049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906

Analysis

max time kernel
146s
max time network
156s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe
Size

12.1MB
MD5

0d7f3f3e6bee00211f27a83c89450e4c
SHA1

e06b293da697a265f96943db01a3793f1b28c4ba
SHA256

049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906
SHA512

d7721a5fa0e3680562f07ffb290a6586c356c531efb12262a534880bd408dd59d9ccb072cf7d1acfa6cde6716e85fb47b224353bd6ba6834db3f1873ff5fc60d

Score

8^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

Processes:

EXEtender.exeSetup.exeIKernel.exeIKernel.exeiKernel.exeGPlayer.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.execmhelper.exe

pid	process
1096	EXEtender.exe
1520	Setup.exe
1472	IKernel.exe
1772	IKernel.exe
1044	iKernel.exe
1004	GPlayer.exe
636	cmhelper.exe
1100	cmhelper.exe
1160	cmhelper.exe
1964	cmhelper.exe
1628	cmhelper.exe
1724	cmhelper.exe
592	cmhelper.exe
1464	cmhelper.exe
1288	cmhelper.exe
1572	cmhelper.exe
1712	cmhelper.exe
1472	cmhelper.exe
1100	cmhelper.exe
1692	cmhelper.exe
1932	cmhelper.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

1168 explorer.exe

pid	process
1168	explorer.exe

Loads dropped DLL 64 IoCs

Processes:

049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exeEXEtender.exeSetup.exeIKernel.exeIKernel.exeiKernel.exeregsvr32.exeregsvr32.exeGPlayer.exe

pid	process
2040	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe
1096	EXEtender.exe
1520	Setup.exe
1520	Setup.exe
1520	Setup.exe
1520	Setup.exe
1472	IKernel.exe
1472	IKernel.exe
1472	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1044	iKernel.exe
1044	iKernel.exe
1044	iKernel.exe
1772	IKernel.exe
1520	Setup.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
560	regsvr32.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1488	regsvr32.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
1772	IKernel.exe
2040	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe
2040	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IKernel.exeGPlayer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	IKernel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exetender = "\"C:\\Program Files (x86)\\Free Ride Games\\GPlayer.exe\" /runonstartup"	IKernel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DependencyCheck = "Performed"	GPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exetender = "\"C:\\Program Files (x86)\\Free Ride Games\\GPlayer.exe\" /schedule 300000"	GPlayer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

IKernel.exe

description ioc process

File opened for modification C:\Program Files (x86)\Free Ride Games\Skins\000005\desktop.ini IKernel.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\desktop.ini	IKernel.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

IKernel.exeGPlayer.exe

description	ioc	process
File opened (read-only)	\??\Y:	IKernel.exe
File opened (read-only)	\??\A:	GPlayer.exe
File opened (read-only)	\??\E:	IKernel.exe
File opened (read-only)	\??\G:	IKernel.exe
File opened (read-only)	\??\I:	IKernel.exe
File opened (read-only)	\??\M:	IKernel.exe
File opened (read-only)	\??\T:	IKernel.exe
File opened (read-only)	\??\U:	IKernel.exe
File opened (read-only)	\??\A:	IKernel.exe
File opened (read-only)	\??\J:	IKernel.exe
File opened (read-only)	\??\N:	IKernel.exe
File opened (read-only)	\??\O:	IKernel.exe
File opened (read-only)	\??\R:	IKernel.exe
File opened (read-only)	\??\B:	GPlayer.exe
File opened (read-only)	\??\F:	IKernel.exe
File opened (read-only)	\??\H:	IKernel.exe
File opened (read-only)	\??\K:	IKernel.exe
File opened (read-only)	\??\P:	IKernel.exe
File opened (read-only)	\??\Q:	IKernel.exe
File opened (read-only)	\??\S:	IKernel.exe
File opened (read-only)	\??\B:	IKernel.exe
File opened (read-only)	\??\L:	IKernel.exe
File opened (read-only)	\??\V:	IKernel.exe
File opened (read-only)	\??\W:	IKernel.exe
File opened (read-only)	\??\X:	IKernel.exe
File opened (read-only)	\??\Z:	IKernel.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

IKernel.exeGPlayer.exe

description ioc process

File opened for modification \??\PhysicalDrive0 IKernel.exe
File opened for modification \??\PhysicalDrive0 GPlayer.exe
Drops file in System32 directory 1 IoCs

Processes:

IKernel.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\vtdi.386 IKernel.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	IKernel.exe
File opened for modification	\??\PhysicalDrive0	GPlayer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\vtdi.386	IKernel.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe

description	pid	process	target process
PID 2040 set thread context of 1168	2040	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

