfaSIb.exe
Token: SeSystemProfilePrivilege	1388	FTxEfaSIb.exe
Token: SeSystemtimePrivilege	1388	FTxEfaSIb.exe
Token: SeProfSingleProcessPrivilege	1388	FTxEfaSIb.exe
Token: SeIncBasePriorityPrivilege	1388	FTxEfaSIb.exe
Token: SeCreatePagefilePrivilege	1388	FTxEfaSIb.exe
Token: SeCreatePermanentPrivilege	1388	FTxEfaSIb.exe
Token: SeBackupPrivilege	1388	FTxEfaSIb.exe
Token: SeRestorePrivilege	1388	FTxEfaSIb.exe
Token: SeShutdownPrivilege	1388	FTxEfaSIb.exe
Token: SeDebugPrivilege	1388	FTxEfaSIb.exe
Token: SeAuditPrivilege	1388	FTxEfaSIb.exe
Token: SeSystemEnvironmentPrivilege	1388	FTxEfaSIb.exe
Token: SeChangeNotifyPrivilege	1388	FTxEfaSIb.exe
Token: SeRemoteShutdownPrivilege	1388	FTxEfaSIb.exe
Token: SeUndockPrivilege	1388	FTxEfaSIb.exe
Token: SeSyncAgentPrivilege	1388	FTxEfaSIb.exe
Token: SeEnableDelegationPrivilege	1388	FTxEfaSIb.exe
Token: SeManageVolumePrivilege	1388	FTxEfaSIb.exe
Token: SeImpersonatePrivilege	1388	FTxEfaSIb.exe
Token: SeCreateGlobalPrivilege	1388	FTxEfaSIb.exe
Token: SeCreateTokenPrivilege	1388	FTxEfaSIb.exe
Token: SeAssignPrimaryTokenPrivilege	1388	FTxEfaSIb.exe
Token: SeLockMemoryPrivilege	1388	FTxEfaSIb.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Software-update-patc_612604768.tmpFTxEfaSIb.exeiexplore.exe

pid process

1684 Software-update-patc_612604768.tmp
1388 FTxEfaSIb.exe
2332 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2332 iexplore.exe
2332 iexplore.exe
2520 IEXPLORE.EXE
2520 IEXPLORE.EXE

pid	process
2332	iexplore.exe
2332	iexplore.exe
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Software-update-patc_612604768.exeSoftware-update-patc_612604768.tmpQuibusdam.exemsiexec.exeQcDIZx6q.exeFTxEfaSIb.exeMsiExec.exenmf1aPaRyDs4GOpB.exe

