babadeda | a424d4ad76806d261477a6117dc0fd2b0517357a826f9d0d7da22aac7c0f5ed3

Resubmissions

11-09-2022 13:38

220911-qxfnksfddn 10

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2022 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

output/pentest_sample_15.exe
Size

129.3MB
MD5

9a2949ed34685809e0a23bdfea97271e
SHA1

1ada36a15cea1e1b6c70d155518d2b36a03c4e97
SHA256

f3fef8eac63444e364437305ba947e5b9e098ea15cf7e30458ab67d272fa1fab
SHA512

941486e979b1a9a08e61f3f4bb348224fc9a55c60a3ec6a6eadceb6d8ea0b00b5641f549616dd01b374d8ceaf3e05bc41cecaaca27d8e980232de1a84a8d21ef
SSDEEP

3145728:zR/5KgSAOsWBD4TABLmERk6WFQLnZLmzxPj9MDOC7vadxZA6NnArUwxS846PjsN3:zR/b

Score

10^/10

babadeda remcos sys32 crypter loader persistence ransomware rat

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3172_203154532\us_tv_and_film.txt

Ransom Note

you i to that it me what this know i'm no have my don't just not do be your we it's so but all well oh about right you're get here out going like yeah if can up want think that's now go him how got did why see come good really look will okay back can't mean tell i'll hey he's could didn't yes something because say take way little make need gonna never we're too she's i've sure our sorry what's let thing maybe down man very there's should anything said much any even off please doing thank give thought help talk god still wait find nothing again things let's doesn't call told great better ever night away believe feel everything you've fine last keep does put around stop they're i'd guy isn't always listen wanted guys huh those big lot happened thanks won't trying kind wrong talking guess care bad mom remember getting we'll together dad leave understand wouldn't actually hear baby nice father else stay done wasn't course might mind every enough try hell came someone you'll whole yourself idea ask must coming looking woman room knew tonight real son hope went hmm happy pretty saw girl sir friend already saying next job problem minute thinking haven't heard honey matter myself couldn't exactly having probably happen we've hurt boy dead gotta alone excuse start kill hard you'd today car ready without wants hold wanna yet seen deal once gone morning supposed friends head stuff worry live truth face forget true cause soon knows telling wife who's chance run move anyone person bye somebody heart miss making meet anyway phone reason damn lost looks bring case turn wish tomorrow kids trust check change anymore least aren't working makes taking means brother hate ago says beautiful gave fact crazy sit afraid important rest fun kid word watch glad everyone sister minutes everybody bit couple whoa either mrs feeling daughter wow gets asked break promise door close hand easy question tried far walk needs mine killed hospital anybody alright wedding shut able die perfect stand comes hit waiting dinner funny husband almost pay answer cool eyes news child shouldn't yours moment sleep read where's sounds sonny pick sometimes bed date plan hours lose hands serious shit behind inside ahead week wonderful fight past cut quite he'll sick it'll eat nobody goes save seems finally lives worried upset carly met brought seem sort safe weren't leaving front shot loved asking running clear figure hot felt parents drink absolutely how's daddy sweet alive sense meant happens bet blood ain't kidding lie meeting dear seeing sound fault ten buy hour speak lady jen thinks christmas outside hang possible worse mistake ooh handle spend totally giving here's marriage realize unless sex send needed scared picture talked ass hundred changed completely explain certainly sign boys relationship loves hair lying choice anywhere future weird luck she'll turned touch kiss crane questions obviously wonder pain calling somewhere throw straight cold fast words food none drive feelings they'll marry drop cannot dream protect twenty surprise sweetheart poor looked mad except gun y'know dance takes appreciate especially situation besides pull hasn't worth sheridan amazing expect swear piece busy happening movie we'd catch perhaps step fall watching kept darling dog honor moving till admit problems murder he'd evil definitely feels honest eye broke missed longer dollars tired evening starting entire trip niles suppose calm imagine fair caught blame sitting favor apartment terrible clean learn frasier relax accident wake prove smart message missing forgot interested table nbsp mouth pregnant ring careful shall dude ride figured wear shoot stick follow angry write stopped ran standing forgive jail wearing ladies kinda lunch cristian greenlee gotten hoping phoebe thousand ridge paper tough tape count boyfriend proud agree birthday they've share offer hurry feet wondering decision ones finish voice herself would've mess deserve evidence cute dress interesting hotel enjoy quiet concerned staying beat sweetie mention clothes fell neither mmm fix respect prison attention holding calls surprised bar keeping gift hadn't putting dark owe ice helping normal aunt lawyer apart plans jax girlfriend floor whether everything's box judge upstairs sake mommy possibly worst acting accept blow strange saved conversation plane mama yesterday lied quick lately stuck difference store she'd bought doubt listening walking cops deep dangerous buffy sleeping chloe rafe join card crime gentlemen willing window walked guilty likes fighting difficult soul joke favorite uncle promised bother seriously cell knowing broken advice somehow paid losing push helped killing boss liked innocent rules learned thirty risk letting speaking ridiculous afternoon apologize nervous charge patient boat how'd hide detective planning huge breakfast horrible awful pleasure driving hanging picked sell quit apparently dying notice congratulations visit could've c'mon letter decide forward fool showed smell seemed spell memory pictures slow seconds hungry hearing kitchen ma'am should've realized kick grab discuss fifty reading idiot suddenly agent destroy bucks shoes peace arms demon livvie consider papers incredible witch drunk attorney tells knock ways gives nose skye turns keeps jealous drug sooner cares plenty extra outta weekend matters gosh opportunity impossible waste pretend jump eating proof slept arrest breathe perfectly warm pulled twice easier goin dating suit romantic drugs comfortable finds checked divorce begin ourselves closer ruin smile laugh treat fear what'd otherwise excited mail hiding stole pacey noticed fired excellent bringing bottom note sudden bathroom honestly sing foot remind charges witness finding tree dare hardly that'll steal silly contact teach shop plus colonel fresh trial invited roll reach dirty choose emergency dropped butt credit obvious locked loving nuts agreed prue goodbye condition guard fuckin grow cake mood crap crying belong partner trick pressure dressed taste neck nurse raise lots carry whoever drinking they'd breaking file lock wine spot paying assume asleep turning viki bedroom shower nikolas camera fill reasons forty bigger nope breath doctors pants freak movies folks cream wild truly desk convince client threw hurts spending answers shirt chair rough doin sees ought empty wind aware dealing pack tight hurting guest arrested salem confused surgery expecting deacon unfortunately goddamn bottle beyond whenever pool opinion starts jerk secrets falling necessary barely dancing tests copy cousin ahem twelve tess skin fifteen speech orders complicated nowhere escape biggest restaurant grateful usual burn address someplace screw everywhere regret goodness mistakes details responsibility