redline | 463e7bb6693b947b343cd1ba77247bc8e6504a1fe80f36cdf2a3d7d345e15fd3

Analysis

max time kernel
111s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-08-2022 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f903876c8479896331d5c7b3d4a87597.exe
Size

1.7MB
MD5

f903876c8479896331d5c7b3d4a87597
SHA1

fed1aa21c1471e10655ce43a77d99c918375439b
SHA256

463e7bb6693b947b343cd1ba77247bc8e6504a1fe80f36cdf2a3d7d345e15fd3
SHA512

ec6a003bbf101dafa54ffcce882ceb444e62275275a08617051df732d7c9eea468bee51045232d866e13bf6dd0085101e47727a9b612f68c36e12a644b4bdf3f

Score

10^/10

redline 5 5076357887 @tag12312341 nam3 ruxarr_gg discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Extracted

Family

redline

Botnet

@tag12312341

62.204.41.144:14096

Attributes

auth_value
71466795417275fac01979e57016e277

Extracted

Family

redline

Botnet

5076357887

195.54.170.157:16525

Attributes

auth_value
0dfaff60271d374d0c206d19883e06f3

Extracted

Family

redline

Botnet

RuXaRR_GG

insttaller.com:40915

Attributes

auth_value
4a733ff307847db3ee220c11d113a305

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
behavioral1/memory/1836-104-0x0000000000A70000-0x0000000000A90000-memory.dmp	family_redline
behavioral1/memory/564-103-0x0000000000E20000-0x0000000000E40000-memory.dmp	family_redline
behavioral1/memory/1156-102-0x0000000000A10000-0x0000000000A54000-memory.dmp	family_redline
behavioral1/memory/1408-101-0x0000000000130000-0x0000000000150000-memory.dmp	family_redline
behavioral1/memory/428-105-0x00000000002B0000-0x00000000002D0000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

F0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exetag.exejshainx.exeffnameedit.exerawxdev.exeme.exeMinecraftForge.exe

pid	process
1392	F0geI.exe
2020	kukurzka9000.exe
1836	namdoitntn.exe
1700	real.exe
1156	safert44.exe
564	tag.exe
428	jshainx.exe
1408	ffnameedit.exe
112	rawxdev.exe
1564	me.exe
3740	MinecraftForge.exe

Loads dropped DLL 15 IoCs

Processes:

f903876c8479896331d5c7b3d4a87597.exejshainx.exe

pid	process
604	f903876c8479896331d5c7b3d4a87597.exe
604	f903876c8479896331d5c7b3d4a87597.exe
604	f903876c8479896331d5c7b3d4a87597.exe
604	f903876c8479896331d5c7b3d4a87597.exe
604	f903876c8479896331d5c7b3d4a87597.exe
604	f903876c8479896331d5c7b3d4a87597.exe
604	f903876c8479896331d5c7b3d4a87597.exe
604	f903876c8479896331d5c7b3d4a87597.exe
604	f903876c8479896331d5c7b3d4a87597.exe
604	f903876c8479896331d5c7b3d4a87597.exe
604	f903876c8479896331d5c7b3d4a87597.exe
604	f903876c8479896331d5c7b3d4a87597.exe
604	f903876c8479896331d5c7b3d4a87597.exe
604	f903876c8479896331d5c7b3d4a87597.exe
428	jshainx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

f903876c8479896331d5c7b3d4a87597.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	f903876c8479896331d5c7b3d4a87597.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	f903876c8479896331d5c7b3d4a87597.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	f903876c8479896331d5c7b3d4a87597.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	f903876c8479896331d5c7b3d4a87597.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\rawxdev.exe	f903876c8479896331d5c7b3d4a87597.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	f903876c8479896331d5c7b3d4a87597.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	f903876c8479896331d5c7b3d4a87597.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\me.exe	f903876c8479896331d5c7b3d4a87597.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	f903876c8479896331d5c7b3d4a87597.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	f903876c8479896331d5c7b3d4a87597.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