description	pid	process	target process
PID 360 wrote to memory of 1684	360	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 360 wrote to memory of 1684	360	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 360 wrote to memory of 1684	360	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 360 wrote to memory of 1684	360	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 360 wrote to memory of 1684	360	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 360 wrote to memory of 1684	360	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 360 wrote to memory of 1684	360	Software-update-patc_612604768.exe	Software-update-patc_612604768.tmp
PID 1684 wrote to memory of 812	1684	Software-update-patc_612604768.tmp	Quibusdam.exe
PID 1684 wrote to memory of 812	1684	Software-update-patc_612604768.tmp	Quibusdam.exe
PID 1684 wrote to memory of 812	1684	Software-update-patc_612604768.tmp	Quibusdam.exe
PID 1684 wrote to memory of 812	1684	Software-update-patc_612604768.tmp	Quibusdam.exe
PID 812 wrote to memory of 1948	812	Quibusdam.exe	QcDIZx6q.exe
PID 812 wrote to memory of 1948	812	Quibusdam.exe	QcDIZx6q.exe
PID 812 wrote to memory of 1948	812	Quibusdam.exe	QcDIZx6q.exe
PID 812 wrote to memory of 1948	812	Quibusdam.exe	QcDIZx6q.exe
PID 812 wrote to memory of 1388	812	Quibusdam.exe	FTxEfaSIb.exe
PID 812 wrote to memory of 1388	812	Quibusdam.exe	FTxEfaSIb.exe
PID 812 wrote to memory of 1388	812	Quibusdam.exe	FTxEfaSIb.exe
PID 812 wrote to memory of 1388	812	Quibusdam.exe	FTxEfaSIb.exe
PID 812 wrote to memory of 1388	812	Quibusdam.exe	FTxEfaSIb.exe
PID 812 wrote to memory of 1388	812	Quibusdam.exe	FTxEfaSIb.exe
PID 812 wrote to memory of 1388	812	Quibusdam.exe	FTxEfaSIb.exe
PID 1796 wrote to memory of 1692	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 1692	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 1692	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 1692	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 1692	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 1692	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 1692	1796	msiexec.exe	MsiExec.exe
PID 1948 wrote to memory of 1136	1948	QcDIZx6q.exe	Zembra.exe
PID 1948 wrote to memory of 1136	1948	QcDIZx6q.exe	Zembra.exe
PID 1948 wrote to memory of 1136	1948	QcDIZx6q.exe	Zembra.exe
PID 1948 wrote to memory of 1136	1948	QcDIZx6q.exe	Zembra.exe
PID 1388 wrote to memory of 1676	1388	FTxEfaSIb.exe	msiexec.exe
PID 1388 wrote to memory of 1676	1388	FTxEfaSIb.exe	msiexec.exe
PID 1388 wrote to memory of 1676	1388	FTxEfaSIb.exe	msiexec.exe
PID 1388 wrote to memory of 1676	1388	FTxEfaSIb.exe	msiexec.exe
PID 1388 wrote to memory of 1676	1388	FTxEfaSIb.exe	msiexec.exe
PID 1388 wrote to memory of 1676	1388	FTxEfaSIb.exe	msiexec.exe
PID 1388 wrote to memory of 1676	1388	FTxEfaSIb.exe	msiexec.exe
PID 1796 wrote to memory of 1208	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 1208	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 1208	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 1208	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 1208	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 1208	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 1208	1796	msiexec.exe	MsiExec.exe
PID 1208 wrote to memory of 2076	1208	MsiExec.exe	taskkill.exe
PID 1208 wrote to memory of 2076	1208	MsiExec.exe	taskkill.exe
PID 1208 wrote to memory of 2076	1208	MsiExec.exe	taskkill.exe
PID 1208 wrote to memory of 2076	1208	MsiExec.exe	taskkill.exe
PID 1796 wrote to memory of 2316	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 2316	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 2316	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 2316	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 2316	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 2316	1796	msiexec.exe	MsiExec.exe
PID 1796 wrote to memory of 2316	1796	msiexec.exe	MsiExec.exe
PID 812 wrote to memory of 2788	812	Quibusdam.exe	nmf1aPaRyDs4GOpB.exe
PID 812 wrote to memory of 2788	812	Quibusdam.exe	nmf1aPaRyDs4GOpB.exe
PID 812 wrote to memory of 2788	812	Quibusdam.exe	nmf1aPaRyDs4GOpB.exe
PID 812 wrote to memory of 2788	812	Quibusdam.exe	nmf1aPaRyDs4GOpB.exe
PID 2788 wrote to memory of 2808	2788	nmf1aPaRyDs4GOpB.exe	nmf1aPaRyDs4GOpB.exe
PID 2788 wrote to memory of 2808	2788	nmf1aPaRyDs4GOpB.exe	nmf1aPaRyDs4GOpB.exe

C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe
"C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:360

C:\Users\Admin\AppData\Local\Temp\is-F2GT3.tmp\Software-update-patc_612604768.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F2GT3.tmp\Software-update-patc_612604768.tmp" /SL5="$70152,4477466,466944,C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1684

C:\Program Files (x86)\Dolore\quia\Quibusdam.exe
"C:\Program Files (x86)\Dolore/\quia\Quibusdam.exe" 2fe3d428284ff9b385bc1c941892777b
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe
C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\Zembra.exe
C:\Users\Admin\AppData\Local\Temp\Zembra.exe
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Zembra.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Zembra.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:2952

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Zembra.exe /f
7⤵
- Kills process with taskkill
PID:2980

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:3032

C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:3052

C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe
"C:\Users\Admin\AppData\Local\Temp\ZembraBro.exe"
6⤵
- Executes dropped EXE
PID:2248