IKernel.exeGPlayer.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Exent\classes\cls_errorTools.js	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\og_i6604.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\postroll\genr6c0d.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\IGL\13000090\cef\d3dcompiler_47.dll	GPlayer.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\devider.png	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\js\carousel.js	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\icon\Onli7781.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\IGL\13000090\resources\img\back_to_game.png	GPlayer.exe
File created	C:\Program Files (x86)\Free Ride Games\IGL\13000090\resources\img\pause_game_background.jpg	GPlayer.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\postroll\errStatusPage_header.jpg	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\masks\banner_off_2_buttons.gif	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Report.exe	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Exent\classes\gmt\cls_6411.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\prvd646f.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\prvd_ErrorPage.html	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\auto6559.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\masks\banner_off_1_buttons.gif	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\arr_right_hover.png	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\SubscriptionClubGamesTab.png	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\Popups\1\clos784c.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\info\co_Admin.dat	GPlayer.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\686de1.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\my_account_icon.png	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\Popups\1\CheckBoxChecked.bmp	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\Popups\1\updatebuttonover.bmp	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\IGL\6000004\IS.	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\js\skin_events\PreR7540.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\js\skin_events\specialAdsEvent.js	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\Popups\1\nobuttonoff.bmp	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\exs.exe	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\Settings.xml	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\dl_i65d5.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\layo671d.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\dott6e8c.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\dat\GPlr623d.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\css\mikado_font\2DCCC2_0_0.woff	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\arr_right.png	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\js\skin_events\SkinComMgrListener.js	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Exent\classes\cls_provider_cache.js	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\dialogBox\logoDialogBox.png	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\icon\Exit7714.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\mask\login_splash_high.rgn	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\IGL\13000090\cef\swiftshader\libGLESv2.dll	GPlayer.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\GameInfoDefault\Game623d.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\btn\close_1.gif	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\Popups\1\yesb7955.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\gameInfo\crow66ee.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\btn\clos67d8.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\icon\Service.ico	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\X4HS5f60.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Exent\classes\cls_62ba.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\pl\pl_intro.js	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\icon\FRGL7734.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\pl\pl_general.js	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\IGL\2000118\*.xml	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\repo6069.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Exent\classes\cls_persistency.js	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Exent\gplayer\gplayer_api_defines.js	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\genr6eda.rra	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\logo6f86.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\Popups\1\yesbuttondown.bmp	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\prvd_LoadGameAdPageHigh.html	IKernel.exe
File opened for modification	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\dialogBox\bottomRight.jpg	IKernel.exe
File created	C:\Program Files (x86)\Free Ride Games\Skins\000005\html\Skin\Provider\img\skinUI\1106d35.rra	IKernel.exe

Drops file in Windows directory 9 IoCs

Processes:

IKernel.exe

description	ioc	process
File opened for modification	C:\Windows\Glutil.exe	IKernel.exe
File opened for modification	C:\Windows\X3.vxd	IKernel.exe
File opened for modification	C:\Windows\Downloaded Program Files\ExentCtl.ocx	IKernel.exe
File opened for modification	C:\Windows\GPlrLanc.dat	IKernel.exe
File opened for modification	C:\Windows\FRGN.ico	IKernel.exe
File opened for modification	C:\Windows\ExentInfo.exe	IKernel.exe
File created	C:\Windows\Exen61df.rra	IKernel.exe
File created	C:\Windows\Downloaded Program Files\Exen79c3.rra	IKernel.exe
File created	C:\Windows\FRGN89d9.rra	IKernel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IKernel.exeGPlayer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	IKernel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	IKernel.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	GPlayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GPlayer.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

regedit.exeregedit.exeregedit.exeGPlayer.exeIKernel.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\GTR.exe = "9999"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Gplayer.exe = "10001"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GtrHost.exe = "9999"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\GTR.exe = "9999"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GTR.exe = "9999"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	GPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}\Policy = "3"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\Gplayer.exe = "10001"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GTR.exe = "9999"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}\AppName = "GPlayer.exe"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\gplayer.exe = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	IKernel.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\GtrHost.exe = "9999"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}\AppPath	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}\AppPath = "C:\\Program Files (x86)\\Free Ride Games"	IKernel.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

IKernel.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	IKernel.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exetender = "\"C:\\Program Files (x86)\\Free Ride Games\\GPlayer.exe\" /runonstartup"	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-20	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-19	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	IKernel.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\Exetender = "\"C:\\Program Files (x86)\\Free Ride Games\\GPlayer.exe\" /runonstartup"	IKernel.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	IKernel.exe

Modifies registry class 64 IoCs

Processes:

