joker | 7744f54029903437e91494ec1f4d027b711655ea579c90bc31ac237b4e9a966c

Analysis

max time kernel
173s
max time network
175s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
27-10-2022 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4mekey.exe
Size

1.9MB
MD5

20646285758e54e6757c47b5fc46824f
SHA1

d9c5f9ba67341be09f24b7a77d5e559ff1558549
SHA256

7744f54029903437e91494ec1f4d027b711655ea579c90bc31ac237b4e9a966c
SHA512

f6bcf25ec7bef95a511e7dcd243f5933a94284bf0369aaaa7034e8a92628accdd7645a840ebc6aeb0f38b2eb0d93f818ba30b47526816a9df6f0018dd2616204
SSDEEP

49152:Hmn5MJeOzOVrurQngTgQNccgZCm/XrwmsvtgiyZ5JXD:HmjCQngs3cgAm/bwmQjk5JXD

Score

10^/10

joker discovery evasion infostealer trojan upx

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 7 IoCs

pid	Process
4336	4mekey_ts4.0.9.exe
516	4mekey_ts4.0.9.tmp
3828	NetFrameCheck.exe
4848	Tenorshare 4MeKey.exe
2328	Monitor.exe
640	autoInstall64.exe
68	AppleMobileDeviceProcess.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4260-125-0x0000000000400000-0x00000000007D4000-memory.dmp	upx
behavioral1/memory/4260-206-0x0000000000400000-0x00000000007D4000-memory.dmp	upx
behavioral1/memory/4260-420-0x0000000000400000-0x00000000007D4000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Control Panel\International\Geo\Nation	Tenorshare 4MeKey.exe

Loads dropped DLL 64 IoCs

pid	Process
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
2328	Monitor.exe
2328	Monitor.exe
2328	Monitor.exe
2328	Monitor.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Tenorshare 4MeKey.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8612906e-cde3-f344-b185-b154c149d997}\SET164.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8612906e-cde3-f344-b185-b154c149d997}\usbaapl64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8612906e-cde3-f344-b185-b154c149d997}\SET165.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\usbaapl64.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\usbaapl64.PNF	pnputil.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Tenorshare 4MeKey.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8612906e-cde3-f344-b185-b154c149d997}\SET154.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8612906e-cde3-f344-b185-b154c149d997}\SET165.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8612906e-cde3-f344-b185-b154c149d997}\usbaaplrc.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\usbaaplrc.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Tenorshare 4MeKey.exe
File created	C:\Windows\System32\DriverStore\Temp\{8612906e-cde3-f344-b185-b154c149d997}\SET153.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8612906e-cde3-f344-b185-b154c149d997}\SET154.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\usbaapl64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8612906e-cde3-f344-b185-b154c149d997}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8612906e-cde3-f344-b185-b154c149d997}\SET153.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8612906e-cde3-f344-b185-b154c149d997}\USBAAPL64.CAT	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8612906e-cde3-f344-b185-b154c149d997}\usbaapl64.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8612906e-cde3-f344-b185-b154c149d997}\SET164.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbaapl64.inf_amd64_c0e4d8c2aef471b7\USBAAPL64.CAT	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Tenorshare 4MeKey.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Tenorshare 4MeKey.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-HALDT.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-CBUJJ.tmp	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\api-ms-win-core-libraryloader-l1-1-0.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\api-ms-win-crt-environment-l1-1-0.dll	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-HUHSS.tmp	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\api-ms-win-core-processthreads-l1-1-0.dll	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-QGNG5.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\is-VQ98H.tmp	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\AgentSupportCLR.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\api-ms-win-core-util-l1-1-0.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\api-ms-win-crt-stdio-l1-1-0.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\WpfAnimatedGif.dll	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-B3TNQ.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-D4T56.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\iTunesRepairResources\x86\UsbDrivers86\is-6KOI5.tmp	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\EntityFramework.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\ts_sqlite3.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\usbmuxd.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\TS.UI.dll	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-F3NIH.tmp	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\cloud	Tenorshare 4MeKey.exe
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\api-ms-win-crt-convert-l1-1-0.dll	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-0PSV4.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\is-78EKT.tmp	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\ucrtbase.dll	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\ext_script\is-87V52.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-2L63B.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-GMS60.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-KUJTR.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-BGQ6P.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\iTunesRepairResources\x86\UsbDrivers86\is-G9793.tmp	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\libgcc_s_dw2-1.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\api-ms-win-crt-utility-l1-1-0.dll	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-2TMT5.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\is-BAJ44.tmp	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\api-ms-win-core-localization-l1-2-0.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\swscale-2.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\log4net.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\pthreadVC2.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\api-ms-win-core-memory-l1-1-0.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\api-ms-win-crt-locale-l1-1-0.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\api-ms-win-core-rtlsupport-l1-1-0.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\libxml2.dll	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\is-4011N.tmp	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\Microsoft.WindowsAPICodePack.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\msvcp120.dll	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-QHUG1.tmp	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\api-ms-win-core-processenvironment-l1-1-0.dll	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-6FJH4.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-KB4AV.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-MFCC2.tmp	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\msvcp140.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\iTunesRepair.dll	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\libcurl.dll	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\is-KHT9F.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-7IP4M.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\config\is-0H74P.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\ext_script\is-C0E41.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\is-G8790.tmp	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\iTunesRepairResources\x86\infinstallx86.exe	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-QHADR.tmp	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\is-99T6H.tmp	4mekey_ts4.0.9.tmp
File opened for modification	C:\Program Files (x86)\Tenorshare\4MeKey\libiconv-2.dll	4mekey_ts4.0.9.tmp
File created	C:\Program Files (x86)\Tenorshare\4MeKey\is-FPR1S.tmp	4mekey_ts4.0.9.tmp