suspect corner hero dumb terrific whoo hole memories o'clock teeth ruined bite stenbeck liar showing cards desperate search pathetic spoke scare marah afford settle stayed checking hired heads concern blew alcazar champagne connection tickets happiness saving kissing hated personally suggest prepared onto downstairs ticket it'd loose holy duty convinced throwing kissed legs loud saturday babies where'd warning miracle carrying blind ugly shopping hates sight bride coat clearly celebrate brilliant wanting forrester lips custody screwed buying toast thoughts reality lexie attitude advantage grandfather sami grandma someday roof marrying powerful grown grandmother fake must've ideas exciting familiar bomb bout harmony schedule capable practically correct clue forgotten appointment deserves threat bloody lonely shame jacket hook scary investigation invite shooting lesson criminal victim funeral considering burning strength harder sisters pushed shock pushing heat chocolate miserable corinthos nightmare brings zander crash chances sending recognize healthy boring feed engaged headed treated knife drag badly hire paint pardon behavior closet warn gorgeous milk survive ends dump rent remembered thanksgiving rain revenge prefer spare pray disappeared aside statement sometime meat fantastic breathing laughing stood affair ours depends protecting jury brave fingers murdered explanation picking blah stronger handsome unbelievable anytime shake oakdale wherever pulling facts waited lousy circumstances disappointed weak trusted license nothin trash understanding slip sounded awake friendship stomach weapon threatened mystery vegas understood basically switch frankly cheap lifetime deny clock garbage why'd tear ears indeed changing singing tiny decent avoid messed filled touched disappear exact pills kicked harm fortune pretending insurance fancy drove cared belongs nights lorelai lift timing guarantee chest woke burned watched heading selfish drinks doll committed elevator freeze noise wasting ceremony uncomfortable staring files bike stress permission thrown possibility borrow fabulous doors screaming bone xander what're meal apology anger honeymoon bail parking fixed wash stolen sensitive stealing photo chose lets comfort worrying pocket mateo bleeding shoulder ignore talent tied garage dies demons dumped witches rude crack bothering radar soft meantime gimme kinds fate concentrate throat prom messages intend ashamed somethin manage guilt interrupt guts tongue shoe basement sentence purse glasses cabin universe repeat mirror wound travers tall engagement therapy emotional jeez decisions soup thrilled stake chef moves extremely moments expensive counting shots kidnapped cleaning shift plate impressed smells trapped aidan knocked charming attractive argue puts whip embarrassed package hitting bust stairs alarm pure nail nerve incredibly walks dirt stamp terribly friendly damned jobs suffering disgusting stopping deliver riding helps disaster bars crossed trap talks eggs chick threatening spoken introduce confession embarrassing bags impression gate reputation presents chat suffer argument talkin crowd homework coincidence cancel pride solve hopefully pounds pine mate illegal generous outfit maid bath punch freaked begging recall enjoying prepare wheel defend signs painful yourselves maris that'd suspicious cooking button warned sixty pity yelling awhile confidence offering pleased panic hers gettin refuse grandpa testify choices cruel mental gentleman coma cutting proteus guests expert benefit faces jumped toilet sneak halloween privacy smoking reminds twins swing solid options commitment crush ambulance wallet gang eleven option laundry assure stays skip fail discussion clinic betrayed sticking bored mansion soda sheriff suite handled busted load happier studying romance procedure commit assignment suicide minds swim yell llanview chasing proper believes humor hopes lawyers giant latest escaped parent tricks insist dropping cheer medication flesh routine sandwich handed false beating warrant awfully odds treating thin suggesting fever sweat silent clever sweater mall sharing assuming judgment goodnight divorced surely steps confess math listened comin answered vulnerable bless dreaming chip zero pissed nate kills tears knees chill brains unusual packed dreamed cure lookin grave cheating breaks locker gifts awkward thursday joking reasonable dozen curse quartermaine millions dessert rolling detail alien delicious closing vampires wore tail secure salad murderer spit offense dust conscience bread answering lame invitation grief smiling pregnancy prisoner delivery guards virus shrink freezing wreck massimo wire technically blown anxious cave holidays cleared wishes caring candles bound charm pulse jumping jokes boom occasion silence nonsense frightened slipped dimera blowing relationships kidnapping spin tool roxy packing blaming wrap obsessed fruit torture personality there'll fairy necessarily seventy print motel underwear grams exhausted believing freaking carefully trace touching messing recovery intention consequences belt sacrifice courage enjoyed attracted remove testimony intense heal defending unfair relieved loyal slowly buzz alcohol surprises psychiatrist plain attic who'd uniform terrified cleaned zach threaten fella enemies satisfied imagination hooked headache forgetting counselor andie acted badge naturally frozen sakes appropriate trunk dunno costume sixteen impressive kicking junk grabbed understands describe clients owns affect witnesses starving instincts happily discussing deserved strangers surveillance admire questioning dragged barn deeply wrapped wasted tense hoped fellas roommate mortal fascinating stops arrangements agenda literally propose honesty underneath sauce promises lecture eighty torn shocked backup differently ninety deck biological pheebs ease creep waitress telephone ripped raising scratch rings prints thee arguing ephram asks oops diner annoying taggert sergeant blast towel clown habit creature bermuda snap react paranoid handling eaten therapist comment sink reporter nurses beats priority interrupting warehouse loyalty inspector pleasant excuses threats guessing tend praying motive unconscious mysterious unhappy tone switched rappaport sookie neighbor loaded swore piss balance toss misery thief squeeze lobby goa'uld geez exercise forth booked sandburg poker eighteen d'you bury everyday digging creepy wondered liver hmmm magical fits discussed moral helpful searching flew depressed aisle cris amen vows neighbors darn cents arrange annulment useless adventure resist fourteen celebrating inch debt violent sand teal'c celebration reminded phones paperwork emotions stubborn pound tension stroke steady overnight chips beef suits boxes cassadine collect tragedy spoil realm wipe surgeon stretch stepped nephew neat limo confident perspective climb punishment finest springfield hint furniture blanket twist proceed fries worries niece gloves soap signature disappoint crawl convicted flip counsel doubts crimes accusing shaking remembering hallway halfway bothered madam gather cameras blackmail symptoms rope ordinary imagined cigarette supportive explosion trauma ouch furious cheat avoiding whew thick oooh boarding approve urgent shhh misunderstanding drawer phony interfere catching bargain tragic respond punish penthouse thou rach ohhh insult bugs beside begged absolute strictly socks senses sneaking reward polite checks tale physically instructions fooled blows tabby bitter adorable y'all tested suggestion jewelry alike jacks distracted s