me.exereal.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	me.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	real.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	real.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	me.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e09f5ab47eaed801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D15D4251-1A71-11ED-B40B-E20468906380} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D15F7CA1-1A71-11ED-B40B-E20468906380} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D15F5591-1A71-11ED-B40B-E20468906380} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

jshainx.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	jshainx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	jshainx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	jshainx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	jshainx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	jshainx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	jshainx.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

real.exeme.exenamdoitntn.exejshainx.exesafert44.exetag.exeffnameedit.exeMinecraftForge.exe

pid process

1700 real.exe
1564 me.exe
1564 me.exe
1836 namdoitntn.exe
428 jshainx.exe
1156 safert44.exe
564 tag.exe
1408 ffnameedit.exe
3740 MinecraftForge.exe

pid	process
1700	real.exe
1564	me.exe
1564	me.exe
1836	namdoitntn.exe
428	jshainx.exe
1156	safert44.exe
564	tag.exe
1408	ffnameedit.exe
3740	MinecraftForge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

namdoitntn.exejshainx.exesafert44.exetag.exeffnameedit.exeMinecraftForge.exe

description	pid	process
Token: SeDebugPrivilege	1836	namdoitntn.exe
Token: SeDebugPrivilege	428	jshainx.exe
Token: SeDebugPrivilege	1156	safert44.exe
Token: SeDebugPrivilege	564	tag.exe
Token: SeDebugPrivilege	1408	ffnameedit.exe
Token: SeDebugPrivilege	3740	MinecraftForge.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

1756 iexplore.exe
1640 iexplore.exe
1784 iexplore.exe
996 iexplore.exe
1396 iexplore.exe
1800 iexplore.exe
1576 iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1756	iexplore.exe
1756	iexplore.exe
1396	iexplore.exe
1396	iexplore.exe
1640	iexplore.exe
1640	iexplore.exe
996	iexplore.exe
996	iexplore.exe
1784	iexplore.exe
1784	iexplore.exe
1800	iexplore.exe
1800	iexplore.exe
1576	iexplore.exe
1576	iexplore.exe
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2260	IEXPLORE.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2260	IEXPLORE.EXE
2276	IEXPLORE.EXE
2276	IEXPLORE.EXE
2292	IEXPLORE.EXE
2292	IEXPLORE.EXE
2284	IEXPLORE.EXE
2284	IEXPLORE.EXE
2276	IEXPLORE.EXE
2276	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f903876c8479896331d5c7b3d4a87597.exe