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	pnputil.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 49 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Tenorshare 4MeKey.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Tenorshare 4MeKey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	Tenorshare 4MeKey.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Tenorshare 4MeKey.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Tenorshare 4MeKey.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	Tenorshare 4MeKey.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	Tenorshare 4MeKey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	Tenorshare 4MeKey.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	Tenorshare 4MeKey.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	pnputil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	Tenorshare 4MeKey.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	Tenorshare 4MeKey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	pnputil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	pnputil.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\Tenorshare 4MeKey.exe = "1"	Tenorshare 4MeKey.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	Tenorshare 4MeKey.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Tenorshare 4MeKey.exe = "1"	Tenorshare 4MeKey.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Tenorshare 4MeKey.exe = "11000"	Tenorshare 4MeKey.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION	Tenorshare 4MeKey.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.tenorshare.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "9"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 03bc80556daed801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000032144caa2caa3573249440e60fd278319224b5f90009819ec1c70a86874755a23a94ae96174a285894549a8971fd607a2c45b6993f0e3b27d13b0c95	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3da48044b1e9d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\tenorshare.com\Total = "9"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 03bc80556daed801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\tenorshare.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packa = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	4mekey.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	4mekey.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	4mekey.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	4mekey.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	4mekey.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4260	4mekey.exe
4260	4mekey.exe
4260	4mekey.exe
4260	4mekey.exe
516	4mekey_ts4.0.9.tmp
516	4mekey_ts4.0.9.tmp
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
68	AppleMobileDeviceProcess.exe
68	AppleMobileDeviceProcess.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3996	MicrosoftEdgeCP.exe
3996	MicrosoftEdgeCP.exe
4272	MicrosoftEdgeCP.exe
4272	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	Tenorshare 4MeKey.exe
Token: SeDebugPrivilege	1988	MicrosoftEdge.exe
Token: SeDebugPrivilege	1988	MicrosoftEdge.exe
Token: SeDebugPrivilege	1988	MicrosoftEdge.exe
Token: SeDebugPrivilege	1988	MicrosoftEdge.exe
Token: SeDebugPrivilege	4628	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4628	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4628	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4628	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4848	Tenorshare 4MeKey.exe
Token: SeAuditPrivilege	36	svchost.exe
Token: SeSecurityPrivilege	36	svchost.exe
Token: SeDebugPrivilege	1480	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1480	MicrosoftEdgeCP.exe
Token: SeLoadDriverPrivilege	4848	Tenorshare 4MeKey.exe
Token: SeLoadDriverPrivilege	4848	Tenorshare 4MeKey.exe
Token: SeLoadDriverPrivilege	4848	Tenorshare 4MeKey.exe
Token: SeLoadDriverPrivilege	4848	Tenorshare 4MeKey.exe
Token: SeLoadDriverPrivilege	4848	Tenorshare 4MeKey.exe
Token: SeLoadDriverPrivilege	4848	Tenorshare 4MeKey.exe
Token: SeLoadDriverPrivilege	4848	Tenorshare 4MeKey.exe
Token: SeLoadDriverPrivilege	4848	Tenorshare 4MeKey.exe
Token: SeDebugPrivilege	1988	MicrosoftEdge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
516	4mekey_ts4.0.9.tmp
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe
4848	Tenorshare 4MeKey.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3828	NetFrameCheck.exe
1988	MicrosoftEdge.exe
3996	MicrosoftEdgeCP.exe
3996	MicrosoftEdgeCP.exe
4344	MicrosoftEdge.exe
4272	MicrosoftEdgeCP.exe
4272	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 4336	4260	4mekey.exe	67
PID 4260 wrote to memory of 4336	4260	4mekey.exe	67
PID 4260 wrote to memory of 4336	4260	4mekey.exe	67
PID 4336 wrote to memory of 516	4336	4mekey_ts4.0.9.exe	68
PID 4336 wrote to memory of 516	4336	4mekey_ts4.0.9.exe	68
PID 4336 wrote to memory of 516	4336	4mekey_ts4.0.9.exe	68
PID 4260 wrote to memory of 3828	4260	4mekey.exe	71
PID 4260 wrote to memory of 3828	4260	4mekey.exe	71
PID 4260 wrote to memory of 3828	4260	4mekey.exe	71
PID 3828 wrote to memory of 4848	3828	NetFrameCheck.exe	72
PID 3828 wrote to memory of 4848	3828	NetFrameCheck.exe	72
PID 3828 wrote to memory of 4848	3828	NetFrameCheck.exe	72
PID 4848 wrote to memory of 2328	4848	Tenorshare 4MeKey.exe	74
PID 4848 wrote to memory of 2328	4848	Tenorshare 4MeKey.exe	74
PID 4848 wrote to memory of 2328	4848	Tenorshare 4MeKey.exe	74
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 4848 wrote to memory of 640	4848	Tenorshare 4MeKey.exe	80
PID 4848 wrote to memory of 640	4848	Tenorshare 4MeKey.exe	80
PID 640 wrote to memory of 4512	640	autoInstall64.exe	83
PID 640 wrote to memory of 4512	640	autoInstall64.exe	83
PID 4512 wrote to memory of 4472	4512	cmd.exe	86
PID 4512 wrote to memory of 4472	4512	cmd.exe	86
PID 36 wrote to memory of 3840	36	svchost.exe	91
PID 36 wrote to memory of 3840	36	svchost.exe	91
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 4848 wrote to memory of 68	4848	Tenorshare 4MeKey.exe	92
PID 4848 wrote to memory of 68	4848	Tenorshare 4MeKey.exe	92
PID 4848 wrote to memory of 68	4848	Tenorshare 4MeKey.exe	92
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 3996 wrote to memory of 4628	3996	MicrosoftEdgeCP.exe	79
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97
PID 4272 wrote to memory of 948	4272	MicrosoftEdgeCP.exe	97

C:\Users\Admin\AppData\Local\Temp\4mekey.exe
"C:\Users\Admin\AppData\Local\Temp\4mekey.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\4mekey_ts\4mekey_ts4.0.9.exe
  /VERYSILENT /SP- /NORESTART /DIR="C:\Program Files (x86)\Tenorshare\4MeKey\" /LANG=en /LOG="C:\Users\Admin\AppData\Local\Temp\4MeKey_Setup_20221027030553.log"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\is-C2S1J.tmp\4mekey_ts4.0.9.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-C2S1J.tmp\4mekey_ts4.0.9.tmp" /SL5="$70080,99570974,373248,C:\Users\Admin\AppData\Local\Temp\4mekey_ts\4mekey_ts4.0.9.exe" /VERYSILENT /SP- /NORESTART /DIR="C:\Program Files (x86)\Tenorshare\4MeKey\" /LANG=en /LOG="C:\Users\Admin\AppData\Local\Temp\4MeKey_Setup_20221027030553.log"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:516
- C:\Program Files (x86)\Tenorshare\4MeKey\NetFrameCheck.exe
  "C:\Program Files (x86)\Tenorshare\4MeKey\NetFrameCheck.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Program Files (x86)\Tenorshare\4MeKey\Tenorshare 4MeKey.exe
    "C:\Program Files (x86)\Tenorshare\4MeKey\Tenorshare 4MeKey.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Checks SCSI registry key(s)
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\Monitor.exe
      "C:\Program Files (x86)\Tenorshare\4MeKey\Monitor\Monitor.exe" 4848(#-+)UA-167618528-2(#-+)4MeKey(#-+)4.0.9.1(#-+)&cd1=4.0.9.1&cd2=0&cd3=TS&cd4=EN(#-+)1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2328
  - - C:\Program Files (x86)\Tenorshare\4MeKey\iTunesRepairResources\x64\autoInstall64.exe
      "C:\Program Files (x86)\Tenorshare\4MeKey\iTunesRepairResources\x64\autoInstall64.exe" "C:\Program Files (x86)\Tenorshare\4MeKey\iTunesRepairResources\x64\UsbDrivers64\usbaapl64.inf"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c pnputil -i -a "C:\Program Files (x86)\Tenorshare\4MeKey\iTunesRepairResources\x64\UsbDrivers64\usbaapl64.inf"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Windows\system32\pnputil.exe
        
        pnputil -i -a "C:\Program Files (x86)\Tenorshare\4MeKey\iTunesRepairResources\x64\UsbDrivers64\usbaapl64.inf"
        6⤵
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        
        PID:4472
  - - C:\Program Files (x86)\Tenorshare\4MeKey\AppleMobileDeviceProcess.exe
      "C:\Program Files (x86)\Tenorshare\4MeKey\AppleMobileDeviceProcess.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:68

