redline | 3bcf69e225f3a55bdc75f5622ad66736f6bab02ee8771ebd10b094bf99497a18

Analysis

max time kernel
137s
max time network
134s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-08-2022 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
Size

1.7MB
MD5

3d8bc8f17e09303edcf5b8ae9a32d0fa
SHA1

80331898dfe6d1c20afdba65da52d7a719e24a1d
SHA256

3bcf69e225f3a55bdc75f5622ad66736f6bab02ee8771ebd10b094bf99497a18
SHA512

3571ceb7d0864c9348fc3930d952f4a82c40d4d2a32435eba918b19ba1daf7e9ca424f678efd15af78c55f9188a997b2fd8574d54f1796ecff28ec278af10d91

Score

10^/10

redline 5 5076357887 @tag12312341 nam3 ruxarr_gg discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

RuXaRR_GG

insttaller.com:40915

Attributes

auth_value
4a733ff307847db3ee220c11d113a305

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral1/memory/1168-79-0x0000000000190000-0x00000000001D4000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral1/memory/616-76-0x00000000003F0000-0x0000000000410000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
behavioral1/memory/808-97-0x00000000012D0000-0x00000000012F0000-memory.dmp	family_redline
behavioral1/memory/1432-99-0x00000000008B0000-0x00000000008D0000-memory.dmp	family_redline
behavioral1/memory/1240-98-0x0000000000B20000-0x0000000000B40000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exejshainx.exetag.exeffnameedit.exerawxdev.exeEU1.exeMinecraftForge.exe

pid	process
520	F0geI.exe
1620	kukurzka9000.exe
616	namdoitntn.exe
1524	real.exe
1168	safert44.exe
808	jshainx.exe
1432	tag.exe
1240	ffnameedit.exe
1936	rawxdev.exe
432	EU1.exe
3912	MinecraftForge.exe

Loads dropped DLL 15 IoCs

Processes:

3d8bc8f17e09303edcf5b8ae9a32d0fa.exejshainx.exe

pid	process
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
808	jshainx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

3d8bc8f17e09303edcf5b8ae9a32d0fa.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\rawxdev.exe	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\EU1.exe	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

real.exeEU1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EU1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EU1.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B62D7951-1A76-11ED-808D-42A98B637845} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B62FEA51-1A76-11ED-808D-42A98B637845} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000044fb973448e1304c1e2ec2b6ea9b8abb381c7b8085530128df5532c715b9a1e0000000000e80000000020000200000006c73ae89c8b223e7968b8643439492f701daf8835ed14f7e4337493d0378784c20000000ec97180674492c9789ae4b731230a87a40a7a2fadc5498fd5fc3938889e79719400000000c00d680bd8f7b219b7c286978c4581b2c33a738bc95428640708ee9af1b8b8443b457add02ac916d11a0d0ef9f4fdd3e3884a7fa5e08982c14dc7a0d2b34036	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B633E1F1-1A76-11ED-808D-42A98B637845} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

jshainx.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	jshainx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	jshainx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	jshainx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	jshainx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	jshainx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	jshainx.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

tag.exenamdoitntn.exejshainx.exesafert44.exeffnameedit.exereal.exeEU1.exeMinecraftForge.exe

pid	process
1432	tag.exe
616	namdoitntn.exe
808	jshainx.exe
1168	safert44.exe
1240	ffnameedit.exe
1524	real.exe
1524	real.exe
1524	real.exe
432	EU1.exe
432	EU1.exe
3912	MinecraftForge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

tag.exenamdoitntn.exejshainx.exesafert44.exeffnameedit.exeMinecraftForge.exe

description	pid	process
Token: SeDebugPrivilege	1432	tag.exe
Token: SeDebugPrivilege	616	namdoitntn.exe
Token: SeDebugPrivilege	808	jshainx.exe
Token: SeDebugPrivilege	1168	safert44.exe
Token: SeDebugPrivilege	1240	ffnameedit.exe
Token: SeDebugPrivilege	3912	MinecraftForge.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

1772 iexplore.exe
2016 iexplore.exe
1456 iexplore.exe
1252 iexplore.exe
816 iexplore.exe
1900 iexplore.exe
1928 iexplore.exe
2000 iexplore.exe

pid	process
1772	iexplore.exe
2016	iexplore.exe
1456	iexplore.exe
1252	iexplore.exe
816	iexplore.exe
1900	iexplore.exe
1928	iexplore.exe
2000	iexplore.exe

