8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe
Size

12.1MB
MD5

a16d9ab556f1b45893c132c36ca4c655
SHA1

d15355bcc87d81cfe4ffba318f605131e57f82e6
SHA256

8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d
SHA512

1dcece48c6d66cde4c0543187afb832b204ade3fb95dcc82175dc9ebf355ffda89cbf7e60f760fa3abc3fee8837eb890f9a20386174ad8741c95af1512ca7143

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

Processes:

EXEtender.exeSetup.exeIKernel.exeIKernel.exeiKernel.exeGPlayer.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.exe

pid	process
996	EXEtender.exe
1740	Setup.exe
1756	IKernel.exe
592	IKernel.exe
1528	iKernel.exe
1936	GPlayer.exe
2036	cmhelper.exe
1900	cmhelper.exe
1328	cmhelper.exe
332	cmhelper.exe
1888	cmhelper.exe
568	cmhelper.exe
960	cmhelper.exe
776	cmhelper.exe
1932	cmhelper.exe
2020	cmhelper.exe
1368	cmhelper.exe
1916	cmhelper.exe
1472	cmhelper.exe
568	cmhelper.exe
1964	cmhelper.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

2012 explorer.exe

pid	process
2012	explorer.exe

Loads dropped DLL 64 IoCs

Processes:

8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exeEXEtender.exeSetup.exeIKernel.exeIKernel.exeiKernel.exeregsvr32.exeregsvr32.exeGPlayer.exe

pid	process
1932	8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe
996	EXEtender.exe
1740	Setup.exe
1740	Setup.exe
1740	Setup.exe
1740	Setup.exe
1756	IKernel.exe
1756	IKernel.exe
1756	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
1528	iKernel.exe
1528	iKernel.exe
1528	iKernel.exe
592	IKernel.exe
1740	Setup.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
912	regsvr32.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
1236	regsvr32.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
592	IKernel.exe
1932	8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe
1932	8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IKernel.exeGPlayer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	IKernel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exetender = "\"C:\\Program Files (x86)\\Free Ride Games\\GPlayer.exe\" /runonstartup"	IKernel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DependencyCheck = "Performed"	GPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exetender = "\"C:\\Program Files (x86)\\Free Ride Games\\GPlayer.exe\" /schedule 300000"	GPlayer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

IKernel.exe

description ioc process

File opened for modification C:\Program Files (x86)\Free Ride Games\Skins\000005\desktop.ini IKernel.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\desktop.ini	IKernel.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

IKernel.exeGPlayer.exe

description	ioc	process
File opened (read-only)	\??\B:	IKernel.exe
File opened (read-only)	\??\J:	IKernel.exe
File opened (read-only)	\??\N:	IKernel.exe
File opened (read-only)	\??\U:	IKernel.exe
File opened (read-only)	\??\Y:	IKernel.exe
File opened (read-only)	\??\Z:	IKernel.exe
File opened (read-only)	\??\E:	IKernel.exe
File opened (read-only)	\??\H:	IKernel.exe
File opened (read-only)	\??\K:	IKernel.exe
File opened (read-only)	\??\L:	IKernel.exe
File opened (read-only)	\??\P:	IKernel.exe
File opened (read-only)	\??\A:	IKernel.exe
File opened (read-only)	\??\F:	IKernel.exe
File opened (read-only)	\??\G:	IKernel.exe
File opened (read-only)	\??\I:	IKernel.exe
File opened (read-only)	\??\O:	IKernel.exe
File opened (read-only)	\??\S:	IKernel.exe
File opened (read-only)	\??\T:	IKernel.exe
File opened (read-only)	\??\V:	IKernel.exe
File opened (read-only)	\??\W:	IKernel.exe
File opened (read-only)	\??\A:	GPlayer.exe
File opened (read-only)	\??\B:	GPlayer.exe
File opened (read-only)	\??\M:	IKernel.exe
File opened (read-only)	\??\Q:	IKernel.exe
File opened (read-only)	\??\R:	IKernel.exe
File opened (read-only)	\??\X:	IKernel.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

IKernel.exeGPlayer.exe

description ioc process

File opened for modification \??\PhysicalDrive0 IKernel.exe
File opened for modification \??\PhysicalDrive0 GPlayer.exe
Drops file in System32 directory 1 IoCs

Processes:

IKernel.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\vtdi.386 IKernel.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	IKernel.exe
File opened for modification	\??\PhysicalDrive0	GPlayer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\vtdi.386	IKernel.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe

description	pid	process	target process
PID 1932 set thread context of 2012	1932	8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

GPlayer.exeIKernel.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Free Ride Games\info\co_Admin.dat	GPlayer.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\layo824b.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\pl\pl_end_game_ad_splash.js	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\icon\FRGL8d62.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\icon\Onli8dfe.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\Popups\1\background.jpg	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\Popups\1\yesbuttonover.bmp	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\adGameHigh.css	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\26.png	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\stop.png	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\js\carousel.js	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\icon\FRGL8d91.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\IGL\13000090\cef\natives_blob.bin	GPlayer.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Exent\classes\cls_errorTools.js	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\106.png	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\928853.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\icon\FRGL8db0.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\btn\hideinfo_0.gif	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\sear89d9.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\js\clie8a75.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\prvd7c13.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\blueimp-gallery.min.css	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\Langs\0409\EXEt8e2d.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\sear89f8.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\js\YUI\autocomplete-min.js	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\Popups\1\pinb8f45.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\IGL\13000090\cef\resources\locales\en-US.pak	GPlayer.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\prvd_EndGameAdPage.html	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\mikado_font\2DCC81ce.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\dialogBox\cloc83f0.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\gameInfo\join84da.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\icon\FRGL8dcf.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\IGL\IG.	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\mask\login_splash_high.rgn	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\gameInfo\game84bb.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\gameInfo\puzz8557.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\js\YUI\yahoo-dom-event.js	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\pl\pl_games.js	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\IGL\13000090\cef\d3dcompiler_47.dll	GPlayer.exe
File created	C:\Program Files (x86)\Free Ride Games\AppL72e0.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\cmhe730f.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\GameInst.dll	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Exent\classes\cls_759e.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\dialogBox\bgTo83d1.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\IGL\13000090\resources\img\yes_btn.png	GPlayer.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\player_my_account_icon.png	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\tabs8a27.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\js\bootstrap.min.js	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\js\skin_events\Post8c1a.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\pl\pl_d8cb6.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Exent\classes\cls_href_request.js	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\logi8151.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\mikado_font\2DCCC2_1_0.eot	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\icon\Exit.ico	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\IGL\2000118\IG.	IKernel.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{2B7BDADB-EC8C-4C54-B5DD-CE45A016D3A7}\data6e5d.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\logo.png	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\Popups\1\yesbuttonnorm.bmp	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\Popups\1\updatebuttonnorm.bmp	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\postroll\effect_gmt_btn-sprites.png	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\mikado_font\2DCCC2_1_0.woff	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\mask\login.rgn	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\logo.png	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\arr_8872.rra	IKernel.exe

Drops file in Windows directory 9 IoCs

Processes:

IKernel.exe

description	ioc	process
File opened for modification	C:\Windows\ExentInfo.exe	IKernel.exe
File opened for modification	C:\Windows\Glutil.exe	IKernel.exe
File opened for modification	C:\Windows\GPlrLanc.dat	IKernel.exe
File created	C:\Windows\FRGNa7f4.rra	IKernel.exe
File opened for modification	C:\Windows\X3.vxd	IKernel.exe
File created	C:\Windows\Exen7495.rra	IKernel.exe
File opened for modification	C:\Windows\Downloaded Program Files\ExentCtl.ocx	IKernel.exe
File created	C:\Windows\Downloaded Program Files\Exen905e.rra	IKernel.exe
File opened for modification	C:\Windows\FRGN.ico	IKernel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IKernel.exeGPlayer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	IKernel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	IKernel.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	GPlayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GPlayer.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

regedit.exeregedit.exeIKernel.exeregedit.exeGPlayer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\GtrHost.exe = "9999"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\gplayer.exe = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GTR.exe = "9999"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}\Policy = "3"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}\AppPath = "C:\\Program Files (x86)\\Free Ride Games"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\GTR.exe = "9999"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GtrHost.exe = "9999"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}\AppPath	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}\AppName = "GPlayer.exe"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Gplayer.exe = "10001"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\Gplayer.exe = "10001"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\GTR.exe = "9999"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GTR.exe = "9999"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	GPlayer.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