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5044

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:220

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3304

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:36
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f8ab52c5-ef55-e640-bed7-d3e95b23e1a8}\usbaapl64.inf" "9" "4d0dfacff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "C:\Program Files (x86)\Tenorshare\4MeKey\iTunesRepairResources\x64\UsbDrivers64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1864

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tenorshare\4MeKey\AgentSupportCLR.dll

Filesize
582KB

MD5
3fc4dddf43a817d24aca6328a172f44c

SHA1
3e2082d60c9ac7ecba031d15d00f87d40879b6fd

SHA256
3a5dcb6f628a0db429d1d02e08170cf4d5a46af03ab5ff9839dee696e1093769

SHA512
cef8ada7cb12a4755a54953fefe349732b551c6cbde24d77a764105e88d3cab8678c43539f0d51cea0c4b262b11d324acd1a84ed329aae8926ca69425bfb0ec3

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\AppService.dll

Filesize
65KB

MD5
0bdfc232b727bcddb1cfeddd3aa24aed

SHA1
ad981939281ecd86ad4483139478b7253a9f0499

SHA256
3bffa199643f406b323070854064aba34de2af652dc31f946b10d4e0d856ef78

SHA512
f868cb65be1a4c1d746e87e26204a6988f7d199e1c8319217acb04e2226f8313dd30a0bb5c48f4d5bef78ab010317bf726a342f30fa44df778b31c54130c37fe

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\BugSplat.dll

Filesize
313KB

MD5
34bfe32eefe92957c916489fc37f5a75

SHA1
cf41602c69ee2e080dfbc27337d18fa1c6f4eec0

SHA256
e25f8dc56883d2556116d0900f29e480860b31ec53d4a477592c1ff479177f9d

SHA512
5cc3ae4a82ebcef801b4f287b20871cc4b0786fd200e8147c75899c72828365d9202443eafb5e654283108b51d44024ef0388a627cfa56c876dcd5407e99caac

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\CommonRegister.dll

Filesize
762KB

MD5
e3c9f0b8e31eb96a3b8c89463e3dbdbc

SHA1
82a15fd01f3adea2708e210005c3f706e76d1bd2

SHA256
c421f3099417eaccb8cf34c733bd25c70322c7047a0a92149b797c76c3a51e5b

SHA512
efe69efb63f8999bad1c0a12dc1b4aea27df1f7491173cc5e51ba2e658467fbb3c7b4a0f256189d335430fdffba0331571f20cd9408372c9a8828546227bc930

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\IosManager.dll

Filesize
262KB

MD5
a755ef6f20dae7574825c5ecaa1e1674

SHA1
66136f926c56e8532680ef1ff6e6c48cecf4a3f4

SHA256
a4fe75d621141dbb92404c8a559db8aca207c2c4ef6b8b263dff3f5d05cae94d

SHA512
c3cbfa8c0e0eb0619254f26b5b60b414fa0b56864394014001910053a430abe10c71ec6ecb1fc6349b308e1eaa2c6201cc09c46b720529c029dc36574d9b6310

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\MSVCP140.dll

Filesize
451KB

MD5
5db0754b2b86e2782f254e42ece26bf9

SHA1
ee9c6a1865141cdbb98b41175b25c6212836ac81

SHA256
17cab5f95dfab200374c7750196edbf3d7a7402ce21881a625432d7787b3857c

SHA512
38518f88a60d3ee002c309b736911ea25ee5bd1ff7256c30fcac0539af6e00d315a3eb20ba1972f0d43e97fc671789b0718e78d58d29db0d6aaae6a493cedbb5

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\NetFrameCheck.db

Filesize
10KB

MD5
1cded0579dac00bd788056ae09b73b64

SHA1
73dcc8d49fbf023cf04481f037bdba72a53c0221

SHA256
6ba057eeccafc058649411f28a3d1a6f2f29f9f87b0fa06b87aac0f1a723c3c4

SHA512
743ebb057e97ba0d86e3b40ad78481215f129ad47fcfddc6aea4e040c68b4a6bf3ae7528178243c06bef17b7ba2b672a25ab9fade8ebc65fd35700c52d6c9ac1

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\NetFrameCheck.exe

Filesize
4.1MB

MD5
19e9509041f5c2679aa694814959554d

SHA1
b6ea7d24924e91004ecc6c02eba24db55ccd56fb

SHA256
c4a0e25e0ffe33d83b0e73e40fbcb7fa603de9de13aa6988d0fe0b007abbb9d6

SHA512
0a8ce479ea4ff266987085c10afcd378318de47b58caf9d8d27a4a0887ca832880cd2d4b7f27537e8f3973ad9a681f75d0426ae48ca28a01419488431bebc5b9

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\NetFrameCheck.exe

Filesize
4.1MB

MD5
19e9509041f5c2679aa694814959554d

SHA1
b6ea7d24924e91004ecc6c02eba24db55ccd56fb

SHA256
c4a0e25e0ffe33d83b0e73e40fbcb7fa603de9de13aa6988d0fe0b007abbb9d6

SHA512
0a8ce479ea4ff266987085c10afcd378318de47b58caf9d8d27a4a0887ca832880cd2d4b7f27537e8f3973ad9a681f75d0426ae48ca28a01419488431bebc5b9

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\SecurityLaunchCLR.dll

Filesize
322KB

MD5
f483973abdf703157f41083d1271d33e

SHA1
7edb8785cbe9bfc99364f9d999fd86f309b1be58

SHA256
74360d7d6c6d87c7698052f323e636e18325d20132be5858dd67ee952f79f8c0

SHA512
32a89b1417928fae175038a39717ade3ab9ce93867d46a8d652c642d3c5499bd8922f83ddac90e5f15e27014cdc9c81bd69b010b0742aae23f2043b57efb79a9

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\System.Windows.Interactivity.dll

Filesize
59KB

MD5
7a5a51c365e9c9f4de6111707421ef4d

SHA1
bdb43a0e1eb17abd0232594bc1e465943a172d25

SHA256
86fe1bc59f2c08ba21490d71b1f857a14835c1a36ee463af0bbd4142251499d9

SHA512
66c0aa7578f78a8f7aafc80f85c9c1d38868b31af4f2c400dee152966f6b3ab12f5e814fbf9de43af4badfa484fe782f919078c9d11ec59cf1df62d284dc6ee1

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\TS.Common.dll

Filesize
311KB

MD5
91b45ff8fdcb21f3d86b8e9e86f1bb4f

SHA1
aee1bcef2aee705b9bbd672c83e7a57626bdb59d

SHA256
883c112b1ad60087bbde46234118f62976476a543fd78d68d3b8cf74133a41b3

SHA512
0626b6331f6834bb664a0d83cac0da5fc151ae5e0d9100bbb277a1990273fee49e0242fa1ed8286df4056a2a916d9345145e7dca4561ff9b539c296c7f145eee

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\TS.MvvmLight.dll

Filesize
1.7MB

MD5
d77a72570b76263fe345e29f33743875

SHA1
912654ff2f38632010d1e93182e48c565e5dd1ef

SHA256
7392255dc5c4a70d4ac85594b0fe241da64b8cb04e1b43b1c5b9100441befe2e

SHA512
da78c17d3132acd9f2686ad9a58297ce5268c83063c5fb553ff34f583aa0e0842f4952535c38ed8f3e4ab6bd716c48f9ddb5a3dfb9147f63261995fdf22992d2

