0576409a978e936604c09649b2db4466428903f346e1cece4cbbda244b3db672

Analysis

max time kernel
146s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
27-05-2022 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0576409a978e936604c09649b2db4466428903f346e1cece4cbbda244b3db672.exe
Size

2.5MB
MD5

40fb983ff0568389f34942bb2aeed39b
SHA1

ec8b95ee374397430b7db55c56bb1e011675e1a1
SHA256

0576409a978e936604c09649b2db4466428903f346e1cece4cbbda244b3db672
SHA512

5aca28dbede74328075964632f7936c947c49eaddd3a727b805a36955bbb8192746d398940b5998af7cebb6b82113d7c82b443e227591b2a7c66f8f1b1d23894

Score

10^/10

link pdf suricata

Malware Config

Signatures

suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

ShadowArenaPatcher32.paeShadowArenaPatcher32.pae

pid process

3116 ShadowArenaPatcher32.pae
480 ShadowArenaPatcher32.pae

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ShadowArenaPatcher32.paeShadowArenaPatcher32.pae

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	ShadowArenaPatcher32.pae
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	ShadowArenaPatcher32.pae

Loads dropped DLL 18 IoCs

Processes:

ShadowArenaPatcher32.paeShadowArenaPatcher32.paeRegAsm.exeRegAsm.exe

pid	process
3116	ShadowArenaPatcher32.pae
3116	ShadowArenaPatcher32.pae
3116	ShadowArenaPatcher32.pae
3116	ShadowArenaPatcher32.pae
3116	ShadowArenaPatcher32.pae
480	ShadowArenaPatcher32.pae
480	ShadowArenaPatcher32.pae
480	ShadowArenaPatcher32.pae
480	ShadowArenaPatcher32.pae
480	ShadowArenaPatcher32.pae
2500	RegAsm.exe
2500	RegAsm.exe
1384	RegAsm.exe
1384	RegAsm.exe
1384	RegAsm.exe
1384	RegAsm.exe
2500	RegAsm.exe
2500	RegAsm.exe

HTTP links in PDF interactive object 3 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ShadowArenaPatcher32.pae	pdf_with_link_action
C:\Users\Admin\AppData\Local\Temp\ShadowArenaPatcher32.pae	pdf_with_link_action
C:\Users\Admin\AppData\Local\Temp\ShadowArenaPatcher32.pae	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 33 IoCs

Processes:

RegAsm.exeRegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\ThreadingModel = "Both"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\1.0.0.0\RuntimeVersion = "v4.0.30319"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\ProgId	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\ThreadingModel = "Both"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\1.0.0.0\Class = "PAGAuth.PAGAuth"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PAGAuth.PAGAuth	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\1.0.0.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\ProgId\ = "PAGAuth.PAGAuth"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\ProgId\ = "PAGAuth.PAGAuth"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PAGAuth.PAGAuth\CLSID\ = "{C94BB851-E348-422C-B181-5CB6C2A548FE}"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\ = "PAGAuth.PAGAuth"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\RuntimeVersion = "v4.0.30319"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\Implemented Categories	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PAGAuth.PAGAuth\ = "PAGAuth.PAGAuth"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\RuntimeVersion = "v4.0.30319"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\ = "PAGAuth.PAGAuth"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\Class = "PAGAuth.PAGAuth"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\Assembly = "PAGAuth, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\1.0.0.0\Assembly = "PAGAuth, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\Class = "PAGAuth.PAGAuth"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\Assembly = "PAGAuth, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\1.0.0.0\Assembly = "PAGAuth, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PAGAuth.PAGAuth\CLSID\ = "{C94BB851-E348-422C-B181-5CB6C2A548FE}"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PAGAuth.PAGAuth\ = "PAGAuth.PAGAuth"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\ = "mscoree.dll"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\1.0.0.0\Class = "PAGAuth.PAGAuth"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\ = "mscoree.dll"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PAGAuth.PAGAuth\CLSID	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}\0 = ".NET Category"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94BB851-E348-422C-B181-5CB6C2A548FE}\InprocServer32\1.0.0.0\RuntimeVersion = "v4.0.30319"	RegAsm.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ShadowArenaPatcher32.pae