IKernel.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	IKernel.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\Exetender = "\"C:\\Program Files (x86)\\Free Ride Games\\GPlayer.exe\" /runonstartup"	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-19	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-20	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	IKernel.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exetender = "\"C:\\Program Files (x86)\\Free Ride Games\\GPlayer.exe\" /runonstartup"	IKernel.exe

Modifies registry class 64 IoCs

Processes:

IKernel.exeIKernel.exeregsvr32.exeiKernel.exeregedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\ = "ISetupDriver"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6A06043B-60F9-11D5-A6CD-0002B31F7455}\1.0\0\win32\ = "C:\\Windows\\Downloaded Program Files\\ExentCtl.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6A060447-60F9-11D5-A6CD-0002B31F7455}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices\CLSID	iKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\VersionIndependentProgID\ = "Setup.ScriptDriverWrapper"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\ProgID	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44d07caa-4fc4-5a84-9951-a485ad808d0e}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\FLAGS\ = "0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ = "ISetupCABFiles"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44d07caa-4fc4-5a84-9951-a485ad808d0e}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\ = "ISetupFileService"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EXEtender\Shell\Open	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	iKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Kernel.1\ = "InstallShield setup kernel"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\ = "ISetupObject"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\ = "ISetupSDMessage"	IKernel.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{103DFC4E-147A-5606-9B4E-1C216DF227A1}\1.0	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FEFD8F9E-7F71-5307-A9E8-D2E60A4AAECA}\TypeLib\ = "{103DFC4E-147A-5606-9B4E-1C216DF227A1}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EXEtender\DefaultIcon	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\Application/x-rgmx\Extension = ".rgmx"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	iKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6A060448-60F9-11D5-A6CD-0002B31F7455}\MiscStatus\ = "0"	regsvr32.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

GPlayer.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	GPlayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	GPlayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	GPlayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	GPlayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	GPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	GPlayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	GPlayer.exe

Runs .reg file with regedit 3 IoCs

Processes:

regedit.exeregedit.exeregedit.exe

pid process

976 regedit.exe
1840 regedit.exe
1832 regedit.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

GPlayer.exe

pid process

1936 GPlayer.exe
1936 GPlayer.exe
1936 GPlayer.exe
1936 GPlayer.exe
1936 GPlayer.exe
1936 GPlayer.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

464
464
464
464
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

IKernel.exe

description pid process

Token: SeRestorePrivilege 592 IKernel.exe
Token: SeBackupPrivilege 592 IKernel.exe

pid	process
976	regedit.exe
1840	regedit.exe
1832	regedit.exe

pid	process
464
464
464
464

description	pid	process
Token: SeRestorePrivilege	592	IKernel.exe
Token: SeBackupPrivilege	592	IKernel.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

GPlayer.exe

pid	process
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

GPlayer.exe

pid	process
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe
1936	GPlayer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

GPlayer.exe

pid process

1936 GPlayer.exe
1936 GPlayer.exe
1936 GPlayer.exe
1936 GPlayer.exe
1936 GPlayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exeEXEtender.exeSetup.exeIKernel.exe