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\TS.UI.dll

Filesize
337KB

MD5
0786824ea79705c1739d1f8cd98f6d30

SHA1
1ef971a06d55e55515fe4a43f4f017223fa51ecf

SHA256
c7120839ea57cd93b18adbc1e1091d8d6473f5af914612ed5fabbf2b96da41af

SHA512
ed3bc0d71b2a797714cc0c76c74268592166a9c30d2badeea249194378f0cee4b90a822c621dbf020fc64af00cd3790ad3f3983666a1c92b54296be1cfbfd800

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\Tenorshare 4MeKey.exe

Filesize
57.6MB

MD5
3955bcb6f477257c34092aab05fbd4ed

SHA1
54b24a69eb72a03c991a08e818b2a5d1d649fd51

SHA256
fb55d9f26d0c50db71d4a900093d5fbbefb93bd196672a61fd88e6d6f1a67085

SHA512
f782f84cfedee61bf50fea5c027639bb227c33eee09d32044e09afec3fa7cb9a6b948db6647376372fef9e1c9f80a8e7a7ff15024e6cc9ed427fc726aded167f

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\Tenorshare 4MeKey.exe

Filesize
57.6MB

MD5
3955bcb6f477257c34092aab05fbd4ed

SHA1
54b24a69eb72a03c991a08e818b2a5d1d649fd51

SHA256
fb55d9f26d0c50db71d4a900093d5fbbefb93bd196672a61fd88e6d6f1a67085

SHA512
f782f84cfedee61bf50fea5c027639bb227c33eee09d32044e09afec3fa7cb9a6b948db6647376372fef9e1c9f80a8e7a7ff15024e6cc9ed427fc726aded167f

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\ThreadCore.dll

Filesize
77KB

MD5
81f340b67399270511489be654006e07

SHA1
4c10edac6a8c54a1947bc36f67983c3e7fa3286e

SHA256
ce9e097092f3a9471cff1da8e8fac6828b613ddeede4be7f99810754191fc6b7

SHA512
c3c309f41b897fa3809499cc26e36c9373e189e1c27a69fa3746e39a4bada7f6749acd4db453242a22995bc5e1110f854fd6e226e1bb71f235882fa33c6a8004

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\VCRUNTIME140.dll

Filesize
85KB

MD5
e6974159625bc914c8f398cfe96db664

SHA1
2dd73934e0cbf11fd66c3a3c9c8fc714dc2a1ef3

SHA256
b253cd95f5310e154677138a2674cdcdbfca882853e7c871e96122c986a76dba

SHA512
535f4eaa96bcd4b988a30c986294861b16ef71c0f92238ec186b78b53c217dd01968f1e22d92c81654e2ad3a7ebf11084d7a7e3f0f1a4144826de081a67504bf

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\ios_manager.dll

Filesize
1.6MB

MD5
dddc0b4174f890ccd090a0bf9594d4ce

SHA1
e222b0d81b5e80e27b81ef338bbe7028f7391125

SHA256
8d71789d3b4fac12e88bfb6a36fae6c2ea42e2e3be932d427b66da4d6ea13efd

SHA512
afa6b99173f30395d3cac69babc8144c3fb2d44ccb844f8a4d02658657d55604961a17c9dfeacdd5416d097108eb9dc1ce71676e37efa5c974b1dc293a3d7694

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\itunes_manager.dll

Filesize
157KB

MD5
301296b981c588415991e8ade21a6edc

SHA1
ade287d2b1bbebc2281998cac2688539cd47013b

SHA256
471261a02045513776989699fba4ef411f251b7157aa0bd3f8362ba2ad5b3f4d

SHA512
09cd4ba14b923573c023abf521a2ac52dd75b4637eca377be33a22b26f7d08bb7cad528ef4277013097d7c9e83c7eea67c0aff0658557c6effcfcb66592cd5f7

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\libcurl.dll

Filesize
408KB

MD5
58e6d3a775da9c1e73811f7060fd4dc7

SHA1
ae07862970d244e6d1c540f9f7134f658418a88a

SHA256
f2b669a54e17b5e1434d61759c3da4a788c4f90bb3ad55640ea1c6b24ac604fb

SHA512
b120df4661e463381f7328d8b4dab10503a37b904ccd18f0b69e8c2f06c3083dc404485d73043d3debc93888dbb6299aed995e25e7e134181101cdbb977ff53d

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\log4net.dll

Filesize
284KB

MD5
1bb06ce3653e84eb96e43776e58e9eb0

SHA1
3e6990088fe8c0b62c2b8090287d17a91792cc41

SHA256
b98e78518bc455107977deaf4dd5742651bf162c7e970850af93ba203cc9c1e0

SHA512
180b22916e3e01c4b317281a792bdbe4a948e2986f7ae50e530c3096b4a6c565ec03f83c73ddc339b9ae9d80eaba01bbda15cc2d26baf6f0304880d1e49ae4ca

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\ts_base.dll

Filesize
239KB

MD5
36f84f0949c8699448ff36578dfa16d0

SHA1
2878037d9067231706843f67938b7c4faf3b5876

SHA256
a2cdaae438c71e6c6df98d08282867f2a5604ae93c9a7ce2bab6074a64c346ed

SHA512
9109a5629d16d1f77d28c0c6861db7bc653aea9072d640169da38ad1d282044daf082143cf8f0741552caa3a390073e6594ad0d39595b3f8d99052f2d011a993

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\ts_client.dll

Filesize
90KB

MD5
aed9e7f0472bbdcbceed3e02c61ec7d2

SHA1
28ccdfbb75a5558eaf30196a4a64553001713ee9

SHA256
cf2dfb5ecbc33cd1e433db1702d4f6694090908d79b29bb5008a293f2a98589d

SHA512
fb01508129f2365862097af7bec01650e86a1aaca5e4bda53eecf6990017eddc892af4499b2098e8ff53a0e7e920ceeeb5d44fad8db6c479633ba54cb5025426

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\ts_sqlite3.dll

Filesize
652KB

MD5
7b62949589dad27c149480414fcea712

SHA1
817fdc59a199d1cbebe600f3336188b3c6fb3cf7

SHA256
d904d82c94ae72f012424935adc0986859cdff33223ab52178adce2bdaf5c42c

SHA512
f8e9721299af42b6e54a8499cd1f4bc981e59db70e282919f0fb0f51b8642a2e2800c297865ac6392827b358ca3d406dfadf2b1a93e1acb8a8ca46941cf36a91

Download Submit
C:\Program Files (x86)\Tenorshare\4MeKey\zlib1.dll

Filesize
87KB

MD5
2bab6dda264bfa52a4f32da1e8d0ce55

SHA1
f1a6c8c521c42254de774adc66ec98aaa95e304a

SHA256
8210811889d265d9fdfc222eb8da90edf16527b9d2605aa714d9950e48d1f147

SHA512
271d8bd38874799503f023f955f30f7e3967b9f6e7951d38a0becffb010ba86fdd72ef6b25312c4428d9732ecc8b8159156232fc18d1c0d241b0b6ae12e749e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4mekey_ts\4mekey_ts4.0.9.exe