IKernel.exeIKernel.exeregedit.exeiKernel.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices\ = "SetupLogServices Class"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\ = "ISetupMainWindow4"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\ = "Setup UI 1.0 Type Library"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\ = "ISetupFileErrorInfo"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptDriverWrapper.1\ = "InstallShield setup object wrapper"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44d07caa-4fc4-5a84-9951-a485ad808d0e}\InProcServer32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83755DD1-086B-11D3-8868-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2069-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA7E2087-CB55-11D2-8094-00104B1F9838}\VersionIndependentProgID\ = "Setup.ScriptObjectWrapper"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44d07caa-4fc4-5a84-9951-a485ad808d0e}\VersionIndependentProgID\ = "GameTreatWidget.GameTreatWidget"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44d07caa-4fc4-5a84-9951-a485ad808d0e}\InprocServer32\AppID = "{B415CD14-B45D-4BCA-B552-B06175C38606}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EXEtender\DefaultIcon\ = "\"C:\\Program Files (x86)\\Free Ride Games\\GPlayer.exe,0\""	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\VersionIndependentProgID\ = "Setup.Kernel"	iKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{220A6516-9695-47EF-9413-7BEDC27C34CF}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptObjectWrapper\CLSID\ = "{AA7E2087-CB55-11D2-8094-00104B1F9838}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"	IKernel.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{C9C1FD39-F2D3-50C9-AA6E-662D0EB26128}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib\ = "{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\ProgID	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\ = "ISetupFilesCost"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ = "ISetupMainWindow2"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ExentCtl.ExentInf.1\ = "ExentInf Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\ = "ISetupTextSubstitution"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\0	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\TypeLib\Version = "1.0"	IKernel.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

GPlayer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	GPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	GPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	GPlayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	GPlayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GPlayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	GPlayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	GPlayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	GPlayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	GPlayer.exe

Runs .reg file with regedit 3 IoCs

Processes:

regedit.exeregedit.exeregedit.exe

pid process

1956 regedit.exe
896 regedit.exe
544 regedit.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

GPlayer.exe

pid process

1004 GPlayer.exe
1004 GPlayer.exe
1004 GPlayer.exe
1004 GPlayer.exe
1004 GPlayer.exe
1004 GPlayer.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

464
464
464
464
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

IKernel.exe

description pid process

Token: SeRestorePrivilege 1772 IKernel.exe
Token: SeBackupPrivilege 1772 IKernel.exe

pid	process
1956	regedit.exe
896	regedit.exe
544	regedit.exe

pid	process
464
464
464
464

description	pid	process
Token: SeRestorePrivilege	1772	IKernel.exe
Token: SeBackupPrivilege	1772	IKernel.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

GPlayer.exe

pid	process
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

GPlayer.exe

pid	process
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe
1004	GPlayer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

GPlayer.exe

pid process

1004 GPlayer.exe
1004 GPlayer.exe
1004 GPlayer.exe
1004 GPlayer.exe
1004 GPlayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exeEXEtender.exeSetup.exeIKernel.exe

description	pid	process	target process
PID 2040 wrote to memory of 1096	2040	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	EXEtender.exe
PID 2040 wrote to memory of 1096	2040	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	EXEtender.exe
PID 2040 wrote to memory of 1096	2040	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	EXEtender.exe
PID 2040 wrote to memory of 1096	2040	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	EXEtender.exe
PID 2040 wrote to memory of 1096	2040	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	EXEtender.exe
PID 2040 wrote to memory of 1096	2040	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	EXEtender.exe
PID 2040 wrote to memory of 1096	2040	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	EXEtender.exe
PID 1096 wrote to memory of 1520	1096	EXEtender.exe	Setup.exe
PID 1096 wrote to memory of 1520	1096	EXEtender.exe	Setup.exe
PID 1096 wrote to memory of 1520	1096	EXEtender.exe	Setup.exe
PID 1096 wrote to memory of 1520	1096	EXEtender.exe	Setup.exe
PID 1096 wrote to memory of 1520	1096	EXEtender.exe	Setup.exe
PID 1096 wrote to memory of 1520	1096	EXEtender.exe	Setup.exe
PID 1096 wrote to memory of 1520	1096	EXEtender.exe	Setup.exe
PID 1520 wrote to memory of 1472	1520	Setup.exe	IKernel.exe
PID 1520 wrote to memory of 1472	1520	Setup.exe	IKernel.exe
PID 1520 wrote to memory of 1472	1520	Setup.exe	IKernel.exe
PID 1520 wrote to memory of 1472	1520	Setup.exe	IKernel.exe
PID 1520 wrote to memory of 1472	1520	Setup.exe	IKernel.exe
PID 1520 wrote to memory of 1472	1520	Setup.exe	IKernel.exe
PID 1520 wrote to memory of 1472	1520	Setup.exe	IKernel.exe
PID 1772 wrote to memory of 1044	1772	IKernel.exe	iKernel.exe
PID 1772 wrote to memory of 1044	1772	IKernel.exe	iKernel.exe
PID 1772 wrote to memory of 1044	1772	IKernel.exe	iKernel.exe
PID 1772 wrote to memory of 1044	1772	IKernel.exe	iKernel.exe
PID 1772 wrote to memory of 1044	1772	IKernel.exe	iKernel.exe
PID 1772 wrote to memory of 1044	1772	IKernel.exe	iKernel.exe
PID 1772 wrote to memory of 1044	1772	IKernel.exe	iKernel.exe
PID 1772 wrote to memory of 560	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 560	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 560	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 560	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 560	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 560	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 560	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 1956	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 1956	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 1956	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 1956	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 1956	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 1956	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 1956	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 1488	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 1488	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 1488	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 1488	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 1488	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 1488	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 1488	1772	IKernel.exe	regsvr32.exe
PID 1772 wrote to memory of 896	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 896	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 896	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 896	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 896	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 896	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 896	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 544	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 544	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 544	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 544	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 544	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 544	1772	IKernel.exe	regedit.exe
PID 1772 wrote to memory of 544	1772	IKernel.exe	regedit.exe
PID 2040 wrote to memory of 1004	2040	049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe	GPlayer.exe