description	pid	process	target process
PID 1932 wrote to memory of 996	1932	8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe	EXEtender.exe
PID 1932 wrote to memory of 996	1932	8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe	EXEtender.exe
PID 1932 wrote to memory of 996	1932	8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe	EXEtender.exe
PID 1932 wrote to memory of 996	1932	8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe	EXEtender.exe
PID 1932 wrote to memory of 996	1932	8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe	EXEtender.exe
PID 1932 wrote to memory of 996	1932	8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe	EXEtender.exe
PID 1932 wrote to memory of 996	1932	8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe	EXEtender.exe
PID 996 wrote to memory of 1740	996	EXEtender.exe	Setup.exe
PID 996 wrote to memory of 1740	996	EXEtender.exe	Setup.exe
PID 996 wrote to memory of 1740	996	EXEtender.exe	Setup.exe
PID 996 wrote to memory of 1740	996	EXEtender.exe	Setup.exe
PID 996 wrote to memory of 1740	996	EXEtender.exe	Setup.exe
PID 996 wrote to memory of 1740	996	EXEtender.exe	Setup.exe
PID 996 wrote to memory of 1740	996	EXEtender.exe	Setup.exe
PID 1740 wrote to memory of 1756	1740	Setup.exe	IKernel.exe
PID 1740 wrote to memory of 1756	1740	Setup.exe	IKernel.exe
PID 1740 wrote to memory of 1756	1740	Setup.exe	IKernel.exe
PID 1740 wrote to memory of 1756	1740	Setup.exe	IKernel.exe
PID 1740 wrote to memory of 1756	1740	Setup.exe	IKernel.exe
PID 1740 wrote to memory of 1756	1740	Setup.exe	IKernel.exe
PID 1740 wrote to memory of 1756	1740	Setup.exe	IKernel.exe
PID 592 wrote to memory of 1528	592	IKernel.exe	iKernel.exe
PID 592 wrote to memory of 1528	592	IKernel.exe	iKernel.exe
PID 592 wrote to memory of 1528	592	IKernel.exe	iKernel.exe
PID 592 wrote to memory of 1528	592	IKernel.exe	iKernel.exe
PID 592 wrote to memory of 1528	592	IKernel.exe	iKernel.exe
PID 592 wrote to memory of 1528	592	IKernel.exe	iKernel.exe
PID 592 wrote to memory of 1528	592	IKernel.exe	iKernel.exe
PID 592 wrote to memory of 912	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 912	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 912	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 912	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 912	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 912	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 912	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 1832	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1832	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1832	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1832	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1832	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1832	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1832	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1236	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 1236	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 1236	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 1236	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 1236	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 1236	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 1236	592	IKernel.exe	regsvr32.exe
PID 592 wrote to memory of 976	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 976	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 976	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 976	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 976	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 976	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 976	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1840	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1840	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1840	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1840	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1840	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1840	592	IKernel.exe	regedit.exe
PID 592 wrote to memory of 1840	592	IKernel.exe	regedit.exe
PID 1932 wrote to memory of 1936	1932	8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe	GPlayer.exe

C:\Users\Admin\AppData\Local\Temp\8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe
"C:\Users\Admin\AppData\Local\Temp\8dcd4d9b5427a160020e80fdc40affbc43c94a681a263e777faf0a036455c14d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe
"C:\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Local\Temp\pft29B2.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\pft29B2.tmp\Setup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
"C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1756

C:\Program Files (x86)\Free Ride Games\GPlayer.exe
"C:\Program Files (x86)\Free Ride Games\GPlayer.exe" "-shortcut http://www.freeridegames.com/opTools/getRGMX.jsp?PrvId=143&AppId=662250&RunIndex=1&AcID=&OpenShInIE=0&PrvDir=Default"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
UPR
3⤵
- Executes dropped EXE
PID:2036

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
UPR
3⤵
- Executes dropped EXE
PID:332

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
UPW
3⤵
- Executes dropped EXE
PID:960

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
UPW
3⤵
- Executes dropped EXE
PID:2020

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
UPW
3⤵
- Executes dropped EXE
PID:1472

C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\explorer.exe
2⤵
- Deletes itself
PID:2012

C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1528

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\Downloaded Program Files\ExentCtl.ocx"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:912

C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Program Files (x86)\Free Ride Games\NPGameTreatPlugin.reg"
2⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Runs .reg file with regedit
PID:1832

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll"
2⤵
- Loads dropped DLL
PID:1236

C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Program Files (x86)\Free Ride Games\EXEtenderDefaults.reg"
2⤵
- Modifies Internet Explorer settings
- Runs .reg file with regedit
PID:976

C:\Windows\SysWOW64\regedit.exe
regedit.exe /s "C:\Program Files (x86)\Free Ride Games\EXEtenderDefaultsProvider.reg"
2⤵
- Modifies Internet Explorer settings
- Runs .reg file with regedit
PID:1840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x488
1⤵
PID:1784

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PR
1⤵
- Executes dropped EXE
PID:1900

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
R
2⤵
- Executes dropped EXE
PID:1328

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PR
1⤵
- Executes dropped EXE
PID:1888

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
R
2⤵
- Executes dropped EXE
PID:568

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PW
1⤵
- Executes dropped EXE
PID:776

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
W
2⤵
- Executes dropped EXE
PID:1932

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PW
1⤵
- Executes dropped EXE
PID:1368

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
W
2⤵
- Executes dropped EXE
PID:1916

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PW
1⤵
- Executes dropped EXE
PID:568