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	ShadowArenaPatcher32.pae
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	ShadowArenaPatcher32.pae
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	ShadowArenaPatcher32.pae
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	ShadowArenaPatcher32.pae
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	ShadowArenaPatcher32.pae

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

0576409a978e936604c09649b2db4466428903f346e1cece4cbbda244b3db672.exeShadowArenaPatcher32.paeShadowArenaPatcher32.pae

pid	process
4716	0576409a978e936604c09649b2db4466428903f346e1cece4cbbda244b3db672.exe
4716	0576409a978e936604c09649b2db4466428903f346e1cece4cbbda244b3db672.exe
3116	ShadowArenaPatcher32.pae
3116	ShadowArenaPatcher32.pae
3116	ShadowArenaPatcher32.pae
3116	ShadowArenaPatcher32.pae
480	ShadowArenaPatcher32.pae
480	ShadowArenaPatcher32.pae
480	ShadowArenaPatcher32.pae
480	ShadowArenaPatcher32.pae
3116	ShadowArenaPatcher32.pae
3116	ShadowArenaPatcher32.pae
3116	ShadowArenaPatcher32.pae
3116	ShadowArenaPatcher32.pae

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0576409a978e936604c09649b2db4466428903f346e1cece4cbbda244b3db672.exeShadowArenaPatcher32.paeShadowArenaPatcher32.pae

description	pid	process	target process
PID 4716 wrote to memory of 3116	4716	0576409a978e936604c09649b2db4466428903f346e1cece4cbbda244b3db672.exe	ShadowArenaPatcher32.pae
PID 4716 wrote to memory of 3116	4716	0576409a978e936604c09649b2db4466428903f346e1cece4cbbda244b3db672.exe	ShadowArenaPatcher32.pae
PID 4716 wrote to memory of 3116	4716	0576409a978e936604c09649b2db4466428903f346e1cece4cbbda244b3db672.exe	ShadowArenaPatcher32.pae
PID 3116 wrote to memory of 1384	3116	ShadowArenaPatcher32.pae	RegAsm.exe
PID 3116 wrote to memory of 1384	3116	ShadowArenaPatcher32.pae	RegAsm.exe
PID 3116 wrote to memory of 1384	3116	ShadowArenaPatcher32.pae	RegAsm.exe
PID 3116 wrote to memory of 480	3116	ShadowArenaPatcher32.pae	ShadowArenaPatcher32.pae
PID 3116 wrote to memory of 480	3116	ShadowArenaPatcher32.pae	ShadowArenaPatcher32.pae
PID 3116 wrote to memory of 480	3116	ShadowArenaPatcher32.pae	ShadowArenaPatcher32.pae
PID 480 wrote to memory of 2500	480	ShadowArenaPatcher32.pae	RegAsm.exe
PID 480 wrote to memory of 2500	480	ShadowArenaPatcher32.pae	RegAsm.exe
PID 480 wrote to memory of 2500	480	ShadowArenaPatcher32.pae	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\0576409a978e936604c09649b2db4466428903f346e1cece4cbbda244b3db672.exe
"C:\Users\Admin\AppData\Local\Temp\0576409a978e936604c09649b2db4466428903f346e1cece4cbbda244b3db672.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4716

C:\Users\Admin\AppData\Local\Temp\ShadowArenaPatcher32.pae
C:\Users\Admin\AppData\Local\Temp/ShadowArenaPatcher32.pae
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Users\Admin\AppData\Local\Temp\PAGAuth.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:1384

C:\Users\Admin\AppData\Local\Temp\ShadowArenaPatcher32.pae
"C:\Users\Admin\AppData\Local\Temp\ShadowArenaPatcher32.pae" --type=renderer --no-sandbox --disable-databases --lang=en-US --lang=en-US --log-file="C:\Users\Admin\AppData\Local\Temp\debug.log" --user-agent=SHADOWARENA --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3116.0.112218755\145756605" /prefetch:673131151
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "C:\Users\Admin\AppData\Local\Temp\PAGAuth.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSVCP140.dll
Filesize
432KB