description	pid	process	target process
PID 604 wrote to memory of 1784	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1784	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1784	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1784	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1756	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1756	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1756	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1756	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 996	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 996	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 996	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 996	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1632	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1632	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1632	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1632	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1800	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1800	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1800	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1800	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1396	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1396	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1396	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1396	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1576	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1576	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1576	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1576	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1640	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1640	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1640	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1640	604	f903876c8479896331d5c7b3d4a87597.exe	iexplore.exe
PID 604 wrote to memory of 1392	604	f903876c8479896331d5c7b3d4a87597.exe	F0geI.exe
PID 604 wrote to memory of 1392	604	f903876c8479896331d5c7b3d4a87597.exe	F0geI.exe
PID 604 wrote to memory of 1392	604	f903876c8479896331d5c7b3d4a87597.exe	F0geI.exe
PID 604 wrote to memory of 1392	604	f903876c8479896331d5c7b3d4a87597.exe	F0geI.exe
PID 604 wrote to memory of 2020	604	f903876c8479896331d5c7b3d4a87597.exe	kukurzka9000.exe
PID 604 wrote to memory of 2020	604	f903876c8479896331d5c7b3d4a87597.exe	kukurzka9000.exe
PID 604 wrote to memory of 2020	604	f903876c8479896331d5c7b3d4a87597.exe	kukurzka9000.exe
PID 604 wrote to memory of 2020	604	f903876c8479896331d5c7b3d4a87597.exe	kukurzka9000.exe
PID 604 wrote to memory of 1836	604	f903876c8479896331d5c7b3d4a87597.exe	namdoitntn.exe
PID 604 wrote to memory of 1836	604	f903876c8479896331d5c7b3d4a87597.exe	namdoitntn.exe
PID 604 wrote to memory of 1836	604	f903876c8479896331d5c7b3d4a87597.exe	namdoitntn.exe
PID 604 wrote to memory of 1836	604	f903876c8479896331d5c7b3d4a87597.exe	namdoitntn.exe
PID 604 wrote to memory of 1700	604	f903876c8479896331d5c7b3d4a87597.exe	real.exe
PID 604 wrote to memory of 1700	604	f903876c8479896331d5c7b3d4a87597.exe	real.exe
PID 604 wrote to memory of 1700	604	f903876c8479896331d5c7b3d4a87597.exe	real.exe
PID 604 wrote to memory of 1700	604	f903876c8479896331d5c7b3d4a87597.exe	real.exe
PID 604 wrote to memory of 1156	604	f903876c8479896331d5c7b3d4a87597.exe	safert44.exe
PID 604 wrote to memory of 1156	604	f903876c8479896331d5c7b3d4a87597.exe	safert44.exe
PID 604 wrote to memory of 1156	604	f903876c8479896331d5c7b3d4a87597.exe	safert44.exe
PID 604 wrote to memory of 1156	604	f903876c8479896331d5c7b3d4a87597.exe	safert44.exe
PID 604 wrote to memory of 564	604	f903876c8479896331d5c7b3d4a87597.exe	tag.exe
PID 604 wrote to memory of 564	604	f903876c8479896331d5c7b3d4a87597.exe	tag.exe
PID 604 wrote to memory of 564	604	f903876c8479896331d5c7b3d4a87597.exe	tag.exe
PID 604 wrote to memory of 564	604	f903876c8479896331d5c7b3d4a87597.exe	tag.exe
PID 604 wrote to memory of 428	604	f903876c8479896331d5c7b3d4a87597.exe	jshainx.exe
PID 604 wrote to memory of 428	604	f903876c8479896331d5c7b3d4a87597.exe	jshainx.exe
PID 604 wrote to memory of 428	604	f903876c8479896331d5c7b3d4a87597.exe	jshainx.exe
PID 604 wrote to memory of 428	604	f903876c8479896331d5c7b3d4a87597.exe	jshainx.exe
PID 604 wrote to memory of 1408	604	f903876c8479896331d5c7b3d4a87597.exe	ffnameedit.exe
PID 604 wrote to memory of 1408	604	f903876c8479896331d5c7b3d4a87597.exe	ffnameedit.exe
PID 604 wrote to memory of 1408	604	f903876c8479896331d5c7b3d4a87597.exe	ffnameedit.exe
PID 604 wrote to memory of 1408	604	f903876c8479896331d5c7b3d4a87597.exe	ffnameedit.exe

C:\Users\Admin\AppData\Local\Temp\f903876c8479896331d5c7b3d4a87597.exe
"C:\Users\Admin\AppData\Local\Temp\f903876c8479896331d5c7b3d4a87597.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1AbtZ4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1784 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RyjC4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1756 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1A4aK4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:996

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RLtX4
2⤵
PID:1632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RCgX4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1800 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2292

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1nhGL4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1396 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1A3AZ4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1576 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1ALSZ4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:1392

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:2020

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1700

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Program Files (x86)\Company\NewProduct\jshainx.exe
"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe
"C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
"C:\Program Files (x86)\Company\NewProduct\rawxdev.exe"
2⤵
- Executes dropped EXE
PID:112

C:\Program Files (x86)\Company\NewProduct\me.exe
"C:\Program Files (x86)\Company\NewProduct\me.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
107KB