Extracted

Family

remcos

Botnet

Sys32

65.108.9.124:4783

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Logs
keylog_path
%AppData%
mouse_option
false
mutex
Sys32-PI9IVT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\page	family_babadeda
behavioral2/memory/4684-217-0x0000000008380000-0x000000000BB80000-memory.dmp	family_babadeda

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

pentest_sample_15.tmppentest_sample_15.tmpMp3tag.exe

pid process

4556 pentest_sample_15.tmp
3836 pentest_sample_15.tmp
4684 Mp3tag.exe

pid	process
4556	pentest_sample_15.tmp
3836	pentest_sample_15.tmp
4684	Mp3tag.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pentest_sample_15.tmppentest_sample_15.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	pentest_sample_15.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	pentest_sample_15.tmp

Loads dropped DLL 5 IoCs

Processes:

Mp3tag.exe

pid process

4684 Mp3tag.exe
4684 Mp3tag.exe
4684 Mp3tag.exe
4684 Mp3tag.exe
4684 Mp3tag.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe

pid	process
4684	Mp3tag.exe
4684	Mp3tag.exe
4684	Mp3tag.exe
4684	Mp3tag.exe
4684	Mp3tag.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220911154011.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f940b2b8-9ea9-4597-8313-473349a115e5.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

pentest_sample_15.tmpmsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3836	pentest_sample_15.tmp
3836	pentest_sample_15.tmp
4536	msedge.exe
4536	msedge.exe
3172	msedge.exe
3172	msedge.exe
5076	identity_helper.exe
5076	identity_helper.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

3172 msedge.exe
3172 msedge.exe
3172 msedge.exe
3172 msedge.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pentest_sample_15.tmpMp3tag.exemsedge.exe

pid process

3836 pentest_sample_15.tmp
4684 Mp3tag.exe
3172 msedge.exe
3172 msedge.exe
3172 msedge.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Mp3tag.exe

pid process

4684 Mp3tag.exe
4684 Mp3tag.exe
4684 Mp3tag.exe

pid	process
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe
3172	msedge.exe

pid	process
4684	Mp3tag.exe
4684	Mp3tag.exe
4684	Mp3tag.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

pentest_sample_15.exepentest_sample_15.tmppentest_sample_15.exepentest_sample_15.tmpMp3tag.exemsedge.exe

description	pid	process	target process
PID 688 wrote to memory of 4556	688	pentest_sample_15.exe	pentest_sample_15.tmp
PID 688 wrote to memory of 4556	688	pentest_sample_15.exe	pentest_sample_15.tmp
PID 688 wrote to memory of 4556	688	pentest_sample_15.exe	pentest_sample_15.tmp
PID 4556 wrote to memory of 3616	4556	pentest_sample_15.tmp	pentest_sample_15.exe
PID 4556 wrote to memory of 3616	4556	pentest_sample_15.tmp	pentest_sample_15.exe
PID 4556 wrote to memory of 3616	4556	pentest_sample_15.tmp	pentest_sample_15.exe
PID 3616 wrote to memory of 3836	3616	pentest_sample_15.exe	pentest_sample_15.tmp
PID 3616 wrote to memory of 3836	3616	pentest_sample_15.exe	pentest_sample_15.tmp
PID 3616 wrote to memory of 3836	3616	pentest_sample_15.exe	pentest_sample_15.tmp
PID 3836 wrote to memory of 4684	3836	pentest_sample_15.tmp	Mp3tag.exe
PID 3836 wrote to memory of 4684	3836	pentest_sample_15.tmp	Mp3tag.exe
PID 3836 wrote to memory of 4684	3836	pentest_sample_15.tmp	Mp3tag.exe
PID 4684 wrote to memory of 3172	4684	Mp3tag.exe	msedge.exe
PID 4684 wrote to memory of 3172	4684	Mp3tag.exe	msedge.exe
PID 3172 wrote to memory of 5100	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 5100	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4508	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4536	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4536	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4060	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4060	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4060	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4060	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4060	3172	msedge.exe	msedge.exe
PID 3172 wrote to memory of 4060	3172	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_15.exe
"C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_15.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Local\Temp\is-DKGTQ.tmp\pentest_sample_15.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DKGTQ.tmp\pentest_sample_15.tmp" /SL5="$C0052,134703868,908288,C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_15.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_15.exe
"C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_15.exe" /VERYSILENT
3⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Local\Temp\is-TSJJI.tmp\pentest_sample_15.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TSJJI.tmp\pentest_sample_15.tmp" /SL5="$D0052,134703868,908288,C:\Users\Admin\AppData\Local\Temp\output\pentest_sample_15.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3836