C:\Users\Admin\AppData\Local\Temp\049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe
"C:\Users\Admin\AppData\Local\Temp\049004d780345a7dfa640b2aa33039ddbd65cf17695382612da863f891155906.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe
  "C:\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\pft16BE.tmp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\pft16BE.tmp\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
      "C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:1472
- C:\Program Files (x86)\Free Ride Games\GPlayer.exe
  "C:\Program Files (x86)\Free Ride Games\GPlayer.exe" "-shortcut http://www.freeridegames.com/opTools/getRGMX.jsp?PrvId=143&AppId=521450&RunIndex=1&AcID=&OpenShInIE=0&PrvDir=Default"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1004
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UPR
    3⤵
    - Executes dropped EXE
    PID:636
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UPR
    3⤵
    - Executes dropped EXE
    PID:1964
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UPW
    3⤵
    - Executes dropped EXE
    PID:592
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UPW
    3⤵
    - Executes dropped EXE
    PID:1572
- - C:\Program Files (x86)\Free Ride Games\cmhelper.exe
    UPW
    3⤵
    - Executes dropped EXE
    PID:1100
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  - Deletes itself
  PID:1168

C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
  "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:1044
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\Downloaded Program Files\ExentCtl.ocx"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:560
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s "C:\Program Files (x86)\Free Ride Games\NPGameTreatPlugin.reg"
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Runs .reg file with regedit
  PID:1956
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll"
  2⤵
  - Loads dropped DLL
  PID:1488
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s "C:\Program Files (x86)\Free Ride Games\EXEtenderDefaults.reg"
  2⤵
  - Modifies Internet Explorer settings
  - Runs .reg file with regedit
  PID:896
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s "C:\Program Files (x86)\Free Ride Games\EXEtenderDefaultsProvider.reg"
  2⤵
  - Modifies Internet Explorer settings
  - Runs .reg file with regedit
  PID:544

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x560
1⤵
PID:668

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PR
1⤵
- Executes dropped EXE
PID:1100
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  R
  2⤵
  - Executes dropped EXE
  PID:1160

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PR
1⤵
- Executes dropped EXE
PID:1628
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  R
  2⤵
  - Executes dropped EXE
  PID:1724

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PW
1⤵
- Executes dropped EXE
PID:1464
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  W
  2⤵
  - Executes dropped EXE
  PID:1288

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PW
1⤵
- Executes dropped EXE
PID:1712
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  W
  2⤵
  - Executes dropped EXE
  PID:1472

C:\Program Files (x86)\Free Ride Games\cmhelper.exe
"C:\Program Files (x86)\Free Ride Games\cmhelper.exe" PW
1⤵
- Executes dropped EXE
PID:1692
- C:\Program Files (x86)\Free Ride Games\cmhelper.exe
  W
  2⤵
  - Executes dropped EXE
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
C:\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll

Filesize
1.2MB

MD5
417c6b730b00435a461b1025539ad2cd

SHA1
9d6509b8ee41264bb89f411b72e903875fbd97d8

SHA256
dcd9e3cdb8bb1c1fb7504deb07b82ed49dc09865f18fd0973b46989d66a19d35

SHA512
03a684f51526527bb4ff178004b72eb4ff4e05451a12b58161cb1c166f3b55cebd849aeb225485fa7b3fc0e052d9fcce7d552ee27ece330a65a93e3bd1549acf