Filesize
95.5MB

MD5
a2aa846d23c5f078732d8b56c6d7874a

SHA1
509372e53d9ff38faf05dd13e7a28c9fd934f302

SHA256
ea6fed89765e4b7216a20d648f75701b1955aaeab81fa68946c9841fa10e701b

SHA512
ed7ac04c9702c96736269cf618059a382b8ed3dfcfd00a833a0c4161c96ec97d995efacfe6d9ecbe56e1dda6b420835c0f9795974729c85d4a9426a4366103af

Download Submit
C:\Users\Admin\AppData\Local\Temp\4mekey_ts\4mekey_ts4.0.9.exe

Filesize
95.5MB

MD5
a2aa846d23c5f078732d8b56c6d7874a

SHA1
509372e53d9ff38faf05dd13e7a28c9fd934f302

SHA256
ea6fed89765e4b7216a20d648f75701b1955aaeab81fa68946c9841fa10e701b

SHA512
ed7ac04c9702c96736269cf618059a382b8ed3dfcfd00a833a0c4161c96ec97d995efacfe6d9ecbe56e1dda6b420835c0f9795974729c85d4a9426a4366103af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C2S1J.tmp\4mekey_ts4.0.9.tmp

Filesize
1.4MB

MD5
0ac3ffe750c445ac2cd144d43f2adf16

SHA1
7e7f14f24374692e21a3445837323ac4cf766b24

SHA256
101c8f41571812299ccdac429164b8dbe953289bfb9c50c70b203ef08e37e117

SHA512
24e3dc206e8b9318b7d2f9e87dbcea223b2496306b99be2c29b5064f354928df8737c0ee720e7d6248e46f5dbb0fe656d08410170d6bfe412cfe85918d90f6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C2S1J.tmp\4mekey_ts4.0.9.tmp

Filesize
1.4MB

MD5
0ac3ffe750c445ac2cd144d43f2adf16

SHA1
7e7f14f24374692e21a3445837323ac4cf766b24

SHA256
101c8f41571812299ccdac429164b8dbe953289bfb9c50c70b203ef08e37e117

SHA512
24e3dc206e8b9318b7d2f9e87dbcea223b2496306b99be2c29b5064f354928df8737c0ee720e7d6248e46f5dbb0fe656d08410170d6bfe412cfe85918d90f6e5

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\AgentSupportCLR.dll

Filesize
582KB

MD5
3fc4dddf43a817d24aca6328a172f44c

SHA1
3e2082d60c9ac7ecba031d15d00f87d40879b6fd

SHA256
3a5dcb6f628a0db429d1d02e08170cf4d5a46af03ab5ff9839dee696e1093769

SHA512
cef8ada7cb12a4755a54953fefe349732b551c6cbde24d77a764105e88d3cab8678c43539f0d51cea0c4b262b11d324acd1a84ed329aae8926ca69425bfb0ec3

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\AgentSupportCLR.dll

Filesize
582KB

MD5
3fc4dddf43a817d24aca6328a172f44c

SHA1
3e2082d60c9ac7ecba031d15d00f87d40879b6fd

SHA256
3a5dcb6f628a0db429d1d02e08170cf4d5a46af03ab5ff9839dee696e1093769

SHA512
cef8ada7cb12a4755a54953fefe349732b551c6cbde24d77a764105e88d3cab8678c43539f0d51cea0c4b262b11d324acd1a84ed329aae8926ca69425bfb0ec3

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\AgentSupportCLR.dll

Filesize
582KB

MD5
3fc4dddf43a817d24aca6328a172f44c

SHA1
3e2082d60c9ac7ecba031d15d00f87d40879b6fd

SHA256
3a5dcb6f628a0db429d1d02e08170cf4d5a46af03ab5ff9839dee696e1093769

SHA512
cef8ada7cb12a4755a54953fefe349732b551c6cbde24d77a764105e88d3cab8678c43539f0d51cea0c4b262b11d324acd1a84ed329aae8926ca69425bfb0ec3

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\AppService.dll

Filesize
65KB

MD5
0bdfc232b727bcddb1cfeddd3aa24aed

SHA1
ad981939281ecd86ad4483139478b7253a9f0499

SHA256
3bffa199643f406b323070854064aba34de2af652dc31f946b10d4e0d856ef78

SHA512
f868cb65be1a4c1d746e87e26204a6988f7d199e1c8319217acb04e2226f8313dd30a0bb5c48f4d5bef78ab010317bf726a342f30fa44df778b31c54130c37fe

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\AppService.dll

Filesize
65KB

MD5
0bdfc232b727bcddb1cfeddd3aa24aed

SHA1
ad981939281ecd86ad4483139478b7253a9f0499

SHA256
3bffa199643f406b323070854064aba34de2af652dc31f946b10d4e0d856ef78

SHA512
f868cb65be1a4c1d746e87e26204a6988f7d199e1c8319217acb04e2226f8313dd30a0bb5c48f4d5bef78ab010317bf726a342f30fa44df778b31c54130c37fe

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\BugSplat.dll

Filesize
313KB

MD5
34bfe32eefe92957c916489fc37f5a75

SHA1
cf41602c69ee2e080dfbc27337d18fa1c6f4eec0

SHA256
e25f8dc56883d2556116d0900f29e480860b31ec53d4a477592c1ff479177f9d

SHA512
5cc3ae4a82ebcef801b4f287b20871cc4b0786fd200e8147c75899c72828365d9202443eafb5e654283108b51d44024ef0388a627cfa56c876dcd5407e99caac

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\BugSplat.dll

Filesize
313KB

MD5
34bfe32eefe92957c916489fc37f5a75

SHA1
cf41602c69ee2e080dfbc27337d18fa1c6f4eec0

SHA256
e25f8dc56883d2556116d0900f29e480860b31ec53d4a477592c1ff479177f9d

SHA512
5cc3ae4a82ebcef801b4f287b20871cc4b0786fd200e8147c75899c72828365d9202443eafb5e654283108b51d44024ef0388a627cfa56c876dcd5407e99caac

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\CommonRegister.dll

Filesize
762KB

MD5
e3c9f0b8e31eb96a3b8c89463e3dbdbc

SHA1
82a15fd01f3adea2708e210005c3f706e76d1bd2

SHA256
c421f3099417eaccb8cf34c733bd25c70322c7047a0a92149b797c76c3a51e5b

SHA512
efe69efb63f8999bad1c0a12dc1b4aea27df1f7491173cc5e51ba2e658467fbb3c7b4a0f256189d335430fdffba0331571f20cd9408372c9a8828546227bc930

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\CommonRegister.dll

Filesize
762KB

MD5
e3c9f0b8e31eb96a3b8c89463e3dbdbc

SHA1
82a15fd01f3adea2708e210005c3f706e76d1bd2

SHA256
c421f3099417eaccb8cf34c733bd25c70322c7047a0a92149b797c76c3a51e5b

SHA512
efe69efb63f8999bad1c0a12dc1b4aea27df1f7491173cc5e51ba2e658467fbb3c7b4a0f256189d335430fdffba0331571f20cd9408372c9a8828546227bc930