C:\Users\Admin\AppData\Roaming\Strong Recovery Master\Mp3tag.exe
"C:\Users\Admin\AppData\Roaming\Strong Recovery Master\Mp3tag.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mp3tag.de/en/download.html
6⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff970dd46f8,0x7ff970dd4708,0x7ff970dd4718
7⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
7⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
7⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
7⤵
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
7⤵
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5064 /prefetch:8
7⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5420 /prefetch:8
7⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
7⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
7⤵
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
7⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
7⤵
- Drops file in Program Files directory
PID:1416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7fbdc5460,0x7ff7fbdc5470,0x7ff7fbdc5480
8⤵
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
7⤵
PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3616 /prefetch:8
7⤵
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
7⤵
PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5528 /prefetch:8
7⤵
PID:5496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5300 /prefetch:2
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,4186890045776196593,8104153822547521002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
7⤵
PID:5752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
ca488e4d1684d2f25144655da4c7309f

SHA1
ef83bf03c6d3e8cb9c5a4d8e1c350e83d0defb05

SHA256
a582a8bb053fbe0171dd962526f8a7324a18b7738630040a8e1bfdc5fe1879b4

SHA512
0743702d8a6a871a8f5433dbb59cb9c47ac1fd673181d9c4e257509c22eb53a991bb384a97818a797671d27dbd96bc828c6b90d392823661cd0329ba2b0bd952

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DKGTQ.tmp\pentest_sample_15.tmp
Filesize
3.1MB

MD5
7388fff746d0ccae6e5610e87ff63b7d

SHA1
3ac665008fed3810141cf530627afa365df6dbf9

SHA256
85431ef6910699233ecd80d08c13f5507990b9d5d668f589768416c4a25b8494

SHA512
9a5002a93c0b53854af4c55c26ec65709f4080e6940b22729a399f844a2513a55e37cca1df960992996da8976ab8a918baa7b970afbc04e25b0f511bec7b4d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TSJJI.tmp\pentest_sample_15.tmp
Filesize
3.1MB

MD5
7388fff746d0ccae6e5610e87ff63b7d

SHA1
3ac665008fed3810141cf530627afa365df6dbf9

SHA256
85431ef6910699233ecd80d08c13f5507990b9d5d668f589768416c4a25b8494

SHA512
9a5002a93c0b53854af4c55c26ec65709f4080e6940b22729a399f844a2513a55e37cca1df960992996da8976ab8a918baa7b970afbc04e25b0f511bec7b4d00

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\Help-English.chm
Filesize
587KB

MD5
2eb4f53ae6bd1b85c8a34020d37fbe22

SHA1
da2e015b284c777585055df22c2c83bda0a62f2d

SHA256
ff09f8496fbec5c9453f50cdeb06819d608b6194e657d029b2bc8744c53da7e0

SHA512
163899c6821e835c22f0043fcd39293b45c4c621b83389b603f3dfc86f3f53e8a69abdb5c9caf77de55e5e29c0ad6e26f52c4fc10751c41eccec23b20062b24c

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\Help-French.chm
Filesize
610KB

MD5
83352aae89bf34e7e06308e6be436a74

SHA1
4c3af7c0bb241a13c6debe6a536e51a9168a070a

SHA256
76de175d74cc0c76b22fed9cf92c27454f13291487d1c4862b22b44ec11f8394

SHA512
5f5aef9092db37fff8cd34243a89073aec3358ce3d6567f47bd943cd78d547e9f0d4ef20c24710f29e4af676683a5cd70421ab456eab85305924dd1cb9d8d67c

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\Help-German.chm
Filesize
630KB

MD5
37ea5ae1b45287977e65dbe1faaef1c9

SHA1
e5a459700198c3de5c658f67eedf749379c7cd97

SHA256
4fa129633bd035751f0fa7c376ad51731e78207408e5abe334e1542d5af2bb8f

SHA512
66a17761cfae732280f5a61d98514100f92e23699ab0116da6756890a53e971177b1ec11213e7080881c935ffe352ec4e0676a7152f63bbdcc35b74ae70a91b8

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\Help-Polish.chm
Filesize
629KB

MD5
d581f7b2554311d06abe30af742cdd23

SHA1
5a6daaf86bb5648fb5c0fcc7b0cd7ecff8a5bc98

SHA256
ab629a0a4e8b9d6ce427edda082dc2ce4710248f2ce95f96ec8f2a9b772f1f6e

SHA512
f62d096ae32a60ef5bc2d411be91caac0dc087a4cd433085f56bfdb89ade88742c112cdc1b2818ba5c5085a27e14c4f609fa8823ebe83e85e725c9da06973550

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\Help-Spanish.chm
Filesize
606KB

MD5
2e6bdff2f4fad5371a7186eb61b4620c

SHA1
6d9fda4bfe4732815cad0e7aa5366774a091e6e6

SHA256
cd6d7caeccf6297b7167dc5a7359056d442dc60bd6e0cc8365893a29d26111d8

SHA512
fca3230b529c6e9441dd4e4ff6ebdf6002cb093a69bfa3cc4e097273af6aa612715ff9f2f638a424599a12ce146d548cc4de9430c098a481e630fd1c5e98006f

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\History.txt
Filesize
28KB

MD5
a227ca2864720ddbb1ed98fa86c19144

SHA1
c203185d03f247fb6dd1bd1b7d930bddd0c8ffda

SHA256
120fe3d9c3ed32f75611e25955e5a1adfb22f3e73a846b8d535d4ea18659f2bb

SHA512
3ea6bc16e55250f6e505dc1ebcfe571c1af6f5a47475e7275fee1a53671482204bd7a3dc7356fc3689a074c9b759ec79bd4694f29f9fdd51b51371b11b5a5d62