MD5
54628f77144e17530a8b8882d1789c90

SHA1
6b63d1cb13524b664330574fd7911f1f25dfad16

SHA256
21ecd8652ef68418a68dab73d01c1eb8a8b1fa7f6001f1c688ad78da8f7463d5

SHA512
61e90e751912a84c258e0a5662226e38ddb1a9fc5060cb4b257d3ec7a47569af1a0e402e77b5c8a258554504f40c373a49718c2296cede7cda64bc26dc469730

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAGAuth.dll
Filesize
9KB

MD5
c373edb610e260fa372e9ac00f963183

SHA1
c130c14d464f978c33f6e86bc71d0f9592caa3b7

SHA256
f70c495480695386064b9f676af37a4de60f558c76749026b210d721f90e4cec

SHA512
8ac8258802df337fa9ca3047c4885be949350c91d839785da30ed2065b6e413cc2675d867a1ac6a56c6132fdd6ce7748ddc4778a5709570a89e7b37c165c9137

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAGAuth.dll
Filesize
9KB

MD5
c373edb610e260fa372e9ac00f963183

SHA1
c130c14d464f978c33f6e86bc71d0f9592caa3b7

SHA256
f70c495480695386064b9f676af37a4de60f558c76749026b210d721f90e4cec

SHA512
8ac8258802df337fa9ca3047c4885be949350c91d839785da30ed2065b6e413cc2675d867a1ac6a56c6132fdd6ce7748ddc4778a5709570a89e7b37c165c9137

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAGAuth.dll
Filesize
9KB

MD5
c373edb610e260fa372e9ac00f963183

SHA1
c130c14d464f978c33f6e86bc71d0f9592caa3b7

SHA256
f70c495480695386064b9f676af37a4de60f558c76749026b210d721f90e4cec

SHA512
8ac8258802df337fa9ca3047c4885be949350c91d839785da30ed2065b6e413cc2675d867a1ac6a56c6132fdd6ce7748ddc4778a5709570a89e7b37c165c9137

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAGAuth.dll
Filesize
9KB

MD5
c373edb610e260fa372e9ac00f963183

SHA1
c130c14d464f978c33f6e86bc71d0f9592caa3b7

SHA256
f70c495480695386064b9f676af37a4de60f558c76749026b210d721f90e4cec

SHA512
8ac8258802df337fa9ca3047c4885be949350c91d839785da30ed2065b6e413cc2675d867a1ac6a56c6132fdd6ce7748ddc4778a5709570a89e7b37c165c9137

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAGAuth.dll
Filesize
9KB

MD5
c373edb610e260fa372e9ac00f963183

SHA1
c130c14d464f978c33f6e86bc71d0f9592caa3b7

SHA256
f70c495480695386064b9f676af37a4de60f558c76749026b210d721f90e4cec

SHA512
8ac8258802df337fa9ca3047c4885be949350c91d839785da30ed2065b6e413cc2675d867a1ac6a56c6132fdd6ce7748ddc4778a5709570a89e7b37c165c9137

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAGAuth.dll
Filesize
9KB

MD5
c373edb610e260fa372e9ac00f963183

SHA1
c130c14d464f978c33f6e86bc71d0f9592caa3b7

SHA256
f70c495480695386064b9f676af37a4de60f558c76749026b210d721f90e4cec

SHA512
8ac8258802df337fa9ca3047c4885be949350c91d839785da30ed2065b6e413cc2675d867a1ac6a56c6132fdd6ce7748ddc4778a5709570a89e7b37c165c9137

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAGAuth.dll
Filesize
9KB

MD5
c373edb610e260fa372e9ac00f963183

SHA1
c130c14d464f978c33f6e86bc71d0f9592caa3b7

SHA256
f70c495480695386064b9f676af37a4de60f558c76749026b210d721f90e4cec

SHA512
8ac8258802df337fa9ca3047c4885be949350c91d839785da30ed2065b6e413cc2675d867a1ac6a56c6132fdd6ce7748ddc4778a5709570a89e7b37c165c9137

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAGAuth.dll
Filesize
9KB

MD5
c373edb610e260fa372e9ac00f963183

SHA1
c130c14d464f978c33f6e86bc71d0f9592caa3b7

SHA256
f70c495480695386064b9f676af37a4de60f558c76749026b210d721f90e4cec

SHA512
8ac8258802df337fa9ca3047c4885be949350c91d839785da30ed2065b6e413cc2675d867a1ac6a56c6132fdd6ce7748ddc4778a5709570a89e7b37c165c9137