Download Submit
C:\Program Files (x86)\Free Ride Games\ClientCfg.xml

Filesize
262B

MD5
33092f70ea80bc968eee80de9ad4c453

SHA1
91489ce57d4f22ce5b401080b0dd091f5e36be82

SHA256
de5727fdd8d46c40dcb9c200234cf941a355b67314c00fa7d64495e57f3cb0f0

SHA512
45090e61202ed292dadb33daf422fe3d8e3f0515322b225baa7652319519e0ed1d221170cdee10aca755fbecba7cc64d8eea8389586bbfb056a43133d40c6647

Download Submit
C:\Program Files (x86)\Free Ride Games\NPGameTreatPlugin.reg

Filesize
10KB

MD5
a967a8514d0ad555b80e10b86d2c4ea9

SHA1
0f05f75587cd5a15a7b3a2bb980daf956e9ab99e

SHA256
142633c50dbeea509b3c1ff7c32223b227a40036c77361e0d0474316a9e63849

SHA512
cd9834292e008a4c15724c2c5eafb1a2cad6c50f9d889d269d8cf723f6556ac509db9be51fcb799a1e43570cef4a8fd4e681b08d9d77e1ae90118e423cba976a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe

Filesize
12.3MB

MD5
2604c1d5fc21e1782c999d0c84c7cf07

SHA1
8a8e330b26ed27c06e31cd501213c71c4586b0dc

SHA256
182db0c9db91176d611bdd8f5d8592d66a98d3527d843f1c66bca0b6930b1726

SHA512
7fa930e47eefa386f9ee63800444bb9d5866088c7ecf8ed1b7c3a1b269d998c4ba1ebccc8fd23735dd794cdbd14f03ebd5ae9dd2fdfd12c6f02a37455b7302b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe

Filesize
12.3MB

MD5
2604c1d5fc21e1782c999d0c84c7cf07

SHA1
8a8e330b26ed27c06e31cd501213c71c4586b0dc

SHA256
182db0c9db91176d611bdd8f5d8592d66a98d3527d843f1c66bca0b6930b1726

SHA512
7fa930e47eefa386f9ee63800444bb9d5866088c7ecf8ed1b7c3a1b269d998c4ba1ebccc8fd23735dd794cdbd14f03ebd5ae9dd2fdfd12c6f02a37455b7302b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft16BE.tmp\ExentCtl.ocx

Filesize
497KB

MD5
5fc1bb4249d11957616ab7d1591c93cc

SHA1
ab2735c7ec583068a0b322c57483cfb350d93cbe

SHA256
77fe282422f1b8acc1d5fbfdde79d4f8616fb95f59cda965d435a0346c2b6d30

SHA512
1e086e6734c51e6a18a98ec49ef3464bf6f92e861061a29a1def534176417c96fe894a4d684718889ebfe9ab2085ab9fe7b2b1a3d69b0bd5dc6d52d6393bb44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft16BE.tmp\FRGN.ico

Filesize
17KB

MD5
ab7afac47007d11443ac2c19f9dbac01

SHA1
63a5c5bf2f95edc047f40e64500f05cdbe26cafe

SHA256
c3ea631d603ea726a57ccf50f18fc6336074c6d439d68eb7c44e1e95718378e6

SHA512
e49cd893c015220857439f273eebd3ddd0fcc5e8dbb38268b4dbb44d1a063150143014ac22c144ea5bf96a0fadbef17dd1bc6ee6564a0ce89befe1704aef07c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft16BE.tmp\IKernel.ex_

Filesize
343KB

MD5
3214f45b155a8d5a26ee2f4dd93eaf73

SHA1
44a2e6e23a7c8167a7c36597d3e4714ef09f0f7e

SHA256
716cf59211259e00acb40481da02728264bc8948206b2153e96ddeae6e230dee

SHA512
064bf3728179657be4872d5b4d15cf7b4a605afc636fd55a4313bd96804a1b7e0b9f730a7a5df40841125e5ec465e1c195b673f1ee0700eebb864a90cce29b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft16BE.tmp\Setup.exe

Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft16BE.tmp\Setup.exe

Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft16BE.tmp\data1.cab

Filesize
498KB

MD5
1f5cb19bd50f9caa8b4a1f846a98dde8

SHA1
e454bcebab9865fca0d3e5dbddc81aaee828f8e7

SHA256
aff20289c501a3899e403c11138aca0e002c7becf0734d8bd135860fa7a8fbe6

SHA512
9e1a35f75043638da64598952d59faab979f0c86ab3675bc421ef6aa8140fc83713a095296189ffecd3b05e68693032daeba27d7ad48f8df7b4c8014a5999cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft16BE.tmp\data2.cab