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\MSVCP140.dll
Filesize
428KB

MD5
fdd04dbbcf321eee5f4dd67266f476b0

SHA1
65ffdfe2664a29a41fcf5039229ccecad5b825b9

SHA256
21570bcb7a77e856f3113235d2b05b2b328d4bb71b4fd9ca4d46d99adac80794

SHA512
04cfc3097fbce6ee1b7bac7bd63c3cffe7dca16f0ec9cd8fe657d8b7ebd06dcba272ff472f98c6385c3cfb9b1ac3f47be8ca6d3ea80ab4aeed44a0e2ce3185dd

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\Mp3tag.exe
Filesize
8.6MB

MD5
92c1655770e49b1dc19359ea1f02e780

SHA1
16b459328f086dd988bfb2b45288d32652400301

SHA256
bf9a506f8c9409fe9609c9590477fdb5cbd185c7b76344260a2494ec064feb28

SHA512
b5e7d6eb435411449402840161d47ec17a6d7f24853e3536d0619dfec5b5fead9de9336560a434735c343e2d96f22d97b9be6c5a52e708c97ced6999808946f6

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\VCRUNTIME140.dll
Filesize
77KB

MD5
ba65db6bfef78a96aee7e29f1449bf8a

SHA1
06c7beb9fd1f33051b0e77087350903c652f4b77

SHA256
141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

SHA512
ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\intro.dat
Filesize
452KB

MD5
375add568d17aee03919c72bf76274a1

SHA1
68b830009f336cf68c0837630ad4acd39ee4fe02

SHA256
9e23405023848dacfd7eefa20d3eab91dda8054607c23ff0fed93ee7bd7c06c1

SHA512
3b264e40a190c442b81636b38604c03a3878f6f6a0d3d23c698958267fca57a9609db99a7c0387a8047b98e03291a192c1aedf5b2d84a1afd0254281d254e07b

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Chinese-H.ico
Filesize
1KB

MD5
1fc48b93562b46e428a2db1d4ea4a099

SHA1
772bc0d8527c5a0450fc0ff8ce525fca240564a5

SHA256
0b29a27f3d2ab4379cd99e9e7a93f6e40a0fe12cb73d1e6f3d296ec2c7e38a58

SHA512
55634f207c835a4dfd90ea1501a9ea5a0c406940def5f3b690d8b67085da8e61e890b29be679da61e8ce58a6f176b9f8927c02b81dea25a9de5561e1ea054a58

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Chinese.ico
Filesize
1KB

MD5
2ca29c521af17539d17968900ed650a1

SHA1
b508852a5febaa2ebd942229cc9104df4059430f

SHA256
1b8a834029f10ec10d796c8344b990df082a3b3c67e8f480d8ce48c07177d549

SHA512
90ba3bd6431912fa44458675eff9be42d99665b505d5dc4012591f4b018033ff95c6b7adceffe639040aa32ed2ef8c978c249fae9ede5a2db26e9b522d61d11d

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Chinese.lng
Filesize
33KB

MD5
6ffca121b98fe96e137fb02a96165844

SHA1
54c4a3a5f64793404e6432ee73cd813ff80d7987

SHA256
8fe61fa9fce770d0e38fa2c74bd81b926767bc31e70d3ae4445f283f9791e232

SHA512
cfb8f5a4d951bb2ed638cf95d3bdb5fce42e35f4ca2c2ec55a84fba06bb98e47b803099a19a009fbec09891ead41179f9781d3c6713a34374ffae63a2b0aff67

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\English-H.ico
Filesize
1KB

MD5
e5e33562181f5549042249668092b0db

SHA1
7103748dd38ec44a3dea582a9aea2123870a6937

SHA256
1dff252a4f45c471b8fc81d5d1c94ac1ca918a2ec0725b875f088cb75b53a938

SHA512
9cdf1a067383086d7ea79fe145e84ae6be8b1e476dcc357416941c8839c46eafd496f865aa8c553df6ad61ea1afe00004cc3df22a395cbbd53f4b45423468b6b

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\English.ico
Filesize
1KB

MD5
1a25e199fb242d852a2bd217fd038bc1

SHA1
9276090831fb29e65b781624ccef3c2390014c5e

SHA256
668c3afced3f33fa016a3b1ff65715acb80823172493ded605633e937000b235

SHA512
347d5b00be749330f173b8566f6a80d905342c099d6e41afc856ea5f5837342e40a3a0e376bb50f62fe7f841a53aa04e93161d6053159324c51e7ff89decedbc

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\English.lng
Filesize
51KB

MD5
e89dffc6ef81076aa3d6c5f44b7a9ee6

SHA1
f93acb2fd61275a661072e991dd8d2d70da32f07

SHA256
793b6104102eafe70dc608eed2a9b5aa71faa19f068c8dd0339457f3ed3da31c

SHA512
0f99bfb3902dc2a4c94bd61e4e8249e2ab0bc1a1015a556f0aca3038858385c839e26a3c03b19c88bf9b8ed7d30f8ccb9f6f1bab851f935689ccdb4b8907b94d

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\French-H.ico
Filesize
1KB

MD5
76872d444ab4c1719b42cf5417f1105f

SHA1
a6a1a7e596dd4068e9960d30525e4589b79bd4f8

SHA256
82ea4ec8fbfe3cbd3cae19132d23455ee2bea3ab65f2eba353359f0a45183257

SHA512
4415de96db7510a01369d8357522e41676d0be3249f3f35c03553d100714ea2bb4181ce9c8c5fa0d87700060574cbed56c9e8867023716beb8aa23ba67b6ff5e