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
W
2⤵
- Executes dropped EXE
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll
Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll
Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
C:\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll
Filesize
1.2MB

MD5
417c6b730b00435a461b1025539ad2cd

SHA1
9d6509b8ee41264bb89f411b72e903875fbd97d8

SHA256
dcd9e3cdb8bb1c1fb7504deb07b82ed49dc09865f18fd0973b46989d66a19d35

SHA512
03a684f51526527bb4ff178004b72eb4ff4e05451a12b58161cb1c166f3b55cebd849aeb225485fa7b3fc0e052d9fcce7d552ee27ece330a65a93e3bd1549acf

Download Submit
C:\Program Files (x86)\Free Ride Games\ClientCfg.xml
Filesize
262B

MD5
33092f70ea80bc968eee80de9ad4c453

SHA1
91489ce57d4f22ce5b401080b0dd091f5e36be82

SHA256
de5727fdd8d46c40dcb9c200234cf941a355b67314c00fa7d64495e57f3cb0f0

SHA512
45090e61202ed292dadb33daf422fe3d8e3f0515322b225baa7652319519e0ed1d221170cdee10aca755fbecba7cc64d8eea8389586bbfb056a43133d40c6647

Download Submit
C:\Program Files (x86)\Free Ride Games\NPGameTreatPlugin.reg
Filesize
10KB

MD5
a967a8514d0ad555b80e10b86d2c4ea9

SHA1
0f05f75587cd5a15a7b3a2bb980daf956e9ab99e

SHA256
142633c50dbeea509b3c1ff7c32223b227a40036c77361e0d0474316a9e63849

SHA512
cd9834292e008a4c15724c2c5eafb1a2cad6c50f9d889d269d8cf723f6556ac509db9be51fcb799a1e43570cef4a8fd4e681b08d9d77e1ae90118e423cba976a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe
Filesize
12.3MB

MD5
2604c1d5fc21e1782c999d0c84c7cf07

SHA1
8a8e330b26ed27c06e31cd501213c71c4586b0dc

SHA256
182db0c9db91176d611bdd8f5d8592d66a98d3527d843f1c66bca0b6930b1726

SHA512
7fa930e47eefa386f9ee63800444bb9d5866088c7ecf8ed1b7c3a1b269d998c4ba1ebccc8fd23735dd794cdbd14f03ebd5ae9dd2fdfd12c6f02a37455b7302b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe
Filesize
12.3MB

MD5
2604c1d5fc21e1782c999d0c84c7cf07

SHA1
8a8e330b26ed27c06e31cd501213c71c4586b0dc

SHA256
182db0c9db91176d611bdd8f5d8592d66a98d3527d843f1c66bca0b6930b1726

SHA512
7fa930e47eefa386f9ee63800444bb9d5866088c7ecf8ed1b7c3a1b269d998c4ba1ebccc8fd23735dd794cdbd14f03ebd5ae9dd2fdfd12c6f02a37455b7302b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft29B2.tmp\ExentCtl.ocx
Filesize
497KB

MD5
5fc1bb4249d11957616ab7d1591c93cc

SHA1
ab2735c7ec583068a0b322c57483cfb350d93cbe

SHA256
77fe282422f1b8acc1d5fbfdde79d4f8616fb95f59cda965d435a0346c2b6d30

SHA512
1e086e6734c51e6a18a98ec49ef3464bf6f92e861061a29a1def534176417c96fe894a4d684718889ebfe9ab2085ab9fe7b2b1a3d69b0bd5dc6d52d6393bb44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft29B2.tmp\FRGN.ico
Filesize
17KB

MD5
ab7afac47007d11443ac2c19f9dbac01

SHA1
63a5c5bf2f95edc047f40e64500f05cdbe26cafe

SHA256
c3ea631d603ea726a57ccf50f18fc6336074c6d439d68eb7c44e1e95718378e6

SHA512
e49cd893c015220857439f273eebd3ddd0fcc5e8dbb38268b4dbb44d1a063150143014ac22c144ea5bf96a0fadbef17dd1bc6ee6564a0ce89befe1704aef07c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft29B2.tmp\IKernel.ex_
Filesize
343KB