MD5
4bf892a854af9af2802f526837819f6e

SHA1
09f2e9938466e74a67368ecd613efdc57f80c30b

SHA256
713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf

SHA512
7ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44

Download Submit
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
107KB

MD5
4bf892a854af9af2802f526837819f6e

SHA1
09f2e9938466e74a67368ecd613efdc57f80c30b

SHA256
713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf

SHA512
7ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.4MB

MD5
8df3405e9cd1a18d10568e0d32e6dc39

SHA1
a084252242da8dbf97f23d7785fdf2b8d9677d3b

SHA256
79516c040ffbb1121904be5b09cd8a7e6fb78885dcc08a9e33781258680b639b

SHA512
6f3e242723983ea2d04d0857d88e2706d53ec9d9b8c030e25e28a60f70813bdd8a8082db60f70b79ed20d6544b8fc069b7fd096da78bbd64b08a5435adfbaa87

Download Submit
C:\Program Files (x86)\Company\NewProduct\me.exe
Filesize
286KB

MD5
29f986a025ca64b6e5fbc50fcefc8743

SHA1
4930311ffe1eac17a468c454d2ac37532b79c454

SHA256
766033bd59297068c74324bfffca88887a4f02588bac347e277644011fb6b090

SHA512
7af798f1480c18952597699189eff78d2ac638b40bffbc651954807b81d667207dd6d4ad073a787d40a423a15361d625f49b556109f998d2c56fa66d71c7268a

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\rawxdev.exe
Filesize
1.2MB

MD5
919cf73749642aa08fb76e9254af5efa

SHA1
08c25ab3572b9035496aec516342e37a25a84883

SHA256
2a31d54ca5b61e6c51c9fb64f3c8d7f081ccd9f5bf525396101d68c3d6050db3

SHA512
5b632aa85adf0dafa2eacee4addd2329334ddf3d7f6c12e8bce2c302722c7ccd61cfac5fa194870e9f775b64275d8c9e14c9f160e3fbb6d0cc03f9432c9a28f6

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
39429716184b2571199d2f0cd04ff528

SHA1
86594d3efcc75d82df7de3d10c70851a72705c3d

SHA256
38d1a622697d90f573333c220e23410162f667f9d49123ab78f276ac2531b1b0

SHA512
a656893bbae7b9d6a14316a0812f030b6f514c5b5e65f929dd59c93b108aac017650af830e83eff9ea88b97df26e3065d7bb0a58dee8afc615b05613065b2dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D15B1F71-1A71-11ED-B40B-E20468906380}.dat
Filesize
3KB

MD5
c916991f16f78f1fd665f456b7406eb5

SHA1
a0c84fa459c483a2b2ebe2f459cb47f2d48d4ddf

SHA256
023a3472fc28ad1c6fc551efe85ba64f75fd3cf9c19edd1bfbbf0d789212ca28

SHA512
15988995119467ab24e796db9ff8b6a3c7726bf2466c4080d9ac365a7a4c703b549db1eeb16e2aca57489542df0a1fba4931955cfbdd0682b8b808e95af4a3f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D15CF431-1A71-11ED-B40B-E20468906380}.dat
Filesize
3KB

MD5
921de811cfdc48a35f8b66b8cbb4e678

SHA1
840eef39dd95ca8027da00d424155066b301bea5

SHA256
0b7dc78c5b3008155d3b04d06e60794964953af4a66eedfb2a3d23511726cb18

SHA512
ff59fbc20f953700b1efae57d9d338eba42773c6a6a9f0f4f599e6af955c536eec5c8526ca03ad15e75227ad65db558c09e74aa9f087299c1bff736362c4a651

Download Submit
C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe
Filesize
71KB

MD5
f8370d132f334be6703ce54b08db1578

SHA1
55d98f702724f25535bfbeb7a46cee92d57a4421

SHA256
2b058754c1b4402ccc99db8e247f234593bb96015af801f2ee6880425b126fb6

SHA512
0eee39de1ffb965744c97a1c6918ccd755a4fae18d889893244e9d0e3760f28615e46cce524930f1d9f18540bbd6644cd45765c8f95f04c615a0ff682136b35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MinecraftForge.exe
Filesize
71KB

MD5
f8370d132f334be6703ce54b08db1578

SHA1
55d98f702724f25535bfbeb7a46cee92d57a4421

SHA256
2b058754c1b4402ccc99db8e247f234593bb96015af801f2ee6880425b126fb6

SHA512
0eee39de1ffb965744c97a1c6918ccd755a4fae18d889893244e9d0e3760f28615e46cce524930f1d9f18540bbd6644cd45765c8f95f04c615a0ff682136b35b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V5ZS463D.txt
Filesize
606B