Suspicious use of SetWindowsHookEx 34 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
816	iexplore.exe
816	iexplore.exe
1252	iexplore.exe
1252	iexplore.exe
1456	iexplore.exe
1456	iexplore.exe
2016	iexplore.exe
2016	iexplore.exe
2000	iexplore.exe
1772	iexplore.exe
2000	iexplore.exe
1772	iexplore.exe
1928	iexplore.exe
1928	iexplore.exe
1900	iexplore.exe
1900	iexplore.exe
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE
2152	IEXPLORE.EXE
2152	IEXPLORE.EXE
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2168	IEXPLORE.EXE
2168	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3d8bc8f17e09303edcf5b8ae9a32d0fa.exe

description	pid	process	target process
PID 1980 wrote to memory of 1900	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1900	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1900	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1900	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1772	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1772	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1772	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1772	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1456	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1456	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1456	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1456	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1928	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1928	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1928	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1928	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1252	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1252	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1252	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 1252	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 2016	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 2016	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 2016	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 2016	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 816	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 816	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 816	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 816	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 2000	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 2000	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 2000	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 2000	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	iexplore.exe
PID 1980 wrote to memory of 520	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	F0geI.exe
PID 1980 wrote to memory of 520	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	F0geI.exe
PID 1980 wrote to memory of 520	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	F0geI.exe
PID 1980 wrote to memory of 520	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	F0geI.exe
PID 1980 wrote to memory of 1620	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	kukurzka9000.exe
PID 1980 wrote to memory of 1620	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	kukurzka9000.exe
PID 1980 wrote to memory of 1620	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	kukurzka9000.exe
PID 1980 wrote to memory of 1620	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	kukurzka9000.exe
PID 1980 wrote to memory of 616	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	namdoitntn.exe
PID 1980 wrote to memory of 616	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	namdoitntn.exe
PID 1980 wrote to memory of 616	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	namdoitntn.exe
PID 1980 wrote to memory of 616	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	namdoitntn.exe
PID 1980 wrote to memory of 1524	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	real.exe
PID 1980 wrote to memory of 1524	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	real.exe
PID 1980 wrote to memory of 1524	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	real.exe
PID 1980 wrote to memory of 1524	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	real.exe
PID 1980 wrote to memory of 1168	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	safert44.exe
PID 1980 wrote to memory of 1168	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	safert44.exe
PID 1980 wrote to memory of 1168	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	safert44.exe
PID 1980 wrote to memory of 1168	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	safert44.exe
PID 1980 wrote to memory of 1432	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	tag.exe
PID 1980 wrote to memory of 1432	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	tag.exe
PID 1980 wrote to memory of 1432	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	tag.exe
PID 1980 wrote to memory of 1432	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	tag.exe
PID 1980 wrote to memory of 808	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	jshainx.exe
PID 1980 wrote to memory of 808	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	jshainx.exe
PID 1980 wrote to memory of 808	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	jshainx.exe
PID 1980 wrote to memory of 808	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	jshainx.exe
PID 1980 wrote to memory of 1240	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	ffnameedit.exe
PID 1980 wrote to memory of 1240	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	ffnameedit.exe
PID 1980 wrote to memory of 1240	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	ffnameedit.exe
PID 1980 wrote to memory of 1240	1980	3d8bc8f17e09303edcf5b8ae9a32d0fa.exe	ffnameedit.exe

C:\Users\Admin\AppData\Local\Temp\3d8bc8f17e09303edcf5b8ae9a32d0fa.exe
"C:\Users\Admin\AppData\Local\Temp\3d8bc8f17e09303edcf5b8ae9a32d0fa.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1AbtZ4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RyjC4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1A4aK4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1456 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RLtX4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RCgX4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1252

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1nhGL4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1A3AZ4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:816

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:816 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1ALSZ4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:520

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:1620

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Program Files (x86)\Company\NewProduct\jshainx.exe
"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe
"C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
"C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"
2⤵
- Executes dropped EXE
PID:1936

C:\Program Files (x86)\Company\NewProduct\EU1.exe
"C:\Program Files (x86)\Company\NewProduct\EU1.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
286KB

MD5
eaa8eacd3c59ed71b7f68ef7a96602a3

SHA1
9b35e7b6cd147a4a729d3f6b1791e774a754c589

SHA256
2f7a5ab1ce00d00b1196b2cd815457176467928a47a8c652b8af41e6bab8772b

SHA512
c19934e143dcf1242f2f1584baaad4cebbd2e06d048c2ef9d347683ef0d77e2791c364608957e8ea4c1b9613450c3c2e4112bb56280ee12a4b1b1a63c714d83e