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\IosManager.dll

Filesize
262KB

MD5
a755ef6f20dae7574825c5ecaa1e1674

SHA1
66136f926c56e8532680ef1ff6e6c48cecf4a3f4

SHA256
a4fe75d621141dbb92404c8a559db8aca207c2c4ef6b8b263dff3f5d05cae94d

SHA512
c3cbfa8c0e0eb0619254f26b5b60b414fa0b56864394014001910053a430abe10c71ec6ecb1fc6349b308e1eaa2c6201cc09c46b720529c029dc36574d9b6310

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\IosManager.dll

Filesize
262KB

MD5
a755ef6f20dae7574825c5ecaa1e1674

SHA1
66136f926c56e8532680ef1ff6e6c48cecf4a3f4

SHA256
a4fe75d621141dbb92404c8a559db8aca207c2c4ef6b8b263dff3f5d05cae94d

SHA512
c3cbfa8c0e0eb0619254f26b5b60b414fa0b56864394014001910053a430abe10c71ec6ecb1fc6349b308e1eaa2c6201cc09c46b720529c029dc36574d9b6310

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\IosManager.dll

Filesize
262KB

MD5
a755ef6f20dae7574825c5ecaa1e1674

SHA1
66136f926c56e8532680ef1ff6e6c48cecf4a3f4

SHA256
a4fe75d621141dbb92404c8a559db8aca207c2c4ef6b8b263dff3f5d05cae94d

SHA512
c3cbfa8c0e0eb0619254f26b5b60b414fa0b56864394014001910053a430abe10c71ec6ecb1fc6349b308e1eaa2c6201cc09c46b720529c029dc36574d9b6310

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\SecurityLaunchCLR.dll

Filesize
322KB

MD5
f483973abdf703157f41083d1271d33e

SHA1
7edb8785cbe9bfc99364f9d999fd86f309b1be58

SHA256
74360d7d6c6d87c7698052f323e636e18325d20132be5858dd67ee952f79f8c0

SHA512
32a89b1417928fae175038a39717ade3ab9ce93867d46a8d652c642d3c5499bd8922f83ddac90e5f15e27014cdc9c81bd69b010b0742aae23f2043b57efb79a9

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\SecurityLaunchCLR.dll

Filesize
322KB

MD5
f483973abdf703157f41083d1271d33e

SHA1
7edb8785cbe9bfc99364f9d999fd86f309b1be58

SHA256
74360d7d6c6d87c7698052f323e636e18325d20132be5858dd67ee952f79f8c0

SHA512
32a89b1417928fae175038a39717ade3ab9ce93867d46a8d652c642d3c5499bd8922f83ddac90e5f15e27014cdc9c81bd69b010b0742aae23f2043b57efb79a9

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\SecurityLaunchCLR.dll

Filesize
322KB

MD5
f483973abdf703157f41083d1271d33e

SHA1
7edb8785cbe9bfc99364f9d999fd86f309b1be58

SHA256
74360d7d6c6d87c7698052f323e636e18325d20132be5858dd67ee952f79f8c0

SHA512
32a89b1417928fae175038a39717ade3ab9ce93867d46a8d652c642d3c5499bd8922f83ddac90e5f15e27014cdc9c81bd69b010b0742aae23f2043b57efb79a9

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\System.Windows.Interactivity.dll

Filesize
59KB

MD5
7a5a51c365e9c9f4de6111707421ef4d

SHA1
bdb43a0e1eb17abd0232594bc1e465943a172d25

SHA256
86fe1bc59f2c08ba21490d71b1f857a14835c1a36ee463af0bbd4142251499d9

SHA512
66c0aa7578f78a8f7aafc80f85c9c1d38868b31af4f2c400dee152966f6b3ab12f5e814fbf9de43af4badfa484fe782f919078c9d11ec59cf1df62d284dc6ee1

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\System.Windows.Interactivity.dll

Filesize
59KB

MD5
7a5a51c365e9c9f4de6111707421ef4d

SHA1
bdb43a0e1eb17abd0232594bc1e465943a172d25

SHA256
86fe1bc59f2c08ba21490d71b1f857a14835c1a36ee463af0bbd4142251499d9

SHA512
66c0aa7578f78a8f7aafc80f85c9c1d38868b31af4f2c400dee152966f6b3ab12f5e814fbf9de43af4badfa484fe782f919078c9d11ec59cf1df62d284dc6ee1

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\TS.Common.dll

Filesize
311KB

MD5
91b45ff8fdcb21f3d86b8e9e86f1bb4f

SHA1
aee1bcef2aee705b9bbd672c83e7a57626bdb59d

SHA256
883c112b1ad60087bbde46234118f62976476a543fd78d68d3b8cf74133a41b3

SHA512
0626b6331f6834bb664a0d83cac0da5fc151ae5e0d9100bbb277a1990273fee49e0242fa1ed8286df4056a2a916d9345145e7dca4561ff9b539c296c7f145eee

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\TS.MvvmLight.dll

Filesize
1.7MB

MD5
d77a72570b76263fe345e29f33743875

SHA1
912654ff2f38632010d1e93182e48c565e5dd1ef

SHA256
7392255dc5c4a70d4ac85594b0fe241da64b8cb04e1b43b1c5b9100441befe2e

SHA512
da78c17d3132acd9f2686ad9a58297ce5268c83063c5fb553ff34f583aa0e0842f4952535c38ed8f3e4ab6bd716c48f9ddb5a3dfb9147f63261995fdf22992d2

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\TS.MvvmLight.dll

Filesize
1.7MB

MD5
d77a72570b76263fe345e29f33743875

SHA1
912654ff2f38632010d1e93182e48c565e5dd1ef

SHA256
7392255dc5c4a70d4ac85594b0fe241da64b8cb04e1b43b1c5b9100441befe2e

SHA512
da78c17d3132acd9f2686ad9a58297ce5268c83063c5fb553ff34f583aa0e0842f4952535c38ed8f3e4ab6bd716c48f9ddb5a3dfb9147f63261995fdf22992d2

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\TS.UI.dll

Filesize
337KB

MD5
0786824ea79705c1739d1f8cd98f6d30

SHA1
1ef971a06d55e55515fe4a43f4f017223fa51ecf

SHA256
c7120839ea57cd93b18adbc1e1091d8d6473f5af914612ed5fabbf2b96da41af

SHA512
ed3bc0d71b2a797714cc0c76c74268592166a9c30d2badeea249194378f0cee4b90a822c621dbf020fc64af00cd3790ad3f3983666a1c92b54296be1cfbfd800

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\TS.UI.dll

Filesize
337KB

MD5
0786824ea79705c1739d1f8cd98f6d30

SHA1
1ef971a06d55e55515fe4a43f4f017223fa51ecf

SHA256
c7120839ea57cd93b18adbc1e1091d8d6473f5af914612ed5fabbf2b96da41af

SHA512
ed3bc0d71b2a797714cc0c76c74268592166a9c30d2badeea249194378f0cee4b90a822c621dbf020fc64af00cd3790ad3f3983666a1c92b54296be1cfbfd800