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.binance.com/en/register?ref=WDA8929C
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe & exit
5⤵
PID:2352

C:\Windows\SysWOW64\PING.EXE
ping 0
6⤵
- Runs ping.exe
PID:2384

C:\Users\Admin\AppData\Local\Temp\NloCjN7K\FTxEfaSIb.exe
C:\Users\Admin\AppData\Local\Temp\NloCjN7K\FTxEfaSIb.exe /qn CAMPAIGN="642"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=642 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\NloCjN7K\FTxEfaSIb.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\NloCjN7K\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634568427 /qn CAMPAIGN=""642"" " CAMPAIGN="642"
5⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\EqJmAo4h\nmf1aPaRyDs4GOpB.exe
C:\Users\Admin\AppData\Local\Temp\EqJmAo4h\nmf1aPaRyDs4GOpB.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Local\Temp\EqJmAo4h\nmf1aPaRyDs4GOpB.exe
C:\Users\Admin\AppData\Local\Temp\EqJmAo4h\nmf1aPaRyDs4GOpB.exe /usthree SUB=2fe3d428284ff9b385bc1c941892777b
5⤵
- Executes dropped EXE
PID:2808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "nmf1aPaRyDs4GOpB.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\EqJmAo4h\nmf1aPaRyDs4GOpB.exe" & exit
6⤵
PID:3068

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "nmf1aPaRyDs4GOpB.exe" /f
7⤵
- Kills process with taskkill
PID:2120

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DBD9F13227815E00292EE9DFCFA5C103 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DC2A3459F5BBAD23C0CEDE76273C5FC6
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:2076

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 315E56FEB27186B6C67CFC74BA68D0E1 M Global\MSI0000
2⤵
- Loads dropped DLL
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Dolore\quia\Quibusdam.exe
MD5
9b872933c0915fc132fe0a8246ea9298

SHA1
603f68a5bd95bbfe1faa9bac3760e8a2b5ea4b08

SHA256
da035b6389687dc5389b77c75b0ed3a99ce2e6cb1a0d7a96c29380a77f84d900

SHA512
27db5e85d4d3ae77428a58ce83f66d6f71c4131c473c2e8243423e223b4883621709bb517af5b675255eecbcd237aafc2ce7da712f64c45d91d472767b6dcade

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
5bbd4ca409d0e3d9e1356f6aa0e72821

SHA1
09fb93b1b1bdbcd87acdc4c21d5e3ca8f9a0e0a0

SHA256
6cd79e569127f8895878251f5d848131dc1c7d22437236ade6dca522ba93af59

SHA512
9fbb7a6d6ce18b76895efde9ab586321375678299ab0c275c6d085fdc81c780daf586d09af5af692585ad48be2d917fb0412d9c6e68c5a1fbe886979ef5c0836

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
bd4ceda56f9ffd6244ad66f6f33c4b10

SHA1
54d0b14bac6f1e9fb4507b4a363d4263aeba0c5d

SHA256
1cd958aa3dc68a314ae995cb12b5d503647380c55cbfe46eb86578e5e550f650

SHA512
7154bc08984df4508ea0498b012b435d774506c4dfed4bb28f968b13889496589d3b54d229a48ad7225687a83e31f34d027399d52490fabb0afa420622a3d5da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
2ae8533ac6bf615c97548f30008b1fd3

SHA1
c53e618829b2c0ec35842b6e87a44dec94e923e2

SHA256
079cab1ed8c11e2236fc2ef294d0ff046fa33b1a37fa1ea9d13703805c4318d2

SHA512
8bdc4892b8365e8dd9939164e1c3358037e54da1f7645a18676a8ff6d3606b09adf76a23241dd361616acae65503d8af98449d39299ecfc34640b924efca01f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
171b5f4f4c104ea26c52198c5d3a38d1

SHA1
11bc8472943b23266cc42de988133bb02b5230ae

SHA256
8e9d25c57b940fd6ed781d59441f7c00eb6dde1c6cbcbbe0d8e71f9d8b7e536f

SHA512
65c6f78b82ed4e7d4626f3dd0a20c44b4e80cbaf81672d97eb639b7f69e5a34c6da5ac18959217a197e3f14e3d8f78a12fd7d9d95dd400ccbfcc15387a089bbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
c447d9a2470fcb264601a68e7249b332