MD5
3214f45b155a8d5a26ee2f4dd93eaf73

SHA1
44a2e6e23a7c8167a7c36597d3e4714ef09f0f7e

SHA256
716cf59211259e00acb40481da02728264bc8948206b2153e96ddeae6e230dee

SHA512
064bf3728179657be4872d5b4d15cf7b4a605afc636fd55a4313bd96804a1b7e0b9f730a7a5df40841125e5ec465e1c195b673f1ee0700eebb864a90cce29b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft29B2.tmp\Setup.exe
Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft29B2.tmp\Setup.exe
Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft29B2.tmp\data1.cab
Filesize
498KB

MD5
1f5cb19bd50f9caa8b4a1f846a98dde8

SHA1
e454bcebab9865fca0d3e5dbddc81aaee828f8e7

SHA256
aff20289c501a3899e403c11138aca0e002c7becf0734d8bd135860fa7a8fbe6

SHA512
9e1a35f75043638da64598952d59faab979f0c86ab3675bc421ef6aa8140fc83713a095296189ffecd3b05e68693032daeba27d7ad48f8df7b4c8014a5999cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft29B2.tmp\data2.cab
Filesize
10.5MB

MD5
f66cf7b9886dde614857bb56e450966b

SHA1
42adecdd87f2ebe6a17044c8fad7115e9dab7bcd

SHA256
ffe81219f555ee4352c5c96ecceb4ee4b85d0f650c8e5243c102cf54ccc0e7c5

SHA512
3fd228bcd801ae9b21f5adaa21032589b3ddc571666dbe684e107a342b05cd15c12e2798ace38da43842a168088d45845233b4bca297cbb11f2610a52aea8188

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft29B2.tmp\exs.dll
Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft29B2.tmp\layout.bin
Filesize
417B

MD5
ae7db797f4f7855091079f0841fce3ea

SHA1
2832dd3bdf894641688e05a9ee09d1fe9e2ead62

SHA256
64b0eb64395fbc22b8d54895318a81d5d2abe6e4045cb04641d75155cb869a47

SHA512
5a29ad7145928623a1fe4c932a6dbb0459c2c4a5046fa09effe04d38fd09b270cc1075aaf5d65d6405d673910d5ce1aac19daf2ce09f18bbb5813ecdf997b2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft29B2.tmp\setup.ini
Filesize
2KB

MD5
84320a31550309b8cc2ddf3c3c00f975

SHA1
3affa5e03b8dae2de23e1807ef1f583fdf781701

SHA256
4f08bacb598278136b61c4f01221b3061489a5c886f9634f26348254571ca8cc

SHA512
0547af5ae9858345161ee6468ab2f7b3011ab5f1bca7c6e577c7e37d1b41788fbdea159032728291fdfb123ef9c0b870678a517ce77e8ab6884bfbf89be86c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft29B2.tmp\setup.inx
Filesize
389KB

MD5
b4d6c93644f48e1e7a466c5c62caae5a

SHA1
787973d54704815e79054f58df7e0f10a2fd3726

SHA256
4e53d8ec2a0398980c6d4a959a139acbb74beac415ee5d61c0ee1e5d0fc9d739

SHA512
81c28ff24d019ccc371a79999b1855de396ade2a5abeffb3939b2e7a6a12d0604c19d315972072c9eeb2f532cc5646bf52a1e5572ba21558242812b4607b2495

Download Submit
C:\Windows\Downloaded Program Files\ExentCtl.ocx
Filesize
398KB

MD5
9c63a99b4216a82a6754ff170a3cdb02

SHA1
8105e1faed19b7fedc02fd3fa7e72755ecaf6209

SHA256
47cba3d1af9af3b72db733336567bd80a422b04e89c5327390d5a143c394ea8f

SHA512
499da0abf3369bbfec4b584ef6935ef4df50c09d5fdb834db704a587dd1e817b2efe4907cc89f74119021adcc70529330a2f0bae02bb90733fdee58726c0add8

Download Submit
\??\c:\users\admin\appdata\local\temp\pft29b2.tmp\data1.hdr
Filesize
67KB

MD5
24aa2f11f07a6741e5cba0c77fbe41f7

SHA1
814b78b7d9e2ac36bc903af06c2e00e74b04c137

SHA256
276f1904a5a29eded951caabb832b5a1494a4fe1f957a24320f2f5234a665048

SHA512
a2e65f0f1364fe61cb4cda85718d843b21efe5455b5443946710c7a9ceb41fa491667af788cbb7852a3ed70fab5d98dd91499964e50a20ee1a8dfc4411b621fe