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
107KB

MD5
4bf892a854af9af2802f526837819f6e

SHA1
09f2e9938466e74a67368ecd613efdc57f80c30b

SHA256
713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf

SHA512
7ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
107KB

MD5
4bf892a854af9af2802f526837819f6e

SHA1
09f2e9938466e74a67368ecd613efdc57f80c30b

SHA256
713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf

SHA512
7ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.4MB

MD5
8df3405e9cd1a18d10568e0d32e6dc39

SHA1
a084252242da8dbf97f23d7785fdf2b8d9677d3b

SHA256
79516c040ffbb1121904be5b09cd8a7e6fb78885dcc08a9e33781258680b639b

SHA512
6f3e242723983ea2d04d0857d88e2706d53ec9d9b8c030e25e28a60f70813bdd8a8082db60f70b79ed20d6544b8fc069b7fd096da78bbd64b08a5435adfbaa87

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
Filesize
1.2MB

MD5
919cf73749642aa08fb76e9254af5efa

SHA1
08c25ab3572b9035496aec516342e37a25a84883

SHA256
2a31d54ca5b61e6c51c9fb64f3c8d7f081ccd9f5bf525396101d68c3d6050db3

SHA512
5b632aa85adf0dafa2eacee4addd2329334ddf3d7f6c12e8bce2c302722c7ccd61cfac5fa194870e9f775b64275d8c9e14c9f160e3fbb6d0cc03f9432c9a28f6

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
3ad7fe34020f64ea3db03b7d89bd41b6

SHA1
64f37ff3b3a7d919657e6879db0f8b4e3b0b11bd

SHA256
2a94e0f773f18583829392d33c89f52a2c229436774d6d6392e0fa3baacd2106

SHA512
a878ca4f7c798b2713c7ae6787cf8e7f8797d2ffdb9017a82988a19292f302a2d05ad2b4f4b270011d287cef70c87cffbd3ec26d9c93339f16cecdfa7a73577a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B61F96A1-1A76-11ED-808D-42A98B637845}.dat
Filesize
5KB

MD5
a5879cab132d32cfe7c678015b36a963

SHA1
cabe67b1b1ea9eebd992f0d51292748f056799c0

SHA256
537377ed071c09720c2baec685e38217650360b73c3811fc5213a90c0ea2e21b

SHA512
244508ce9895ae944419a4f0f8e33b248471171907320f006758086a4e425ce2772b5439ab315db509e17db40859b0a8306f0ed2796eef068de90f1d69eae92f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B62B5671-1A76-11ED-808D-42A98B637845}.dat
Filesize
3KB

MD5
48522162c916775177aa34f4d588286a

SHA1
01744f42342dfc216e0f15b447b26d1f7727a1da

SHA256
11abf121edbb94164f34c5b9c8121a531a972aff1330f795c292c874c301ce16

SHA512
3169cbda6b43b2b40a6a859a7b63327f802cb5173d87381349c39026bbbca550ea8c1b469f6ef5adc8459f72d34cfeb5037daf92cb1b1a7da31c12e3e50751e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B62B5671-1A76-11ED-808D-42A98B637845}.dat
Filesize
5KB

MD5
41b120e68bb8bffd4255c90b2bee6e95

SHA1
91aeed72c5f87fc1c742ccee2e3e5931f6479584

SHA256
01a59a5659612a1716a227d6360842d04284e0b41966223ed5a4ef9e2e29ffa9

SHA512
ee02ae9b7b417e75e7562d2835ea0b8b646755b295f6f95acdc81e2c846b3a53311af56f2446f9740ad30188bbb30a42ffd6468f1b9e42c648893e4c40bd4fe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B62D7951-1A76-11ED-808D-42A98B637845}.dat
Filesize
5KB

MD5
b62436a37e4ad65b10e53fee0d3b7956

SHA1
6a78e0299eb86fd13abedba000a2f6ddc333ce07

SHA256
7979fd1ca6e9a58501aec172c32a0b0107b3939eca740edc930a5f962bc8af3e

SHA512
af7582a3917c1e22c0911875b64ef7ac1205e36e3ca68b8c38c4c1bc2e5c9110d1173f9cfbb0c8a8e3e61974a10f3538cbe51d017e42961de0dc33ead2880caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B62FEA51-1A76-11ED-808D-42A98B637845}.dat
Filesize
3KB