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAGAuth.dll
Filesize
9KB

MD5
c373edb610e260fa372e9ac00f963183

SHA1
c130c14d464f978c33f6e86bc71d0f9592caa3b7

SHA256
f70c495480695386064b9f676af37a4de60f558c76749026b210d721f90e4cec

SHA512
8ac8258802df337fa9ca3047c4885be949350c91d839785da30ed2065b6e413cc2675d867a1ac6a56c6132fdd6ce7748ddc4778a5709570a89e7b37c165c9137

Download Submit
C:\Users\Admin\AppData\Local\Temp\PatchUI.json
Filesize
387KB

MD5
8f91e5e45a50956ed79381602817e9f6

SHA1
16d84bc60fae4c1a3b6a25f4efb3e788cb698e4b

SHA256
4fee9b584a034a60a214e049db8f5cc213334d55441e4c3cc02b5e1a464ad070

SHA512
55564e0e24f5c02fa0647e5f2addf58547fb78ff0189b4b3f5d047ca8441e4bcecfc5e9efb53dc30e6754eb1a6ed1562cf8f55e0899a9d5441bc2321d9a01dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resource.ini
Filesize
21B

MD5
7149215fe5c29623869f638289dcd98b

SHA1
1b5fb9ceb5e80234a5674b9ff8a8ee3984c6777d

SHA256
07e28969d7a9e5905ca7a4d3131ed948f0d5702309754ec40b7b7953cb92e00d

SHA512
f2710230626266dd30704e7e3f606f87766b0715256123ec6045daf5e0d8cf2850802723f9e097c2cfbaf6a45c4db6b7a3c451326b063be4eedf464877494187

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShadowArenaPatcher32.pae
Filesize
3.3MB

MD5
c6024ca8a28ed059aff35d30d4ea35d9

SHA1
f0641770c9e80cc0a6d6ab10935d67dea91130a3

SHA256
dc47b3ec104a0270105c36183ec19916141d9a31c5c6e3714db46e60d1844d09

SHA512
1c9963945b4f7222053e4bd44261e1a5611b3c13d67d4497b903d2326f7180b2578bf2bd24424f5cfe07ed88758330b547bfbeb4cb3bedc0bffc42c25ade84b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShadowArenaPatcher32.pae
Filesize
3.3MB

MD5
c6024ca8a28ed059aff35d30d4ea35d9

SHA1
f0641770c9e80cc0a6d6ab10935d67dea91130a3

SHA256
dc47b3ec104a0270105c36183ec19916141d9a31c5c6e3714db46e60d1844d09

SHA512
1c9963945b4f7222053e4bd44261e1a5611b3c13d67d4497b903d2326f7180b2578bf2bd24424f5cfe07ed88758330b547bfbeb4cb3bedc0bffc42c25ade84b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShadowArenaPatcher32.pae
Filesize
3.3MB

MD5
c6024ca8a28ed059aff35d30d4ea35d9

SHA1
f0641770c9e80cc0a6d6ab10935d67dea91130a3

SHA256
dc47b3ec104a0270105c36183ec19916141d9a31c5c6e3714db46e60d1844d09

SHA512
1c9963945b4f7222053e4bd44261e1a5611b3c13d67d4497b903d2326f7180b2578bf2bd24424f5cfe07ed88758330b547bfbeb4cb3bedc0bffc42c25ade84b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SplashImage
Filesize
689KB

MD5
8d445ac7942b55926a5959c576bd85a8

SHA1
f28d54d10f2b235e90932ea47afe9f41d945310e

SHA256
73f97fd8323b3515cc2e6ac551412dcce48b8184a52a7927427e2c35b26a8fbd

SHA512
2186af3c162fd16d8e71d32f26f6f80be26215095a61d5529c1abaa706464746a854d8daaae0888a2337f20810f17ec48846ce2b22d86222c741f1b79b1aa7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCRUNTIME140.dll
Filesize
83KB