Filesize
10.5MB

MD5
f66cf7b9886dde614857bb56e450966b

SHA1
42adecdd87f2ebe6a17044c8fad7115e9dab7bcd

SHA256
ffe81219f555ee4352c5c96ecceb4ee4b85d0f650c8e5243c102cf54ccc0e7c5

SHA512
3fd228bcd801ae9b21f5adaa21032589b3ddc571666dbe684e107a342b05cd15c12e2798ace38da43842a168088d45845233b4bca297cbb11f2610a52aea8188

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft16BE.tmp\exs.dll

Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft16BE.tmp\layout.bin

Filesize
417B

MD5
ae7db797f4f7855091079f0841fce3ea

SHA1
2832dd3bdf894641688e05a9ee09d1fe9e2ead62

SHA256
64b0eb64395fbc22b8d54895318a81d5d2abe6e4045cb04641d75155cb869a47

SHA512
5a29ad7145928623a1fe4c932a6dbb0459c2c4a5046fa09effe04d38fd09b270cc1075aaf5d65d6405d673910d5ce1aac19daf2ce09f18bbb5813ecdf997b2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft16BE.tmp\setup.ini

Filesize
2KB

MD5
84320a31550309b8cc2ddf3c3c00f975

SHA1
3affa5e03b8dae2de23e1807ef1f583fdf781701

SHA256
4f08bacb598278136b61c4f01221b3061489a5c886f9634f26348254571ca8cc

SHA512
0547af5ae9858345161ee6468ab2f7b3011ab5f1bca7c6e577c7e37d1b41788fbdea159032728291fdfb123ef9c0b870678a517ce77e8ab6884bfbf89be86c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft16BE.tmp\setup.inx

Filesize
389KB

MD5
b4d6c93644f48e1e7a466c5c62caae5a

SHA1
787973d54704815e79054f58df7e0f10a2fd3726

SHA256
4e53d8ec2a0398980c6d4a959a139acbb74beac415ee5d61c0ee1e5d0fc9d739

SHA512
81c28ff24d019ccc371a79999b1855de396ade2a5abeffb3939b2e7a6a12d0604c19d315972072c9eeb2f532cc5646bf52a1e5572ba21558242812b4607b2495

Download Submit
C:\Windows\Downloaded Program Files\ExentCtl.ocx

Filesize
398KB

MD5
9c63a99b4216a82a6754ff170a3cdb02

SHA1
8105e1faed19b7fedc02fd3fa7e72755ecaf6209

SHA256
47cba3d1af9af3b72db733336567bd80a422b04e89c5327390d5a143c394ea8f

SHA512
499da0abf3369bbfec4b584ef6935ef4df50c09d5fdb834db704a587dd1e817b2efe4907cc89f74119021adcc70529330a2f0bae02bb90733fdee58726c0add8

Download Submit
\??\c:\users\admin\appdata\local\temp\pft16be.tmp\data1.hdr

Filesize
67KB

MD5
24aa2f11f07a6741e5cba0c77fbe41f7

SHA1
814b78b7d9e2ac36bc903af06c2e00e74b04c137

SHA256
276f1904a5a29eded951caabb832b5a1494a4fe1f957a24320f2f5234a665048

SHA512
a2e65f0f1364fe61cb4cda85718d843b21efe5455b5443946710c7a9ceb41fa491667af788cbb7852a3ed70fab5d98dd91499964e50a20ee1a8dfc4411b621fe

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
606KB

MD5
62f2d4e0721703d216ac74d8e539e108

SHA1
b64a9770f69cee28c1df20e655902af714aafcbc

SHA256
826d5cca5c2170255f83ac196b156ee27cf848f3d78506ec9c9c5459450a9044

SHA512
7a01e5f320f5da5a5dfc736b73b50bbfaf66bded2051067e1f413ab613641ab3fd33c9eb27f8e5e1c25b5eced8f368a39914f377980edd1d3e5f6fb9abe4822f

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll

Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll

Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll

Filesize
1.2MB

MD5
417c6b730b00435a461b1025539ad2cd

SHA1
9d6509b8ee41264bb89f411b72e903875fbd97d8

SHA256
dcd9e3cdb8bb1c1fb7504deb07b82ed49dc09865f18fd0973b46989d66a19d35

SHA512
03a684f51526527bb4ff178004b72eb4ff4e05451a12b58161cb1c166f3b55cebd849aeb225485fa7b3fc0e052d9fcce7d552ee27ece330a65a93e3bd1549acf