MD5
517c45b0977cbbe468b07e84ae3d3897

SHA1
e9b37f2e80cb5b574665f5dc4c2b832ccd0f1964

SHA256
24e212cab6d99def63ce2d03fcf354185800db6ab3f6eaf5f315a0d384f6b8f7

SHA512
76d37d57c9f57a3690154692880bf29a13cb7667052920077b552a420f8d67609d018baaf36a5a394b2bb1a5eb0ade58c0b5d151b7ac97ce2bba9edeef36c4d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B633E1F1-1A76-11ED-808D-42A98B637845}.dat
Filesize
4KB

MD5
b088c02cec666537b5fa9bee5faef9fb

SHA1
1ef05f53a2c6b5f46016c3468acd01ef18caf82a

SHA256
6254debd58fbabb1dc4b3beac3c4b050e09b04d608152b870bbd64d563bc3e26

SHA512
322de00327bc4e81dd7fc54383e6faac1d804a531fde1ec9c0c510f29d21dc0739fa7446c8a87e634244fc7ec7357f659c9ed2f6a54be3f5bb0180ea638bb7c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B633E1F1-1A76-11ED-808D-42A98B637845}.dat
Filesize
3KB

MD5
cb046d75747e28d4efbf252e8f3bdfbf

SHA1
838f7cde12edd5a9b8380bae3d1df9cd506dc170

SHA256
34be06a0a8866db42db0c1cea4e7d74214abc3b180d03cf69c4a059598f72d28

SHA512
1f241f13af6f6ab7beb7d16115ce41cb45f64625dd522e06ef1981ede600fc664442e8dc854048fd399f0a1d5786f99507c7a1cd24a21eedff17231681789a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe
Filesize
71KB

MD5
f8370d132f334be6703ce54b08db1578

SHA1
55d98f702724f25535bfbeb7a46cee92d57a4421

SHA256
2b058754c1b4402ccc99db8e247f234593bb96015af801f2ee6880425b126fb6

SHA512
0eee39de1ffb965744c97a1c6918ccd755a4fae18d889893244e9d0e3760f28615e46cce524930f1d9f18540bbd6644cd45765c8f95f04c615a0ff682136b35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe
Filesize
71KB

MD5
f8370d132f334be6703ce54b08db1578

SHA1
55d98f702724f25535bfbeb7a46cee92d57a4421

SHA256
2b058754c1b4402ccc99db8e247f234593bb96015af801f2ee6880425b126fb6

SHA512
0eee39de1ffb965744c97a1c6918ccd755a4fae18d889893244e9d0e3760f28615e46cce524930f1d9f18540bbd6644cd45765c8f95f04c615a0ff682136b35b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S0TODPFL.txt
Filesize
608B

MD5
e12e94da95c0e71978dec0a7efb37666

SHA1
3218d402a6edebc36a1aeedbdfef24a4b4416211

SHA256
56522de3f890a61c39518f375b4cf02bcbb688fa2f429b6b1772188e12403347

SHA512
0db5d68ba7b204a464102080f1d65c09867750f4f0fc41de6868ac75a5dc2f1025334321d9564e6215cc4186751d5a655a47b6eb6fd783e973170b30b94f94bd

Download Submit
\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
286KB

MD5
eaa8eacd3c59ed71b7f68ef7a96602a3

SHA1
9b35e7b6cd147a4a729d3f6b1791e774a754c589

SHA256
2f7a5ab1ce00d00b1196b2cd815457176467928a47a8c652b8af41e6bab8772b

SHA512
c19934e143dcf1242f2f1584baaad4cebbd2e06d048c2ef9d347683ef0d77e2791c364608957e8ea4c1b9613450c3c2e4112bb56280ee12a4b1b1a63c714d83e

Download Submit
\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize
286KB

MD5
eaa8eacd3c59ed71b7f68ef7a96602a3

SHA1
9b35e7b6cd147a4a729d3f6b1791e774a754c589

SHA256
2f7a5ab1ce00d00b1196b2cd815457176467928a47a8c652b8af41e6bab8772b

SHA512
c19934e143dcf1242f2f1584baaad4cebbd2e06d048c2ef9d347683ef0d77e2791c364608957e8ea4c1b9613450c3c2e4112bb56280ee12a4b1b1a63c714d83e