SHA1
779acbc363e7ceddd8e979c777fa1913edb3c076

SHA256
62860b57ded6ed7f2f37cf923aa17cd90f630a1f9f2a4a64c603b128549c1f77

SHA512
03be1e66eb20940c27abff772c3c39ea9d194a88b342df46ea065e701241c72b341d3ed7eb93c7804620b0e4ee9438fb033c17e5f1425e98346e030c1c54b4a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
24d5d543f55a837739cd40a5795c2716

SHA1
62c92672540b97647dbb6d975d1b39506f046d83

SHA256
508650eeefc2198f33e331fd5f0978bf13fd0efe23abb9b24158452573e18eba

SHA512
75d341dd13194d99b9b69471a6b92ff05fcc061bc7cd4e5f781e47aaa26595e2a656f0e5a8b9766c4f337dda7b2d7e3fd909262c68c2cf1f132ec81800c7ebc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
db8106de6892e8dfe428f9db13b4f3b0

SHA1
6aca3dbc01865fa58efb38d2cf4e57c4f0517cb4

SHA256
43b77c133d225d1fd7022d9eb42c00ea35c3aa7a21f44c8bee3ea5395aeaf5aa

SHA512
24a180b361e108d1a4b4f7012a7a71fbbcf50b24cb67837127956c4da5fdc67e944b6dfc7377983bcfadf14d4599518e6a59cf8724bc217e07a80f72b4f10403

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6073fee5118372253d99d22b\1.0.0\tracking.ini
MD5
9f4ea2a5a82053389dac5e89c07e12da

SHA1
e58c31c47699050eece2df9042276af02fa3f791

SHA256
e31994cea2b94ccd4f94f3449428c5ad2d8c4a3848addfe2479da004b67639c2

SHA512
657d95936c825e6b8be0cd075d27746f9a3e320662b883a56a6a5deb59925c16b8e3486c9528e5020cfc601f284b22d6c7ee73d32b692e478ba98e687d2591a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe
MD5
9d06a0509951399f7ccc94a8952f041d

SHA1
933f524ca176564706f8062bfbc631e321a4bbe4

SHA256
8e1501f1418f652681acdecf629ac0c27a1fb87ddb939a5fa5dba53a7635b7f6

SHA512
64d919b896c9e79012a778709bf5563f1cb0a6ecfbbaa11030b8cc68ac46404e5c2cd4cbeec5c6170f49fcd5acb60d5d323700b4376a5c0357e4a826c79d2787

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe
MD5
9d06a0509951399f7ccc94a8952f041d

SHA1
933f524ca176564706f8062bfbc631e321a4bbe4

SHA256
8e1501f1418f652681acdecf629ac0c27a1fb87ddb939a5fa5dba53a7635b7f6

SHA512
64d919b896c9e79012a778709bf5563f1cb0a6ecfbbaa11030b8cc68ac46404e5c2cd4cbeec5c6170f49fcd5acb60d5d323700b4376a5c0357e4a826c79d2787

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI49BA.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5050.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NloCjN7K\FTxEfaSIb.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\NloCjN7K\FTxEfaSIb.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zembra.exe
MD5
0dcce39047700778b4e36188b6eea28e

SHA1
1b323820dfd9da3d1da039c79a8514e69fb31698

SHA256
f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845

SHA512
e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F2GT3.tmp\Software-update-patc_612604768.tmp
MD5
4caf2ca22417bb2cd44c0d0daf5fdd8b

SHA1
bdb2b86d9c033785c9b1db5618986030b2852ffd

SHA256
a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

SHA512
ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F2GT3.tmp\Software-update-patc_612604768.tmp
MD5
4caf2ca22417bb2cd44c0d0daf5fdd8b

SHA1
bdb2b86d9c033785c9b1db5618986030b2852ffd

SHA256
a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

SHA512
ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi
MD5
98e537669f4ce0062f230a14bcfcaf35