Download Submit
\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll

Filesize
1.2MB

MD5
417c6b730b00435a461b1025539ad2cd

SHA1
9d6509b8ee41264bb89f411b72e903875fbd97d8

SHA256
dcd9e3cdb8bb1c1fb7504deb07b82ed49dc09865f18fd0973b46989d66a19d35

SHA512
03a684f51526527bb4ff178004b72eb4ff4e05451a12b58161cb1c166f3b55cebd849aeb225485fa7b3fc0e052d9fcce7d552ee27ece330a65a93e3bd1549acf

Download Submit
\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll

Filesize
1.2MB

MD5
417c6b730b00435a461b1025539ad2cd

SHA1
9d6509b8ee41264bb89f411b72e903875fbd97d8

SHA256
dcd9e3cdb8bb1c1fb7504deb07b82ed49dc09865f18fd0973b46989d66a19d35

SHA512
03a684f51526527bb4ff178004b72eb4ff4e05451a12b58161cb1c166f3b55cebd849aeb225485fa7b3fc0e052d9fcce7d552ee27ece330a65a93e3bd1549acf

Download Submit
\Program Files (x86)\Free Ride Games\AppLoader2KEx.dll

Filesize
1.2MB

MD5
417c6b730b00435a461b1025539ad2cd

SHA1
9d6509b8ee41264bb89f411b72e903875fbd97d8

SHA256
dcd9e3cdb8bb1c1fb7504deb07b82ed49dc09865f18fd0973b46989d66a19d35

SHA512
03a684f51526527bb4ff178004b72eb4ff4e05451a12b58161cb1c166f3b55cebd849aeb225485fa7b3fc0e052d9fcce7d552ee27ece330a65a93e3bd1549acf

Download Submit
\Program Files (x86)\Free Ride Games\exs.dll

Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
\Program Files (x86)\Free Ride Games\exs.dll

Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
\Program Files (x86)\Free Ride Games\exs.dll

Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
\Program Files (x86)\Free Ride Games\exs.dll

Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
\Program Files (x86)\Free Ride Games\exs.dll

Filesize
658KB

MD5
73b67d16d52ddc7e0fd2351343f68ffb

SHA1
5e0db67d64105b58e370c6dc1976f0bf11abce21

SHA256
655fa7bd5c21a6b229b571eab1623a070f2b1138037b700c30be4eefa150783c

SHA512
c77872aa91bc226da548cad63856e2d5ef370c988692aa667b222cacfc5c49bc0d331a69b2afd0965893871f4cc919155bdea14033c2f7c775bc2d09a0aa20da

Download Submit
\Users\Admin\AppData\Local\Temp\FRG_Updater143\EXEtender.exe

Filesize
12.3MB

MD5
2604c1d5fc21e1782c999d0c84c7cf07

SHA1
8a8e330b26ed27c06e31cd501213c71c4586b0dc

SHA256
182db0c9db91176d611bdd8f5d8592d66a98d3527d843f1c66bca0b6930b1726

SHA512
7fa930e47eefa386f9ee63800444bb9d5866088c7ecf8ed1b7c3a1b269d998c4ba1ebccc8fd23735dd794cdbd14f03ebd5ae9dd2fdfd12c6f02a37455b7302b4

Download Submit
\Users\Admin\AppData\Local\Temp\pft16BE.tmp\Setup.exe

Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
\Users\Admin\AppData\Local\Temp\pft16BE.tmp\Setup.exe

Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
\Users\Admin\AppData\Local\Temp\pft16BE.tmp\Setup.exe

Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
\Users\Admin\AppData\Local\Temp\pft16BE.tmp\Setup.exe

Filesize
61KB

MD5
66469b37264376fef149d1d43f0964c5

SHA1
9e59a50c44da1f99ea0c74f8d3126638f117fea3

SHA256
4039ec330d75e585c6589c8166bb2244a84d03a8e3d393d046558fe4e4920576

SHA512
eb175fbaf0810f2f7a3ca13ed2dc03d9b6370b4f0e944b26bbd18b686fce2b98a561886e0c984e4abd99f4d71e7e1ef1c8f93d042070046f837e3bde5f5cc52f

Download Submit
\Users\Admin\AppData\Local\Temp\pft16BE.tmp\exs.dll

Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
\Users\Admin\AppData\Local\Temp\pft16BE.tmp\exs.dll

Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
\Users\Admin\AppData\Local\Temp\pft16BE.tmp\exs.dll

Filesize
658KB

MD5
1c885a3de897a9369eca686f66805bc0

SHA1
ab957b7b50d47959d42d91a353a6ac133f25b6ed

SHA256
f48d248591af5f20b8416cc7371eb2cc6aed7fa2d9c6104f983c0a1c81ec16ae

SHA512
7f60253043cfb9ef0d1a49b19a4719ca85f965c65e6bb83c6440a167099d69f52e3353ce02f793408b6f6f96170966eab3781fb524fc46da091437425c7876ea