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\French.ico
Filesize
1KB

MD5
31593b847d0959e8cf06ce0d6e55a95f

SHA1
e9a160d5c941b64d4f27f563410e5974d8f4adeb

SHA256
86486cb827bc98405ccc888170a08eb0772a82a88c3408060c5d271358f27a00

SHA512
9c75add56ca25c473b00f4c4c87c2e12ddc3ab1c95eaf969ae3dedb81c3c5804a9a445d7507f7698833cf3b22f734b50091d1b47b7d8d3062d27d58924dc20ea

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\French.lng
Filesize
57KB

MD5
1eb77a05522e233582f3b5c0f8e7adc2

SHA1
6d9ca22c95112162f1d68917d14e22c49fd05ab5

SHA256
700a3566f97fa9881b340a7adf9883868bdc2e6ac6068c1ce9018860a533b01e

SHA512
77cd27845b29c729dafeaa821a3b8699c3a571af0fa0b8434671869e625f92c722d7f19bea967e7670a25f8e9ed498b08fb3e66cf4fc4016b71feaa9165bd14d

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\German-H.ico
Filesize
1KB

MD5
9c782f29599fa09859e1941a6539ede3

SHA1
62ac8a8edaf2be1ae5e552e662566f1ac7d5a4f7

SHA256
71d4e770225df363d73cb78cfdb7b4c12170e4c1ce88a51668d944e162cac55d

SHA512
d5f878471c1f1d48670051e8ec3ab0fa713b3bfea193e37ae4ac1179a78813d3710b0d1d208b994ded33dda21f88f99b803e445c800039457ae6dd2bef0e8250

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\German.ico
Filesize
1KB

MD5
aa8483bc62f65bc8f9d7a55f58d2b0bb

SHA1
31d4ed6f4922d18aa21bce30065fe218d5c66708

SHA256
6277806c8d03094a4f62ce8c7a2d93ba5d207eb8180300f8ab2b9375eb56bbe2

SHA512
bbc67477c76744ed761b2f6765559bc3cb63408ae93924dac085365ffa7a1d4eaa1efbab991be5629573a47e9a42c52e7b301271af4531ce7a89788efd481a6b

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\German.lng
Filesize
53KB

MD5
8d3658d1bbf7bd1bccb2d0dc3a866625

SHA1
b8119d0d0ebfdf334ee53dd25a5fd86a23207eb7

SHA256
14e9f290930517e935f25257244c8152ab1cff1a0298b211d2e9acffd823f48f

SHA512
43d2b29861d9a3db4243080b272e36b36f015662c07d6e1662e0c56d6e6f0ee38eb53196937171fc759e1848db69f047dc9015dabc3db34be4601eb12c8eaea5

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Polish-H.ico
Filesize
1KB

MD5
d4a2b48b3aa4bc93096ac3b5767e08d2

SHA1
46af87c4f45f4bc6766a89b535b3992248d56505

SHA256
d606afab07684101fbc4e6bfe5cf35e5c5ef55e24dc13e6bb44afd0fa39ca3ee

SHA512
e0172ed88675c51ddc2ac38f68eef02e55dc028aa6e9e33f606bd73293748e11b194a53f2ce2853681ae627a1f3a1b0b57fafc6f2343ab7bb1e412a681b749d1

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Polish.ico
Filesize
1KB

MD5
ad8bbac74c6010604a7bbd9e4df43688

SHA1
eb18b66c38b2a5ad5fe98177b677b4ed36c898aa

SHA256
5a98fc48378b8772579632706747d35d3f16c542fa5f0493b44100a0104eb559

SHA512
6df720edc81ce9af7e26028073219fcf3d8a503285bac95e9bbf2f6e7dd51e05624d72d9cd7bf670bc9c081ebf25dcde728ff7d21386d5a1d8330b1988527c56

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Polish.lng
Filesize
57KB

MD5
510bf502e1c75b32b93149b5fe4cad32

SHA1
87817f340c57a54c6afbbca340ebee1255b7d184

SHA256
9a4e8473fcf1a0a551ef9f03b260f751f27eb9f0384f23dc12c060daf6c1c2e0

SHA512
5985b2ac20e6a5495e9f1d8aff6cb460cac2042213a73c4477eb09c36c2141467bc7a8966330be22bea59212a32cca51307b49fd42d3a27bad8a338f08f175c3

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Russian-H.ico
Filesize
1KB

MD5
ee464ce2c72dc4a01afccf12b318ea23

SHA1
9cebc61498162ca4847519cdd0739f97399cd396

SHA256
596b46cdafb26774740466a73d4031813511db5840d2fe5c4d90284278a08d99

SHA512
0645f8d741feea1debe9b7ee484922499d44270783ba3d4d65232d7b6f2bb113cf4adb8278b78fb8dc725228fe21e912a2b8b228cb08d58015a537d4774e7a62

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Russian.ico
Filesize
1KB

MD5
ed0fa2d2cd41dbb442b010b4bd2cca9f

SHA1
783d3843a976bd91829398f9ccbfa5b98150023e

SHA256
7c24485ad1023a46521ed10a38ea762cd9c185aeed7dfd32a717d274606d8074

SHA512
4b2134844bfb56b9ba266f6687359117d5f0c0d5040213c025d906fab5ac8711a09673bdac342c59bfd1bb0fc8294c5a4f97cbc29567bd2c52b90dbabddc1d3b

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Russian.lng
Filesize
55KB

MD5
c9e1ab651d7b4224dda2f0ab26cb6ea4

SHA1
f20014009b702b0394542e1a783543c45f3848e5

SHA256
1344db026c57382d39bd9d70ca19c8061ed6bc030993957c8062593b70fd36d7

SHA512
48d290c098dcc2e5f14c72527b2a9ea9982a762c4c8e01deb4862d596df0c695d2eb1e24dc0a0a87fed7d5e31330c61a5adbe06193e4b0ac772a3cd5d68caae0