MD5
607b9eef0c8173d1e8e75947aeed6a13

SHA1
43a575271718f44f4aadacf6476c54c29c2c096b

SHA256
a4e64b1281a49232aeddef73193111b55eb28961d47244d0eba1dfe2887c2b81

SHA512
7919425aca7881ff53ce4a637f6f6dedc47e030892c858c20d2e303872221764aad6826e1c1fd24f40d61af730403ee891d3e354fe9085158f35bf2d198f5d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cef.pak
Filesize
2.4MB

MD5
541da2186d3a1d47fd9f0022d14eba55

SHA1
bf5cc1d5680bb54e1da2d929f594e000be7bd603

SHA256
b86468f8634e81d31ea3fb57e4b2931c252044d3fabf383db30dc9b369ee7503

SHA512
c03cdace845d52e201d182c419c5d2867ae12cd13c8233619bddae66273662778cd44bea42c0fd1857fcf2c3a5288d741348b63df4827ff2431411cf8119ae58

Download Submit
C:\Users\Admin\AppData\Local\Temp\cef_100_percent.pak
Filesize
292KB

MD5
51b6d1e6273e7a861786d8ff7bd31b9a

SHA1
0dfe006cc932c630d23cd703b4095c6498ddd319

SHA256
da51571017bb6cc0cd1a2654cf289f84a378ed9bc458833dc25e3075d8098129

SHA512
acf1b3509a165adbfcafb6be95756b919dfb9d35efa026f62841259d2ef62d1593e37cc4e9f3e6b80ba523152f9b6e761ed12c81a0a7701871bbf91d672644ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\cef_extensions.pak
Filesize
3.9MB

MD5
4df5045de92260ccb13cfc9a11f339f5

SHA1
0c5ad977579092d17bd621f53f31dfe82abbc332

SHA256
1d0e3e82700d66ac71eac6778b08dcab69c99a598a5de99149a91d7c0fa8b18f

SHA512
a3b8bc2afc4749e24794a524a41acbec8a78046c7bbdf0e9395169c1dccfe3c57392dd9a5887f5a0038ea3872a54ee0f1d9e2acf706cb21a45a60f9405394a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini
Filesize
132KB

MD5
14d1ff263895a3a761ea1847c97f7fa8

SHA1
8ac594b9e7f5317594378b7772deacaa3cebb601

SHA256
545adaf8bbb8387e4efaaddf2fa6e433768cf353d72cd4d60cac340ddc748067

SHA512
03f1f1fb40efa48021e5bf93d98c34fede4be5c14237e8ba59a1352851031f8ede8610ccbb23b386876c95acc4adf3b7654fec170c1498cfc108d9e4a63067e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\expapply.dll
Filesize
339KB

MD5
e6a29d65c29b6c304d74572fcb8f7d4c

SHA1
a90d974d746af11a3561abc94b0b56dfb6ed76cf

SHA256
8063bb304c4b37c8436e1b1fab4a95173d7cd2800949425c00e9c6c1c229a496

SHA512
657693bb91caafd494e87add2d58c8d177d57de1036dfe4622ae7f398c26d507bc90157b2141e824afb1a3335e11912e345512d45340ebd02eef04723d479d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\expapply.dll
Filesize
339KB

MD5
e6a29d65c29b6c304d74572fcb8f7d4c

SHA1
a90d974d746af11a3561abc94b0b56dfb6ed76cf

SHA256
8063bb304c4b37c8436e1b1fab4a95173d7cd2800949425c00e9c6c1c229a496

SHA512
657693bb91caafd494e87add2d58c8d177d57de1036dfe4622ae7f398c26d507bc90157b2141e824afb1a3335e11912e345512d45340ebd02eef04723d479d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\expapply.dll
Filesize
339KB

MD5
e6a29d65c29b6c304d74572fcb8f7d4c

SHA1
a90d974d746af11a3561abc94b0b56dfb6ed76cf

SHA256
8063bb304c4b37c8436e1b1fab4a95173d7cd2800949425c00e9c6c1c229a496

SHA512
657693bb91caafd494e87add2d58c8d177d57de1036dfe4622ae7f398c26d507bc90157b2141e824afb1a3335e11912e345512d45340ebd02eef04723d479d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\icudtl.dat
Filesize
9.7MB