MD5
1200a4e139db0154e2ec6cc9641f9beb

SHA1
78c2e94623d7971106cf52c9f65356640995c02e

SHA256
9887da86576efeb325ecbd6b97ddc005e88170f6e3159a0f8f159df5fd0a8649

SHA512
e87ff4dc9ef2b0cb5f41048508ae18ebed46a09227e6dd491540c927b5e7e2ee711a939721a2a3b763cbde4196bec291c92618336c7e0a913c628d8862b9fbbc

Download Submit
\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
\Program Files (x86)\Company\NewProduct\ffnameedit.exe
Filesize
107KB

MD5
4bf892a854af9af2802f526837819f6e

SHA1
09f2e9938466e74a67368ecd613efdc57f80c30b

SHA256
713eeb4e9271fe4b15160d900ad78498838bb33f7f97ad544a705ab2a46d97cf

SHA512
7ef9d8cb4daf6be60c5a41439dab4e7384676b34de2341ac52cb33815645fbb51a4b78725ea97479d287a8d7a0a61b4b337b1ad49cce2a23c9192fd9b7678d44

Download Submit
\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize
107KB

MD5
2647a5be31a41a39bf2497125018dbce

SHA1
a1ac856b9d6556f5bb3370f0342914eb7cbb8840

SHA256
84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665

SHA512
68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26

Download Submit
\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.4MB

MD5
8df3405e9cd1a18d10568e0d32e6dc39

SHA1
a084252242da8dbf97f23d7785fdf2b8d9677d3b

SHA256
79516c040ffbb1121904be5b09cd8a7e6fb78885dcc08a9e33781258680b639b

SHA512
6f3e242723983ea2d04d0857d88e2706d53ec9d9b8c030e25e28a60f70813bdd8a8082db60f70b79ed20d6544b8fc069b7fd096da78bbd64b08a5435adfbaa87

Download Submit
\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
1.4MB

MD5
8df3405e9cd1a18d10568e0d32e6dc39

SHA1
a084252242da8dbf97f23d7785fdf2b8d9677d3b

SHA256
79516c040ffbb1121904be5b09cd8a7e6fb78885dcc08a9e33781258680b639b

SHA512
6f3e242723983ea2d04d0857d88e2706d53ec9d9b8c030e25e28a60f70813bdd8a8082db60f70b79ed20d6544b8fc069b7fd096da78bbd64b08a5435adfbaa87

Download Submit
\Program Files (x86)\Company\NewProduct\me.exe
Filesize
286KB

MD5
29f986a025ca64b6e5fbc50fcefc8743

SHA1
4930311ffe1eac17a468c454d2ac37532b79c454

SHA256
766033bd59297068c74324bfffca88887a4f02588bac347e277644011fb6b090

SHA512
7af798f1480c18952597699189eff78d2ac638b40bffbc651954807b81d667207dd6d4ad073a787d40a423a15361d625f49b556109f998d2c56fa66d71c7268a

Download Submit
\Program Files (x86)\Company\NewProduct\me.exe
Filesize
286KB

MD5
29f986a025ca64b6e5fbc50fcefc8743

SHA1
4930311ffe1eac17a468c454d2ac37532b79c454

SHA256
766033bd59297068c74324bfffca88887a4f02588bac347e277644011fb6b090

SHA512
7af798f1480c18952597699189eff78d2ac638b40bffbc651954807b81d667207dd6d4ad073a787d40a423a15361d625f49b556109f998d2c56fa66d71c7268a

Download Submit
\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
\Program Files (x86)\Company\NewProduct\rawxdev.exe
Filesize
1.2MB