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll
Filesize
1.2MB

MD5
417c6b730b00435a461b1025539ad2cd

SHA1
9d6509b8ee41264bb89f411b72e903875fbd97d8

SHA256
dcd9e3cdb8bb1c1fb7504deb07b82ed49dc09865f18fd0973b46989d66a19d35

SHA512
03a684f51526527bb4ff178004b72eb4ff4e05451a12b58161cb1c166f3b55cebd849aeb225485fa7b3fc0e052d9fcce7d552ee27ece330a65a93e3bd1549acf

Download Submit
\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll
Filesize
1.2MB

MD5
417c6b730b00435a461b1025539ad2cd

SHA1
9d6509b8ee41264bb89f411b72e903875fbd97d8

SHA256
dcd9e3cdb8bb1c1fb7504deb07b82ed49dc09865f18fd0973b46989d66a19d35

SHA512
03a684f51526527bb4ff178004b72eb4ff4e05451a12b58161cb1c166f3b55cebd849aeb225485fa7b3fc0e052d9fcce7d552ee27ece330a65a93e3bd1549acf

Download Submit
\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll
Filesize
1.2MB

MD5
417c6b730b00435a461b1025539ad2cd

SHA1
9d6509b8ee41264bb89f411b72e903875fbd97d8

SHA256
dcd9e3cdb8bb1c1fb7504deb07b82ed49dc09865f18fd0973b46989d66a19d35

SHA512
03a684f51526527bb4ff178004b72eb4ff4e05451a12b58161cb1c166f3b55cebd849aeb225485fa7b3fc0e052d9fcce7d552ee27ece330a65a93e3bd1549acf

Download Submit
\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll
Filesize
1.2MB

MD5
417c6b730b00435a461b1025539ad2cd

SHA1
9d6509b8ee41264bb89f411b72e903875fbd97d8

SHA256
dcd9e3cdb8bb1c1fb7504deb07b82ed49dc09865f18fd0973b46989d66a19d35

SHA512
03a684f51526527bb4ff178004b72eb4ff4e05451a12b58161cb1c166f3b55cebd849aeb225485fa7b3fc0e052d9fcce7d552ee27ece330a65a93e3bd1549acf

Download Submit
\Program Files (x86)\Free Ride Games\exs.dll
Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
\Program Files (x86)\Free Ride Games\exs.dll
Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
\Program Files (x86)\Free Ride Games\exs.dll
Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
\Program Files (x86)\Free Ride Games\exs.dll
Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
\Program Files (x86)\Free Ride Games\exs.dll
Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe
Filesize
12.3MB

MD5
2604c1d5fc21e1782c999d0c84c7cf07

SHA1
8a8e330b26ed27c06e31cd501213c71c4586b0dc

SHA256
182db0c9db91176d611bdd8f5d8592d66a98d3527d843f1c66bca0b6930b1726

SHA512
7fa930e47eefa386f9ee63800444bb9d5866088c7ecf8ed1b7c3a1b269d998c4ba1ebccc8fd23735dd794cdbd14f03ebd5ae9dd2fdfd12c6f02a37455b7302b4

Download Submit
\Users\Admin\AppData\Local\Temp\pft29B2.tmp\Setup.exe
Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
\Users\Admin\AppData\Local\Temp\pft29B2.tmp\Setup.exe
Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
\Users\Admin\AppData\Local\Temp\pft29B2.tmp\Setup.exe
Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
\Users\Admin\AppData\Local\Temp\pft29B2.tmp\Setup.exe
Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
\Users\Admin\AppData\Local\Temp\pft29B2.tmp\exs.dll
Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
\Users\Admin\AppData\Local\Temp\pft29B2.tmp\exs.dll
Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
\Users\Admin\AppData\Local\Temp\pft29B2.tmp\exs.dll
Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
\Users\Admin\AppData\Local\Temp\{2b7bdadb-ec8c-4c54-b5dd-ce45a016d3a7}\_IsRes.dll
Filesize
252KB