Download Submit
\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
107KB

MD5
4bf892a854af9af2802f526837819f6e

SHA1
09f2e9938466e74a67368ecd613efdc57f80c30b

SHA256
713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf

SHA512
7ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44

Download Submit
\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.4MB

MD5
8df3405e9cd1a18d10568e0d32e6dc39

SHA1
a084252242da8dbf97f23d7785fdf2b8d9677d3b

SHA256
79516c040ffbb1121904be5b09cd8a7e6fb78885dcc08a9e33781258680b639b

SHA512
6f3e242723983ea2d04d0857d88e2706d53ec9d9b8c030e25e28a60f70813bdd8a8082db60f70b79ed20d6544b8fc069b7fd096da78bbd64b08a5435adfbaa87

Download Submit
\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.4MB

MD5
8df3405e9cd1a18d10568e0d32e6dc39

SHA1
a084252242da8dbf97f23d7785fdf2b8d9677d3b

SHA256
79516c040ffbb1121904be5b09cd8a7e6fb78885dcc08a9e33781258680b639b

SHA512
6f3e242723983ea2d04d0857d88e2706d53ec9d9b8c030e25e28a60f70813bdd8a8082db60f70b79ed20d6544b8fc069b7fd096da78bbd64b08a5435adfbaa87

Download Submit
\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
\Program Files (x86)\Company\NewProduct\rawxdev.exe
Filesize
1.2MB

MD5
919cf73749642aa08fb76e9254af5efa

SHA1
08c25ab3572b9035496aec516342e37a25a84883

SHA256
2a31d54ca5b61e6c51c9fb64f3c8d7f081ccd9f5bf525396101d68c3d6050db3

SHA512
5b632aa85adf0dafa2eacee4addd2329334ddf3d7f6c12e8bce2c302722c7ccd61cfac5fa194870e9f775b64275d8c9e14c9f160e3fbb6d0cc03f9432c9a28f6

Download Submit
\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
\Users\Admin\AppData\Local\Temp\MinecraftForge.exe
Filesize
71KB

MD5
f8370d132f334be6703ce54b08db1578

SHA1
55d98f702724f25535bfbeb7a46cee92d57a4421

SHA256
2b058754c1b4402ccc99db8e247f234593bb96015af801f2ee6880425b126fb6

SHA512
0eee39de1ffb965744c97a1c6918ccd755a4fae18d889893244e9d0e3760f28615e46cce524930f1d9f18540bbd6644cd45765c8f95f04c615a0ff682136b35b

Download Submit
memory/432-95-0x0000000000000000-mapping.dmp

Download
memory/520-167-0x000000000065B000-0x000000000066C000-memory.dmp

Filesize
68KB

Download
memory/520-121-0x000000000065B000-0x000000000066C000-memory.dmp

Filesize
68KB

Download
memory/520-102-0x000000000065B000-0x000000000066C000-memory.dmp

Filesize
68KB

Download
memory/520-103-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/520-104-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/520-57-0x0000000000000000-mapping.dmp

Download
memory/616-64-0x0000000000000000-mapping.dmp

Download
memory/616-76-0x00000000003F0000-0x0000000000410000-memory.dmp

Filesize
128KB

Download
memory/808-97-0x00000000012D0000-0x00000000012F0000-memory.dmp

Filesize
128KB

Download
memory/808-81-0x0000000000000000-mapping.dmp

Download
memory/1168-101-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1168-72-0x0000000000000000-mapping.dmp

Download
memory/1168-79-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1240-86-0x0000000000000000-mapping.dmp

Download
memory/1240-98-0x0000000000B20000-0x0000000000B40000-memory.dmp

Filesize
128KB

Download
memory/1432-75-0x0000000000000000-mapping.dmp

Download
memory/1432-99-0x00000000008B0000-0x00000000008D0000-memory.dmp

Filesize
128KB

Download
memory/1524-122-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1524-68-0x0000000000000000-mapping.dmp

Download
memory/1620-107-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1620-105-0x0000000001EA0000-0x0000000001EB2000-memory.dmp

Filesize
72KB

Download
memory/1620-61-0x0000000000000000-mapping.dmp

Download
memory/1936-91-0x0000000000000000-mapping.dmp

Download
memory/1980-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/3912-142-0x0000000000000000-mapping.dmp

Download
memory/3912-146-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/3912-145-0x00000000000F0000-0x0000000000108000-memory.dmp

Filesize
96KB

Download