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Spanish-H.ico
Filesize
1KB

MD5
959a045dcfc52077692f0d091db9054d

SHA1
ecd119a1e382f059bb9b04e37222ac3257272994

SHA256
73fca4e5f38e65f21b2b7251231178e64ce8cb288044d064e176965a1b4dc699

SHA512
022939b3cf3bc0555b190ea61b7594fe24f87cce44ce371f081d67202fe085e19a550898a4372bf8cca0d492a9ec837ff3a9d680998d2d5b35c26a5b0f042a98

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Spanish.ico
Filesize
1KB

MD5
603afd32d12ed4bdc1bdfbb11040f271

SHA1
ac68f01be1f873330333ccacebd8079e2a72adfc

SHA256
9eb18c0dacb6e60abdf315b853fd6c9db8968ced959b7d31d1dcbc80b561bfb6

SHA512
b93869f43ae9cd0c1cac0d21b588527a3f93eeaf972ecf1f6d167f36d5f8e3d677daee6db0e1d409294e939cc8f2be2c65f4c0fbd5ca5918a09b01571a630c33

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Spanish.lng
Filesize
55KB

MD5
e823235f336b6a582f4ac01a37d02f28

SHA1
00432df7a112aaadc5f0bdf0d6d1e08cbd0a24b9

SHA256
64fa7bea1e6ff8edb8b7b1b153919ac85a727e70ed16525cbbaa3083d1285cc1

SHA512
1906fcee08ab24ce108d246f7a969694cf85096b97dd662b5dc62e8ec42a8af108c5a737c7ba81fd6a34ae5c45375dac55f8da690da0fa6098b3a0b5ebf70c51

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Turkish-H.ico
Filesize
1KB

MD5
397c2b2e3b51a18e30f2dc89033cad0e

SHA1
7fa57dd3a500786ef134a784bdc4db1f63c084b3

SHA256
a55d201a33dac742a6822d01e61290f5ebd62972357d667387f10a53d72f59e3

SHA512
f0fa91cb28bcd5c78a900c5e19ac9a43536ade1e3eed5cb5fccbfb771600d50f0296888dd04f952507a609658a4c32ce92b55b71816688bc2e5ca483a845de78

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Turkish.ico
Filesize
1KB

MD5
cdf8c6bbf47aa67eaebcef92831cfb93

SHA1
ee98003799fd442e70fc5113963bf3f57c91d3e7

SHA256
6b8927d0ebc38f068dd9cb77d2ac25eb5204978af5b5d704d8efc0347ff68c8b

SHA512
d40b10b7a43c5cff6bf5e8baf2eab588b3fd624cbc38ceab27442d2a19a6f5b0246aa08ba3e40b02ee90f6e0b4a3a5e9994aa290ef7f950925bfda675a332ca5

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Turkish.lng
Filesize
50KB

MD5
0a3e015d0cca8a08681b18aab0dbd67f

SHA1
c42d98949471a156643922781d60c7fe60d47330

SHA256
a187afe5fa6b96b12d652cfdbe3e794a99611ab0a9031a1d45d6d0d1c727a898

SHA512
a4a07e6709d39fa89bccd1a7124522505b71abbab47562b339fdc17940154bc172366cf4b19c9a11253ac0b3fa496d0b06cd0438a250ccce42deed7abe1cf34d

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Ukrainian-H.ico
Filesize
1KB

MD5
bd34f886dd0e713843d66cfcd98077d7

SHA1
da7851fb81ad20ff81932de5b93f00015e9cb5d5

SHA256
23f586fa16d554822a5aa76b1cad46fa41d8e14cf82678444fbe99f5123d4cae

SHA512
c1d3f9ca95180d2e1eb8bce77f4447414bbdd938402186078c8acfdd72de419c5137bf477e80fa9c3eee43c0c27787dae19ec52cca1f371cfdd705e11971277c

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Ukrainian.ico
Filesize
1KB

MD5
131e22667b0d34d3dbf668c22baac5a2

SHA1
951630a3f4f9711cf34d30ff510f4c0d17f3c2c3

SHA256
5e3f5bbc477f138bc4729a72074fa9e028b96c0764ca8e010a6107ca16fc669c

SHA512
464ddfe3598fc675f938b2bb5c6ef2be228e0e22973b7042ebe5882520fa998dc47f5f7d477e4f66567a08ade0c71d93ed74f355b337e393ba18c6b869b6f248

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\language\Ukrainian.lng
Filesize
54KB

MD5
7c9a627eb332759b81d41f7e40053ff6

SHA1
9d1568fc57bd016864c253f04f581f1a4a28e5ea

SHA256
ee8c8b69f362587e792fe86a63f8b7502393164bbb7c4db3f3993493af3660ad

SHA512
9cb6a3834b274319474a266ac7eedca614af37026d75e1e71fed9c60edb6f2378235e79f165f41c590816bcc1b83b2f4e41d373e9735e52555e10625ea5a529f

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\libwlp-20.dll
Filesize
19KB

MD5
fa847fa54c646c39fcf8e58c6fdcb46f

SHA1
d052ac0346c77be6d87c2da668543c63d3307036

SHA256
a15614de6f933f1941dbbb57641900439c02b3a90c40e409e32cae5c04426378

SHA512
3dca61429b7572d3106d095cea128b8b0bb8c685f0251b5920c8d69d828d33f90d507ba62033ab29cb8bb2d46e8574d0b52c7dba8181c2fa98ed304a8ed80cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\libwlp-20.dll
Filesize
19KB

MD5
fa847fa54c646c39fcf8e58c6fdcb46f

SHA1
d052ac0346c77be6d87c2da668543c63d3307036

SHA256
a15614de6f933f1941dbbb57641900439c02b3a90c40e409e32cae5c04426378

SHA512
3dca61429b7572d3106d095cea128b8b0bb8c685f0251b5920c8d69d828d33f90d507ba62033ab29cb8bb2d46e8574d0b52c7dba8181c2fa98ed304a8ed80cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\msvcp140.dll
Filesize
428KB