Download Submit
\Users\Admin\AppData\Local\Temp\{2b7bdadb-ec8c-4c54-b5dd-ce45a016d3a7}\_IsRes.dll

Filesize
252KB

MD5
48ea604d4fa7d9af5b121c04db6a2fec

SHA1
dc3c04977106bc1fbf1776a6b27899d7b81fb937

SHA256
cbe8127704f36adcc6adbab60df55d1ff8fb7e600f1337fb9c4a59644ba7aa2b

SHA512
9206a1235ce6bd8ceda0ff80fc01842e9cbbeb16267b4a875a0f1e6ea202fd4cbd1a52f8a51bed35a2b38252eb2b2cd2426dc7d24b1ea715203cc0935d612707

Download Submit
\Users\Admin\AppData\Local\Temp\{2b7bdadb-ec8c-4c54-b5dd-ce45a016d3a7}\isrt.dll

Filesize
324KB

MD5
61c056d2df7ab769d6fd801869b828a9

SHA1
4213d0395692fa4181483ffb04eef4bda22cceee

SHA256
148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66

SHA512
a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172

Download Submit
\Windows\Downloaded Program Files\ExentCtl.ocx

Filesize
398KB

MD5
9c63a99b4216a82a6754ff170a3cdb02

SHA1
8105e1faed19b7fedc02fd3fa7e72755ecaf6209

SHA256
47cba3d1af9af3b72db733336567bd80a422b04e89c5327390d5a143c394ea8f

SHA512
499da0abf3369bbfec4b584ef6935ef4df50c09d5fdb834db704a587dd1e817b2efe4907cc89f74119021adcc70529330a2f0bae02bb90733fdee58726c0add8

Download Submit
memory/544-162-0x0000000000000000-mapping.dmp

Download
memory/560-124-0x0000000000000000-mapping.dmp

Download
memory/592-188-0x0000000000000000-mapping.dmp

Download
memory/636-174-0x0000000000000000-mapping.dmp

Download
memory/896-160-0x0000000000000000-mapping.dmp

Download
memory/1004-173-0x0000000002210000-0x000000000225A000-memory.dmp

Filesize
296KB

Download
memory/1004-168-0x0000000000000000-mapping.dmp

Download
memory/1004-181-0x000000000AAE0000-0x000000000ACF3000-memory.dmp

Filesize
2.1MB

Download
memory/1044-93-0x0000000000000000-mapping.dmp

Download
memory/1096-56-0x0000000000000000-mapping.dmp

Download
memory/1100-198-0x0000000000000000-mapping.dmp

Download
memory/1160-177-0x0000000000000000-mapping.dmp

Download
memory/1168-170-0x0000000000660EFA-mapping.dmp

Download
memory/1168-172-0x0000000074F51000-0x0000000074F53000-memory.dmp

Filesize
8KB

Download
memory/1288-191-0x0000000000000000-mapping.dmp

Download
memory/1472-71-0x0000000000000000-mapping.dmp

Download
memory/1472-196-0x0000000000000000-mapping.dmp

Download
memory/1488-139-0x0000000000000000-mapping.dmp

Download
memory/1520-61-0x0000000000000000-mapping.dmp

Download
memory/1572-193-0x0000000000000000-mapping.dmp

Download
memory/1724-186-0x0000000000000000-mapping.dmp

Download
memory/1772-103-0x00000000003E0000-0x00000000003F3000-memory.dmp

Filesize
76KB

Download
memory/1772-164-0x0000000005F31000-0x0000000005FB1000-memory.dmp

Filesize
512KB

Download
memory/1772-111-0x0000000002050000-0x000000000207C000-memory.dmp

Filesize
176KB

Download
memory/1772-105-0x0000000000A61000-0x0000000000A86000-memory.dmp

Filesize
148KB

Download
memory/1772-167-0x0000000005F30000-0x0000000005FD5000-memory.dmp

Filesize
660KB

Download
memory/1772-165-0x0000000005F30000-0x0000000005FD5000-memory.dmp

Filesize
660KB

Download
memory/1772-145-0x0000000005E30000-0x0000000005F65000-memory.dmp

Filesize
1.2MB

Download
memory/1772-166-0x0000000005F31000-0x0000000005FB1000-memory.dmp

Filesize
512KB

Download
memory/1772-108-0x0000000002190000-0x00000000021E3000-memory.dmp

Filesize
332KB

Download
memory/1772-106-0x0000000000A60000-0x0000000000A98000-memory.dmp

Filesize
224KB

Download
memory/1932-201-0x0000000000000000-mapping.dmp

Download
memory/1956-128-0x0000000000000000-mapping.dmp

Download
memory/1964-183-0x0000000000000000-mapping.dmp

Download
memory/2040-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download