MD5
48ea604d4fa7d9af5b121c04db6a2fec

SHA1
dc3c04977106bc1fbf1776a6b27899d7b81fb937

SHA256
cbe8127704f36adcc6adbab60df55d1ff8fb7e600f1337fb9c4a59644ba7aa2b

SHA512
9206a1235ce6bd8ceda0ff80fc01842e9cbbeb16267b4a875a0f1e6ea202fd4cbd1a52f8a51bed35a2b38252eb2b2cd2426dc7d24b1ea715203cc0935d612707

Download Submit
\Users\Admin\AppData\Local\Temp\{2b7bdadb-ec8c-4c54-b5dd-ce45a016d3a7}\isrt.dll
Filesize
324KB

MD5
61c056d2df7ab769d6fd801869b828a9

SHA1
4213d0395692fa4181483ffb04eef4bda22cceee

SHA256
148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66

SHA512
a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172

Download Submit
\Windows\Downloaded Program Files\ExentCtl.ocx
Filesize
398KB

MD5
9c63a99b4216a82a6754ff170a3cdb02

SHA1
8105e1faed19b7fedc02fd3fa7e72755ecaf6209

SHA256
47cba3d1af9af3b72db733336567bd80a422b04e89c5327390d5a143c394ea8f

SHA512
499da0abf3369bbfec4b584ef6935ef4df50c09d5fdb834db704a587dd1e817b2efe4907cc89f74119021adcc70529330a2f0bae02bb90733fdee58726c0add8

Download Submit
memory/332-183-0x0000000000000000-mapping.dmp

Download
memory/568-186-0x0000000000000000-mapping.dmp

Download
memory/592-167-0x0000000004790000-0x0000000004835000-memory.dmp

Filesize
660KB

Download
memory/592-164-0x0000000004791000-0x0000000004811000-memory.dmp

Filesize
512KB

Download
memory/592-132-0x0000000004690000-0x0000000004735000-memory.dmp

Filesize
660KB

Download
memory/592-166-0x0000000004791000-0x0000000004811000-memory.dmp

Filesize
512KB

Download
memory/592-165-0x0000000004790000-0x0000000004835000-memory.dmp

Filesize
660KB

Download
memory/592-146-0x0000000004690000-0x00000000047C5000-memory.dmp

Filesize
1.2MB

Download
memory/592-105-0x0000000000AC0000-0x0000000000AF8000-memory.dmp

Filesize
224KB

Download
memory/592-111-0x0000000000BC0000-0x0000000000BEC000-memory.dmp

Filesize
176KB

Download
memory/592-145-0x0000000004691000-0x000000000476C000-memory.dmp

Filesize
876KB

Download
memory/912-124-0x0000000000000000-mapping.dmp

Download
memory/960-188-0x0000000000000000-mapping.dmp

Download
memory/976-160-0x0000000000000000-mapping.dmp

Download
memory/996-56-0x0000000000000000-mapping.dmp

Download
memory/1236-139-0x0000000000000000-mapping.dmp

Download
memory/1328-177-0x0000000000000000-mapping.dmp

Download
memory/1472-198-0x0000000000000000-mapping.dmp

Download
memory/1528-93-0x0000000000000000-mapping.dmp

Download
memory/1740-61-0x0000000000000000-mapping.dmp

Download
memory/1756-71-0x0000000000000000-mapping.dmp

Download
memory/1832-128-0x0000000000000000-mapping.dmp

Download
memory/1840-162-0x0000000000000000-mapping.dmp

Download
memory/1916-196-0x0000000000000000-mapping.dmp

Download
memory/1932-54-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download
memory/1932-191-0x0000000000000000-mapping.dmp

Download
memory/1936-179-0x000000000A900000-0x000000000A964000-memory.dmp

Filesize
400KB

Download
memory/1936-181-0x000000000AB60000-0x000000000AD73000-memory.dmp

Filesize
2.1MB

Download
memory/1936-172-0x00000000002D0000-0x000000000031A000-memory.dmp

Filesize
296KB

Download
memory/1936-168-0x0000000000000000-mapping.dmp

Download
memory/1964-201-0x0000000000000000-mapping.dmp

Download
memory/2012-173-0x0000000074231000-0x0000000074233000-memory.dmp

Filesize
8KB

Download
memory/2012-170-0x0000000000100EFA-mapping.dmp

Download
memory/2020-193-0x0000000000000000-mapping.dmp

Download
memory/2036-174-0x0000000000000000-mapping.dmp

Download