SHA1
a19344f6a5e59c71f51e86119f5fa52030a92810

SHA256
6f515aac05311f411968ee6e48d287a1eb452e404ffeff75ee0530dcf3243735

SHA512
1ebc254289610be65882a6ceb1beebbf2be83006117f0a6ccbddd19ab7dc807978232a13ad5fa39b6f06f694d4f7c75760b773d70b87c0badef1da89bb7af3ac

Download Submit
C:\Windows\Installer\MSI5F42.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI62DB.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI6378.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI6492.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI656D.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI66A6.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
C:\Windows\Installer\MSI682D.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI6909.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Windows\Installer\MSI6A23.tmp
MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
C:\Windows\Installer\MSI6B3C.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
C:\Windows\Installer\MSI7388.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI74E1.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI780D.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI788B.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
C:\Windows\Installer\MSI7928.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Program Files (x86)\Dolore\quia\Quibusdam.exe
MD5
9b872933c0915fc132fe0a8246ea9298

SHA1
603f68a5bd95bbfe1faa9bac3760e8a2b5ea4b08

SHA256
da035b6389687dc5389b77c75b0ed3a99ce2e6cb1a0d7a96c29380a77f84d900

SHA512
27db5e85d4d3ae77428a58ce83f66d6f71c4131c473c2e8243423e223b4883621709bb517af5b675255eecbcd237aafc2ce7da712f64c45d91d472767b6dcade

Download Submit
\Users\Admin\AppData\Local\Temp\C4cPtPB3\QcDIZx6q.exe
MD5
9d06a0509951399f7ccc94a8952f041d

SHA1
933f524ca176564706f8062bfbc631e321a4bbe4

SHA256
8e1501f1418f652681acdecf629ac0c27a1fb87ddb939a5fa5dba53a7635b7f6

SHA512
64d919b896c9e79012a778709bf5563f1cb0a6ecfbbaa11030b8cc68ac46404e5c2cd4cbeec5c6170f49fcd5acb60d5d323700b4376a5c0357e4a826c79d2787

Download Submit
\Users\Admin\AppData\Local\Temp\INA490E.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Users\Admin\AppData\Local\Temp\MSI49BA.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Users\Admin\AppData\Local\Temp\MSI5050.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
\Users\Admin\AppData\Local\Temp\NloCjN7K\FTxEfaSIb.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
\Users\Admin\AppData\Local\Temp\Zembra.exe
MD5
0dcce39047700778b4e36188b6eea28e

SHA1
1b323820dfd9da3d1da039c79a8514e69fb31698

SHA256
f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845

SHA512
e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c

Download Submit
\Users\Admin\AppData\Local\Temp\Zembra.exe
MD5
0dcce39047700778b4e36188b6eea28e

SHA1
1b323820dfd9da3d1da039c79a8514e69fb31698

SHA256
f477238d3021193a2ba26c4be732dfe949976f7d02a55662dcc21a46f6d87845

SHA512
e971094ee925baf465f0e29a481c11fb176aed9e6605e8b25f0003f033ac1d124490e94a7e343ab1fd1a0601aec446d47592c22608297a2d5e7df8a1a13b788c

Download Submit
\Users\Admin\AppData\Local\Temp\is-66Q7B.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-66Q7B.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-66Q7B.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-F2GT3.tmp\Software-update-patc_612604768.tmp
MD5
4caf2ca22417bb2cd44c0d0daf5fdd8b

SHA1
bdb2b86d9c033785c9b1db5618986030b2852ffd

SHA256
a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

SHA512
ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Windows\Installer\MSI5F42.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI62DB.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI6378.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI6492.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI656D.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI66A6.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
\Windows\Installer\MSI682D.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI6909.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI6A23.tmp
MD5
5f1b243813a203c66ba735139d8ce0c7

SHA1
c60a57668d348a61e4e2f12115afb9f9024162ba

SHA256
52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

SHA512
083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

Download Submit
\Windows\Installer\MSI6B3C.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI7388.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI74E1.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI780D.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI788B.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
\Windows\Installer\MSI7928.tmp
MD5
9824aa0d785bef52b2f5ca21b7eacf8e