MD5
970fe088600931d0507605759c6b3679

SHA1
22c8b378d1695e0f94ae8d52c9480eccff92f62c

SHA256
18977bd65e2b2ceb2821db501dfd2bdd920762972e612dd1d8ec45f4a313296f

SHA512
27a3545455432ca2a196621a8968d122da94afc30c3c8e50b2215116f03a7cfd6ef1760372f655888a20355becce6baf324d1621529666f07c964c15cdd975f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcef.dll
Filesize
45.3MB

MD5
6177180e372a56d584cfb8d97a63a5a3

SHA1
bb67ea029b4755dad149fb819681999e6178aa49

SHA256
10cc8c45eb785afc169f2e6d437942798a96405d04c6417d6cc21112affa0c61

SHA512
d88ab6709f7c3d8126fd09566652d591c48a66aa8d59b9318f705eaec4488583921a2d91db808232e55b1752d6d9c1770b42e355e6ade7d7ce9a84c7c4afc80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcef.dll
Filesize
45.3MB

MD5
6177180e372a56d584cfb8d97a63a5a3

SHA1
bb67ea029b4755dad149fb819681999e6178aa49

SHA256
10cc8c45eb785afc169f2e6d437942798a96405d04c6417d6cc21112affa0c61

SHA512
d88ab6709f7c3d8126fd09566652d591c48a66aa8d59b9318f705eaec4488583921a2d91db808232e55b1752d6d9c1770b42e355e6ade7d7ce9a84c7c4afc80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcef.dll
Filesize
45.3MB

MD5
6177180e372a56d584cfb8d97a63a5a3

SHA1
bb67ea029b4755dad149fb819681999e6178aa49

SHA256
10cc8c45eb785afc169f2e6d437942798a96405d04c6417d6cc21112affa0c61

SHA512
d88ab6709f7c3d8126fd09566652d591c48a66aa8d59b9318f705eaec4488583921a2d91db808232e55b1752d6d9c1770b42e355e6ade7d7ce9a84c7c4afc80e

Download Submit
C:\Users\Admin\AppData\Local\Temp\locales\en-US.pak
Filesize
26KB

MD5
951c8e3755c0f0c0be6df9681e020bbd

SHA1
7832ba068de6bf026d0f954b3f4295c290db0e21

SHA256
b2fa5d3d07eafdda2c578737b77cfd9a83a8ee451adfdffd4dda64d4bf9f96df

SHA512
8a5948c9c995820df19bb79cf0a22362cfbf5757a7e8dd90bd5ea92516db9fed9cfb27d1211cd3dcc48e923bc38148fe823ce873271a7372f9fe88d5f7c01811

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp140.dll
Filesize
432KB

MD5
54628f77144e17530a8b8882d1789c90

SHA1
6b63d1cb13524b664330574fd7911f1f25dfad16

SHA256
21ecd8652ef68418a68dab73d01c1eb8a8b1fa7f6001f1c688ad78da8f7463d5

SHA512
61e90e751912a84c258e0a5662226e38ddb1a9fc5060cb4b257d3ec7a47569af1a0e402e77b5c8a258554504f40c373a49718c2296cede7cda64bc26dc469730

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp140.dll
Filesize
432KB

MD5
54628f77144e17530a8b8882d1789c90

SHA1
6b63d1cb13524b664330574fd7911f1f25dfad16

SHA256
21ecd8652ef68418a68dab73d01c1eb8a8b1fa7f6001f1c688ad78da8f7463d5

SHA512
61e90e751912a84c258e0a5662226e38ddb1a9fc5060cb4b257d3ec7a47569af1a0e402e77b5c8a258554504f40c373a49718c2296cede7cda64bc26dc469730

Download Submit
C:\Users\Admin\AppData\Local\Temp\natives_blob.bin
Filesize
429KB

MD5
d0645f36f5d0fdf9e8502908cb7096aa

SHA1
d2442b26c40e45a00c1c3f5a88e9798606aad71e

SHA256
bb6a54a7414519312130fc364128d9464c3d0763e42b018ed29db22a2e389dd8

SHA512
73d14a588d9fed22e6109a0043cdb1cb75c665ac802555e8903679274e505d36d5d1e3e032e890311c88053a30029ce76eefd97b09211faaad6834fafb677e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\patcher_version
Filesize
5B