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\ThreadCore.dll

Filesize
77KB

MD5
81f340b67399270511489be654006e07

SHA1
4c10edac6a8c54a1947bc36f67983c3e7fa3286e

SHA256
ce9e097092f3a9471cff1da8e8fac6828b613ddeede4be7f99810754191fc6b7

SHA512
c3c309f41b897fa3809499cc26e36c9373e189e1c27a69fa3746e39a4bada7f6749acd4db453242a22995bc5e1110f854fd6e226e1bb71f235882fa33c6a8004

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\ios_manager.dll

Filesize
1.6MB

MD5
dddc0b4174f890ccd090a0bf9594d4ce

SHA1
e222b0d81b5e80e27b81ef338bbe7028f7391125

SHA256
8d71789d3b4fac12e88bfb6a36fae6c2ea42e2e3be932d427b66da4d6ea13efd

SHA512
afa6b99173f30395d3cac69babc8144c3fb2d44ccb844f8a4d02658657d55604961a17c9dfeacdd5416d097108eb9dc1ce71676e37efa5c974b1dc293a3d7694

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\itunes_manager.dll

Filesize
157KB

MD5
301296b981c588415991e8ade21a6edc

SHA1
ade287d2b1bbebc2281998cac2688539cd47013b

SHA256
471261a02045513776989699fba4ef411f251b7157aa0bd3f8362ba2ad5b3f4d

SHA512
09cd4ba14b923573c023abf521a2ac52dd75b4637eca377be33a22b26f7d08bb7cad528ef4277013097d7c9e83c7eea67c0aff0658557c6effcfcb66592cd5f7

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\libcurl.dll

Filesize
408KB

MD5
58e6d3a775da9c1e73811f7060fd4dc7

SHA1
ae07862970d244e6d1c540f9f7134f658418a88a

SHA256
f2b669a54e17b5e1434d61759c3da4a788c4f90bb3ad55640ea1c6b24ac604fb

SHA512
b120df4661e463381f7328d8b4dab10503a37b904ccd18f0b69e8c2f06c3083dc404485d73043d3debc93888dbb6299aed995e25e7e134181101cdbb977ff53d

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\log4net.dll

Filesize
284KB

MD5
1bb06ce3653e84eb96e43776e58e9eb0

SHA1
3e6990088fe8c0b62c2b8090287d17a91792cc41

SHA256
b98e78518bc455107977deaf4dd5742651bf162c7e970850af93ba203cc9c1e0

SHA512
180b22916e3e01c4b317281a792bdbe4a948e2986f7ae50e530c3096b4a6c565ec03f83c73ddc339b9ae9d80eaba01bbda15cc2d26baf6f0304880d1e49ae4ca

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\log4net.dll

Filesize
284KB

MD5
1bb06ce3653e84eb96e43776e58e9eb0

SHA1
3e6990088fe8c0b62c2b8090287d17a91792cc41

SHA256
b98e78518bc455107977deaf4dd5742651bf162c7e970850af93ba203cc9c1e0

SHA512
180b22916e3e01c4b317281a792bdbe4a948e2986f7ae50e530c3096b4a6c565ec03f83c73ddc339b9ae9d80eaba01bbda15cc2d26baf6f0304880d1e49ae4ca

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\msvcp140.dll

Filesize
451KB

MD5
5db0754b2b86e2782f254e42ece26bf9

SHA1
ee9c6a1865141cdbb98b41175b25c6212836ac81

SHA256
17cab5f95dfab200374c7750196edbf3d7a7402ce21881a625432d7787b3857c

SHA512
38518f88a60d3ee002c309b736911ea25ee5bd1ff7256c30fcac0539af6e00d315a3eb20ba1972f0d43e97fc671789b0718e78d58d29db0d6aaae6a493cedbb5

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\ts_base.dll

Filesize
239KB

MD5
36f84f0949c8699448ff36578dfa16d0

SHA1
2878037d9067231706843f67938b7c4faf3b5876

SHA256
a2cdaae438c71e6c6df98d08282867f2a5604ae93c9a7ce2bab6074a64c346ed

SHA512
9109a5629d16d1f77d28c0c6861db7bc653aea9072d640169da38ad1d282044daf082143cf8f0741552caa3a390073e6594ad0d39595b3f8d99052f2d011a993

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\ts_client.dll

Filesize
90KB

MD5
aed9e7f0472bbdcbceed3e02c61ec7d2

SHA1
28ccdfbb75a5558eaf30196a4a64553001713ee9

SHA256
cf2dfb5ecbc33cd1e433db1702d4f6694090908d79b29bb5008a293f2a98589d

SHA512
fb01508129f2365862097af7bec01650e86a1aaca5e4bda53eecf6990017eddc892af4499b2098e8ff53a0e7e920ceeeb5d44fad8db6c479633ba54cb5025426

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\ts_sqlite3.dll

Filesize
652KB

MD5
7b62949589dad27c149480414fcea712

SHA1
817fdc59a199d1cbebe600f3336188b3c6fb3cf7

SHA256
d904d82c94ae72f012424935adc0986859cdff33223ab52178adce2bdaf5c42c

SHA512
f8e9721299af42b6e54a8499cd1f4bc981e59db70e282919f0fb0f51b8642a2e2800c297865ac6392827b358ca3d406dfadf2b1a93e1acb8a8ca46941cf36a91

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\vcruntime140.dll

Filesize
85KB

MD5
e6974159625bc914c8f398cfe96db664

SHA1
2dd73934e0cbf11fd66c3a3c9c8fc714dc2a1ef3

SHA256
b253cd95f5310e154677138a2674cdcdbfca882853e7c871e96122c986a76dba

SHA512
535f4eaa96bcd4b988a30c986294861b16ef71c0f92238ec186b78b53c217dd01968f1e22d92c81654e2ad3a7ebf11084d7a7e3f0f1a4144826de081a67504bf

Download Submit
\Program Files (x86)\Tenorshare\4MeKey\zlib1.dll

Filesize
87KB

MD5
2bab6dda264bfa52a4f32da1e8d0ce55

SHA1
f1a6c8c521c42254de774adc66ec98aaa95e304a

SHA256
8210811889d265d9fdfc222eb8da90edf16527b9d2605aa714d9950e48d1f147

SHA512
271d8bd38874799503f023f955f30f7e3967b9f6e7951d38a0becffb010ba86fdd72ef6b25312c4428d9732ecc8b8159156232fc18d1c0d241b0b6ae12e749e1

Download Submit
memory/4260-165-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-130-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-116-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-117-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-118-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-206-0x0000000000400000-0x00000000007D4000-memory.dmp

Filesize
3.8MB

Download
memory/4260-179-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-178-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-177-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-176-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-119-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-175-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-420-0x0000000000400000-0x00000000007D4000-memory.dmp

Filesize
3.8MB

Download
memory/4260-120-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-121-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-174-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-173-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-172-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-122-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-171-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-123-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-170-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-169-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-168-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-124-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-167-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-166-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-115-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-164-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-133-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-125-0x0000000000400000-0x00000000007D4000-memory.dmp