MD5
fdd04dbbcf321eee5f4dd67266f476b0

SHA1
65ffdfe2664a29a41fcf5039229ccecad5b825b9

SHA256
21570bcb7a77e856f3113235d2b05b2b328d4bb71b4fd9ca4d46d99adac80794

SHA512
04cfc3097fbce6ee1b7bac7bd63c3cffe7dca16f0ec9cd8fe657d8b7ebd06dcba272ff472f98c6385c3cfb9b1ac3f47be8ca6d3ea80ab4aeed44a0e2ce3185dd

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\page
Filesize
1.3MB

MD5
bc23ffe164676054ce5e5314abeaf11a

SHA1
eebc94229ce1b1a51d4dc96399d1ebda0b52b075

SHA256
dc36a03e536fbc03b4a89caa83435ec57fd021386341b53e23b56b359d988ab0

SHA512
78262e6a18988981e8a4f82fbf84e00d9058480912947851c5491a822f8f3c27a3345acf37bc2aeff514251024a1304fba087cf63f699b99af0299e9b0b26cdf

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\srkey.ico
Filesize
23KB

MD5
82dc896b02d0657d99267ff4b75c816a

SHA1
dd2dc205f09e2edeebb49d3ba0943e3f4cfdcdad

SHA256
d53b3e723e6243543df5ae36eec85cf9470e32572409ec9cd1f2edd0b05479b5

SHA512
42dac91fe6e2767a70956aec8fb9734f8c3b8dc1db36a4cb8f6ef17e000482254083e01e9b1d7816a865291e0376f8a0a7fc126143b3a16f412604527404a2c3

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\tak_deco_lib.dll
Filesize
127KB

MD5
f0bf722006ebf17f9a194e892ba2bf37

SHA1
a483e46857f29e98535a992438006c962e0404e5

SHA256
a737f6f613c161938ef4c795fb0cf1a0a7bf7e1539cefebc030fc36ac37bf0af

SHA512
47e4113ef649539db6b7ba52106477ac415fafcc0fad5b9a92575d18d110d1fd21e906cecf2546ddc20ef554e09f3da418a5066b70b31dc1360e555eb2cbd0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\tak_deco_lib.dll
Filesize
127KB

MD5
f0bf722006ebf17f9a194e892ba2bf37

SHA1
a483e46857f29e98535a992438006c962e0404e5

SHA256
a737f6f613c161938ef4c795fb0cf1a0a7bf7e1539cefebc030fc36ac37bf0af

SHA512
47e4113ef649539db6b7ba52106477ac415fafcc0fad5b9a92575d18d110d1fd21e906cecf2546ddc20ef554e09f3da418a5066b70b31dc1360e555eb2cbd0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\tak_deco_lib.dll
Filesize
127KB

MD5
f0bf722006ebf17f9a194e892ba2bf37

SHA1
a483e46857f29e98535a992438006c962e0404e5

SHA256
a737f6f613c161938ef4c795fb0cf1a0a7bf7e1539cefebc030fc36ac37bf0af

SHA512
47e4113ef649539db6b7ba52106477ac415fafcc0fad5b9a92575d18d110d1fd21e906cecf2546ddc20ef554e09f3da418a5066b70b31dc1360e555eb2cbd0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Strong Recovery Master\vcruntime140.dll
Filesize
77KB

MD5
ba65db6bfef78a96aee7e29f1449bf8a

SHA1
06c7beb9fd1f33051b0e77087350903c652f4b77

SHA256
141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

SHA512
ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

Download Submit
\??\pipe\LOCAL\crashpad_3172_IOXEZWZMNWPDDXJO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/644-224-0x0000000000000000-mapping.dmp

Download
memory/688-140-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/688-132-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/688-136-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1168-175-0x0000000000000000-mapping.dmp

Download
memory/1416-225-0x0000000000000000-mapping.dmp

Download
memory/1944-169-0x0000000000000000-mapping.dmp

Download
memory/2628-230-0x0000000000000000-mapping.dmp

Download
memory/3172-160-0x0000000000000000-mapping.dmp

Download
memory/3412-232-0x0000000000000000-mapping.dmp

Download
memory/3616-138-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3616-159-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3616-137-0x0000000000000000-mapping.dmp

Download
memory/3616-143-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/3836-141-0x0000000000000000-mapping.dmp

Download
memory/4060-167-0x0000000000000000-mapping.dmp

Download
memory/4296-220-0x0000000000000000-mapping.dmp

Download
memory/4508-163-0x0000000000000000-mapping.dmp

Download
memory/4536-164-0x0000000000000000-mapping.dmp

Download
memory/4556-222-0x0000000000000000-mapping.dmp

Download
memory/4556-134-0x0000000000000000-mapping.dmp

Download
memory/4644-226-0x0000000000000000-mapping.dmp

Download
memory/4684-217-0x0000000008380000-0x000000000BB80000-memory.dmp

Filesize
56.0MB

Download
memory/4684-176-0x0000000006600000-0x0000000006699000-memory.dmp

Filesize
612KB

Download
memory/4684-218-0x000000000BC80000-0x000000000BCF7000-memory.dmp

Filesize
476KB

Download
memory/4684-149-0x0000000001290000-0x00000000012B5000-memory.dmp

Filesize
148KB

Download
memory/4684-144-0x0000000000000000-mapping.dmp

Download
memory/4684-228-0x000000000BC80000-0x000000000BCF7000-memory.dmp

Filesize
476KB

Download
memory/4684-153-0x0000000001290000-0x00000000012B5000-memory.dmp

Filesize
148KB

Download
memory/5076-227-0x0000000000000000-mapping.dmp

Download
memory/5096-171-0x0000000000000000-mapping.dmp

Download
memory/5100-161-0x0000000000000000-mapping.dmp

Download
memory/5456-234-0x0000000000000000-mapping.dmp

Download
memory/5496-236-0x0000000000000000-mapping.dmp

Download
memory/5728-237-0x0000000000000000-mapping.dmp

Download
memory/5752-239-0x0000000000000000-mapping.dmp

Download