SHA1
54ae25b7ea5e6bd3e0a77f10650c6f441a0b1764

SHA256
e59b2b4d1466e834f1c797319b920ea13b3cdb04a7777dac9a31c6551ff5715a

SHA512
67d421cc29d53fca937e5afa492610ea3e6370dc46edcdc8568255ea53de8d04498cec43ee3e2a6c91fde92c4b2b6552fd3ae02cb3d6c88f28f1f3f4ede6e07a

Download Submit
memory/360-55-0x0000000076AA1000-0x0000000076AA3000-memory.dmp

Filesize
8KB

Download
memory/360-58-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/812-72-0x0000000000400000-0x0000000001860000-memory.dmp

Filesize
20.4MB

Download
memory/812-77-0x0000000004220000-0x0000000004222000-memory.dmp

Filesize
8KB

Download
memory/812-70-0x0000000000000000-mapping.dmp

Download
memory/812-74-0x0000000000400000-0x0000000001860000-memory.dmp

Filesize
20.4MB

Download
memory/812-75-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1136-145-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/1136-179-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/1136-182-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/1136-180-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/1136-181-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/1136-178-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/1136-147-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/1136-146-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/1136-149-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/1136-148-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/1136-150-0x00000000045B0000-0x00000000045B1000-memory.dmp

Filesize
4KB

Download
memory/1136-151-0x00000000044C0000-0x00000000044C2000-memory.dmp

Filesize
8KB

Download
memory/1136-152-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/1136-153-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/1136-154-0x00000000045C0000-0x00000000045C1000-memory.dmp

Filesize
4KB

Download
memory/1136-156-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/1136-155-0x0000000004560000-0x0000000004562000-memory.dmp

Filesize
8KB

Download
memory/1136-157-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/1136-158-0x0000000000400000-0x00000000009A4000-memory.dmp

Filesize
5.6MB

Download
memory/1136-177-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/1136-176-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/1136-169-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/1136-167-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/1136-168-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/1136-103-0x0000000000000000-mapping.dmp

Download
memory/1208-115-0x0000000000000000-mapping.dmp

Download
memory/1388-84-0x0000000000000000-mapping.dmp

Download
memory/1388-89-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1676-107-0x0000000000000000-mapping.dmp

Download
memory/1684-60-0x0000000000000000-mapping.dmp

Download
memory/1684-63-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1684-67-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1692-96-0x0000000000000000-mapping.dmp

Download
memory/1796-94-0x000007FEFC3F1000-0x000007FEFC3F3000-memory.dmp

Filesize
8KB

Download
memory/1948-79-0x0000000000000000-mapping.dmp

Download
memory/2076-120-0x0000000000000000-mapping.dmp

Download
memory/2120-188-0x0000000000000000-mapping.dmp

Download
memory/2248-194-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2248-200-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2248-196-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2248-195-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2248-206-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/2248-197-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2248-198-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2248-199-0x000000000041B23E-mapping.dmp

Download
memory/2316-143-0x0000000000000000-mapping.dmp

Download
memory/2332-202-0x0000000000000000-mapping.dmp

Download
memory/2352-203-0x0000000000000000-mapping.dmp

Download
memory/2384-204-0x0000000000000000-mapping.dmp

Download
memory/2520-205-0x0000000000000000-mapping.dmp

Download
memory/2788-170-0x0000000000000000-mapping.dmp

Download
memory/2808-171-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2808-175-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2808-173-0x0000000000414F3A-mapping.dmp

Download
memory/2808-172-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2952-183-0x0000000000000000-mapping.dmp

Download
memory/2980-184-0x0000000000000000-mapping.dmp

Download
memory/3032-185-0x0000000000000000-mapping.dmp

Download
memory/3052-193-0x00000000009F0000-0x0000000000A2E000-memory.dmp

Filesize
248KB

Download
memory/3052-192-0x0000000000350000-0x0000000000357000-memory.dmp

Filesize
28KB

Download
memory/3052-191-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/3052-189-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3052-186-0x0000000000000000-mapping.dmp

Download
memory/3068-187-0x0000000000000000-mapping.dmp

Download