Filesize
3.8MB

Download
memory/4260-137-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-139-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-142-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-144-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-146-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-148-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-149-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-151-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-153-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-155-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-157-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-163-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-158-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-160-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-161-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-162-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-159-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-156-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-154-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-152-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-150-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-147-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-145-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-143-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-141-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-126-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-140-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-138-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-136-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-127-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-135-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-134-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-132-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-131-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-128-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-129-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-264-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4336-334-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4336-351-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4848-585-0x000000001D140000-0x000000001D152000-memory.dmp

Filesize
72KB

Download
memory/4848-561-0x000000001C3E0000-0x000000001C480000-memory.dmp

Filesize
640KB

Download
memory/4848-557-0x000000001C1C0000-0x000000001C296000-memory.dmp

Filesize
856KB

Download
memory/4848-558-0x000000001C7A0000-0x000000001CC9E000-memory.dmp

Filesize
5.0MB

Download
memory/4848-559-0x000000001C2A0000-0x000000001C332000-memory.dmp

Filesize
584KB

Download
memory/4848-560-0x000000001C110000-0x000000001C132000-memory.dmp

Filesize
136KB

Download
memory/4848-588-0x000000001D160000-0x000000001D17A000-memory.dmp

Filesize
104KB

Download
memory/4848-562-0x000000001C340000-0x000000001C39B000-memory.dmp

Filesize
364KB

Download
memory/4848-563-0x000000001C560000-0x000000001C634000-memory.dmp

Filesize
848KB

Download
memory/4848-564-0x000000001C480000-0x000000001C4E6000-memory.dmp

Filesize
408KB

Download
memory/4848-565-0x000000001D1D0000-0x000000001D6FC000-memory.dmp

Filesize
5.2MB

Download
memory/4848-566-0x000000001CCA0000-0x000000001CFF0000-memory.dmp

Filesize
3.3MB

Download
memory/4848-568-0x000000001C4F0000-0x000000001C53B000-memory.dmp

Filesize
300KB

Download
memory/4848-570-0x000000001C680000-0x000000001C6BC000-memory.dmp

Filesize
240KB

Download
memory/4848-571-0x000000001C720000-0x000000001C776000-memory.dmp

Filesize
344KB

Download
memory/4848-572-0x000000001C640000-0x000000001C65E000-memory.dmp

Filesize
120KB

Download
memory/4848-573-0x000000001C660000-0x000000001C67C000-memory.dmp

Filesize
112KB

Download
memory/4848-574-0x000000001DBD0000-0x000000001E09A000-memory.dmp

Filesize
4.8MB

Download
memory/4848-575-0x000000001CFF0000-0x000000001D06D000-memory.dmp

Filesize
500KB

Download
memory/4848-577-0x000000001C6E0000-0x000000001C6FE000-memory.dmp

Filesize
120KB

Download
memory/4848-578-0x000000001C700000-0x000000001C712000-memory.dmp

Filesize
72KB

Download
memory/4848-579-0x000000001D070000-0x000000001D090000-memory.dmp

Filesize
128KB

Download
memory/4848-580-0x000000001D0D0000-0x000000001D102000-memory.dmp

Filesize
200KB

Download
memory/4848-581-0x000000001D110000-0x000000001D132000-memory.dmp

Filesize
136KB

Download
memory/4848-582-0x000000001D090000-0x000000001D0AA000-memory.dmp

Filesize
104KB

Download
memory/4848-589-0x000000001E0A0000-0x000000001E1C2000-memory.dmp

Filesize
1.1MB

Download
memory/4848-587-0x000000001D850000-0x000000001D894000-memory.dmp

Filesize
272KB

Download
memory/4848-586-0x000000001D8D0000-0x000000001D99E000-memory.dmp

Filesize
824KB

Download
memory/4848-547-0x000000001BE40000-0x000000001BED5000-memory.dmp

Filesize
596KB

Download
memory/4848-556-0x000000001BCA0000-0x000000001BCAE000-memory.dmp

Filesize
56KB

Download
memory/4848-584-0x000000001D180000-0x000000001D1BE000-memory.dmp

Filesize
248KB

Download
memory/4848-590-0x000000001D1C0000-0x000000001D1C8000-memory.dmp

Filesize
32KB

Download
memory/4848-555-0x000000001BF10000-0x000000001BF22000-memory.dmp

Filesize
72KB

Download
memory/4848-594-0x000000001D800000-0x000000001D810000-memory.dmp

Filesize
64KB

Download
memory/4848-535-0x000000001BB20000-0x000000001BB66000-memory.dmp

Filesize
280KB

Download
memory/4848-531-0x000000001BCC0000-0x000000001BD80000-memory.dmp

Filesize
768KB

Download
memory/4848-476-0x000000001B650000-0x000000001B690000-memory.dmp

Filesize
256KB

Download
memory/4848-472-0x000000001B6B0000-0x000000001B706000-memory.dmp

Filesize
344KB

Download
memory/4848-598-0x000000001D9A0000-0x000000001D9F4000-memory.dmp

Filesize
336KB

Download
memory/4848-468-0x000000001B810000-0x000000001B9CA000-memory.dmp

Filesize
1.7MB

Download
memory/4848-461-0x0000000006350000-0x0000000006362000-memory.dmp

Filesize
72KB

Download
memory/4848-451-0x0000000017790000-0x000000001B314000-memory.dmp

Filesize
59.5MB

Download
memory/4848-603-0x000000001DA50000-0x000000001DAA0000-memory.dmp

Filesize
320KB

Download
memory/4848-444-0x0000000000810000-0x00000000041AE000-memory.dmp

Filesize
57.6MB

Download
memory/4848-604-0x000000001E1D0000-0x000000001E280000-memory.dmp

Filesize
704KB

Download
memory/4848-606-0x000000001DB10000-0x000000001DB76000-memory.dmp

Filesize
408KB

Download
memory/4848-607-0x000000001E340000-0x000000001E3FA000-memory.dmp

Filesize
744KB

Download
memory/4848-608-0x000000001DA00000-0x000000001DA12000-memory.dmp

Filesize
72KB

Download
memory/4848-609-0x000000001D8C0000-0x000000001D8CA000-memory.dmp

Filesize
40KB

Download
memory/4848-610-0x000000001DA20000-0x000000001DA2A000-memory.dmp

Filesize
40KB

Download
memory/4848-612-0x000000001E280000-0x000000001E330000-memory.dmp

Filesize
704KB

Download
memory/4848-621-0x0000000008AC8000-0x0000000008ACB000-memory.dmp

Filesize
12KB

Download
memory/4848-625-0x000000001EBB0000-0x000000001EBDB000-memory.dmp

Filesize
172KB

Download
memory/4848-554-0x000000001C0A0000-0x000000001C0D8000-memory.dmp

Filesize
224KB

Download
memory/4848-553-0x000000001BC80000-0x000000001BC8A000-memory.dmp

Filesize
40KB

Download
memory/4848-552-0x000000001BEE0000-0x000000001BF02000-memory.dmp

Filesize
136KB

Download
memory/4848-550-0x000000001BFA0000-0x000000001C052000-memory.dmp

Filesize
712KB

Download
memory/4848-551-0x000000001BF30000-0x000000001BF80000-memory.dmp

Filesize
320KB

Download