MD5
62e425a9c332e7a357eb0281569daab0

SHA1
489574e80593d6a65f106b975e6267a2abda9c1c

SHA256
ebd614e676d0cbe5f1a411ae599fdeef6d1a8dfdbb007e39b4c7fb2ec0965419

SHA512
6aa1791e6a2ef28f5b9ca548c7c01a8e4b6048e6e1e0463c439e5158b3773915fed37033a765b38b6ddc675edb5e0c0c674aa79432ac94c146859015777d8215

Download Submit
C:\Users\Admin\AppData\Local\Temp\service.ini
Filesize
211B

MD5
d1276ce90a7ee9695e9cde436482b68e

SHA1
148070f9207e6fda0d20a947cc4b7878774c9f02

SHA256
3988dba85aba56b3fada4759e85fe5b7a0bba8885ed020ba9271edb214e26a56

SHA512
1b63c4423955005255c4de53bac1234b2ba2d2a4141606c1c4228dac1daa6cb29cf322e5f2b56cb63a88fec29a63c4fd2ada5cd3b3952a3cc3d5aa3f14896d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\steam_api.dll
Filesize
214KB

MD5
7b857c897bc69313e4936dc3dcce5193

SHA1
4ee43374520904fa6d80c12c273d67eb7b5c984e

SHA256
5b6ef90f822209180ed5cafecb90af849ee84bcf6281eeb21be2f89b3b5c89b6

SHA512
be6406cc367815cc7b813adef24e5ddad6c8244d4964bd37ed0656aaae404496f4f9e38968e9acba91bff1db171127126d8219ebea8757142ebac0c82a233573

Download Submit
C:\Users\Admin\AppData\Local\Temp\steam_api.dll
Filesize
214KB

MD5
7b857c897bc69313e4936dc3dcce5193

SHA1
4ee43374520904fa6d80c12c273d67eb7b5c984e

SHA256
5b6ef90f822209180ed5cafecb90af849ee84bcf6281eeb21be2f89b3b5c89b6

SHA512
be6406cc367815cc7b813adef24e5ddad6c8244d4964bd37ed0656aaae404496f4f9e38968e9acba91bff1db171127126d8219ebea8757142ebac0c82a233573

Download Submit
C:\Users\Admin\AppData\Local\Temp\steam_api.dll
Filesize
214KB

MD5
7b857c897bc69313e4936dc3dcce5193

SHA1
4ee43374520904fa6d80c12c273d67eb7b5c984e

SHA256
5b6ef90f822209180ed5cafecb90af849ee84bcf6281eeb21be2f89b3b5c89b6

SHA512
be6406cc367815cc7b813adef24e5ddad6c8244d4964bd37ed0656aaae404496f4f9e38968e9acba91bff1db171127126d8219ebea8757142ebac0c82a233573

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll
Filesize
83KB

MD5
607b9eef0c8173d1e8e75947aeed6a13

SHA1
43a575271718f44f4aadacf6476c54c29c2c096b

SHA256
a4e64b1281a49232aeddef73193111b55eb28961d47244d0eba1dfe2887c2b81

SHA512
7919425aca7881ff53ce4a637f6f6dedc47e030892c858c20d2e303872221764aad6826e1c1fd24f40d61af730403ee891d3e354fe9085158f35bf2d198f5d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll
Filesize
83KB

MD5
607b9eef0c8173d1e8e75947aeed6a13

SHA1
43a575271718f44f4aadacf6476c54c29c2c096b

SHA256
a4e64b1281a49232aeddef73193111b55eb28961d47244d0eba1dfe2887c2b81

SHA512
7919425aca7881ff53ce4a637f6f6dedc47e030892c858c20d2e303872221764aad6826e1c1fd24f40d61af730403ee891d3e354fe9085158f35bf2d198f5d0f

Download Submit
memory/480-156-0x0000000000000000-mapping.dmp

Download
memory/1384-146-0x0000000000000000-mapping.dmp

Download
memory/1384-154-0x00000000009D0000-0x00000000009E2000-memory.dmp

Filesize
72KB

Download
memory/2500-167-0x0000000004E90000-0x0000000004E98000-memory.dmp

Filesize
32KB

Download
memory/2500-163-0x0000000000000000-mapping.dmp

Download
memory/3116-130-0x0000000000000000-mapping.dmp

Download