MD5
919cf73749642aa08fb76e9254af5efa

SHA1
08c25ab3572b9035496aec516342e37a25a84883

SHA256
2a31d54ca5b61e6c51c9fb64f3c8d7f081ccd9f5bf525396101d68c3d6050db3

SHA512
5b632aa85adf0dafa2eacee4addd2329334ddf3d7f6c12e8bce2c302722c7ccd61cfac5fa194870e9f775b64275d8c9e14c9f160e3fbb6d0cc03f9432c9a28f6

Download Submit
\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
\Program Files (x86)\Company\NewProduct\real.exe
Filesize
286KB

MD5
8a370815d8a47020150efa559ffdf736

SHA1
ba9d8df8f484b8da51161a0e29fd29e5001cff5d

SHA256
975457ed5ae0174f06cc093d4f9edcf75d88118cbbac5a1e76ad7bc7c679cd58

SHA512
d2eb60e220f64e76ebed2b051cc14f3a2da29707d8b2eb52fb41760800f11eafeb8bb3f1f8edcfca693a791aa60e56e263063f2b72abe4ad8784061feee6f7bf

Download Submit
\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize
246KB

MD5
414ffd7094c0f50662ffa508ca43b7d0

SHA1
6ec67bd53da2ff3d5538a3afcc6797af1e5a53fb

SHA256
d3fb9c24b34c113992c5c658f6a11f9620da2e49d12d1acabe871e1bea7846ee

SHA512
c6527077b4822c062e32c39be06e285916b501a358991d120a469f5da1e13d282685ca7ca3fa938292d5beef073fbea42ff9ba96fa5c395f057f7c964608a399

Download Submit
\Program Files (x86)\Company\NewProduct\tag.exe
Filesize
107KB

MD5
2ebc22860c7d9d308c018f0ffb5116ff

SHA1
78791a83f7161e58f9b7df45f9be618e9daea4cd

SHA256
8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89

SHA512
d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e

Download Submit
\Users\Admin\AppData\Local\Temp\MinecraftForge.exe
Filesize
71KB

MD5
f8370d132f334be6703ce54b08db1578

SHA1
55d98f702724f25535bfbeb7a46cee92d57a4421

SHA256
2b058754c1b4402ccc99db8e247f234593bb96015af801f2ee6880425b126fb6

SHA512
0eee39de1ffb965744c97a1c6918ccd755a4fae18d889893244e9d0e3760f28615e46cce524930f1d9f18540bbd6644cd45765c8f95f04c615a0ff682136b35b

Download Submit
memory/112-90-0x0000000000000000-mapping.dmp

Download
memory/428-105-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/428-80-0x0000000000000000-mapping.dmp

Download
memory/564-103-0x0000000000E20000-0x0000000000E40000-memory.dmp

Filesize
128KB

Download
memory/564-75-0x0000000000000000-mapping.dmp

Download
memory/604-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/1156-106-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/1156-72-0x0000000000000000-mapping.dmp

Download
memory/1156-102-0x0000000000A10000-0x0000000000A54000-memory.dmp

Filesize
272KB

Download
memory/1392-162-0x000000000054B000-0x000000000055C000-memory.dmp

Filesize
68KB

Download
memory/1392-135-0x000000000054B000-0x000000000055C000-memory.dmp

Filesize
68KB

Download
memory/1392-95-0x000000000054B000-0x000000000055C000-memory.dmp

Filesize
68KB

Download
memory/1392-57-0x0000000000000000-mapping.dmp

Download
memory/1392-98-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1392-97-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1408-85-0x0000000000000000-mapping.dmp

Download
memory/1408-101-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download
memory/1564-93-0x0000000000000000-mapping.dmp

Download
memory/1700-69-0x0000000000000000-mapping.dmp

Download
memory/1700-116-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1836-104-0x0000000000A70000-0x0000000000A90000-memory.dmp

Filesize
128KB

Download
memory/1836-64-0x0000000000000000-mapping.dmp

Download
memory/2020-100-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/2020-61-0x0000000000000000-mapping.dmp

Download
memory/2020-99-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/3740-156-0x0000000000000000-mapping.dmp

Download
memory/3740-159-0x0000000000220000-0x0000000000238000-memory.dmp

Filesize
96KB

Download
memory/3740-160-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download