8f227bc5da1de26c1458babeaef1855429e956a4d6fd086140ee356267a5dc77

Resubmissions

14-03-2023 14:39

230314-r1jp3sga54 8

14-03-2023 14:30

230314-rvkeeshh5z 8

Analysis

max time kernel
81s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inno-setup-5.6.0-installer_M1-nMK1.exe
Size

1.7MB
MD5

41ae06d18ed5af6e6a0a4568b6bb7cc4
SHA1

b5d5e7e8a951e96e88215ca140c04b892e2d53de
SHA256

a350cd18e1b18c350088512a4baeaeb0ce8ae7e2bfae80636c61c5ba17103b04
SHA512

81228bac5babd3c602804bea5e1c1f9c4d97ddb7896aec6bcea14ef8cd34b83c5ddcc63a6c3a257698910663e2dfd85355a461ea5d02ceefaa2e25cead16c166
SSDEEP

24576:Y7FUDowAyrTVE3U5Fmi05np8tydyPaJPfrT90eKc4cgFLNPfs8duMpmsDGB:YBuZrEUOp8odywPH9RHgFLRdp/M

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1072	inno-setup-5.6.0-installer_M1-nMK1.tmp
1372	inno-setup-5.6.0-installer.exe
556	inno-setup-5.6.0-installer.tmp

Loads dropped DLL 3 IoCs

pid	Process
1084	inno-setup-5.6.0-installer_M1-nMK1.exe
1072	inno-setup-5.6.0-installer_M1-nMK1.tmp
1372	inno-setup-5.6.0-installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Inno Setup 5\Examples\MyDll\C#\is-5TV9L.tmp	inno-setup-5.6.0-installer.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 5\isbzip.dll	inno-setup-5.6.0-installer.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 5\ISetup.chm	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-4UPR0.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-M3M2P.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-G7GMF.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\is-L93V1.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\is-8S423.tmp	inno-setup-5.6.0-installer.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 5\ISPP.chm	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-LJV50.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-VP2HL.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\MyDll\C\is-5TBHL.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-JNLMT.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-UK8AG.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-6LHP6.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-NTR9J.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-ALEB2.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\is-63VIS.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\MyDll\C\is-JRI19.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\is-O2E0A.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-81V7B.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-DDN4E.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-GDBDK.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-TFUND.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\is-R1QJO.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\is-264ES.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\is-23VFR.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\is-JG0IC.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-8TT3A.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-96D0C.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-RNOMA.tmp	inno-setup-5.6.0-installer.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 5\Examples\MyProg-x64.exe	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-0DOCQ.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-03NQS.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\unins000.msg	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\is-7OUE1.tmp	inno-setup-5.6.0-installer.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 5\isbunzip.dll	inno-setup-5.6.0-installer.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 5\ISCmplr.dll	inno-setup-5.6.0-installer.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 5\Examples\MyProg.exe	inno-setup-5.6.0-installer.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 5\iszlib.dll	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-MHNUH.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-8FVR1.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-BKKIQ.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\MyDll\C#\Properties\is-2VH9S.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-VUAGM.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-0LUG7.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-8J66T.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-05HKT.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-3BD2N.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-7SGKV.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\is-5D4QH.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\is-P7AKU.tmp	inno-setup-5.6.0-installer.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 5\islzma32.exe	inno-setup-5.6.0-installer.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 5\isunzlib.dll	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-GF334.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-QU8H6.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-LPD0G.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\is-DIPV4.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\is-MPJJ5.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\MyDll\Delphi\is-IK0C0.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Examples\MyDll\C#\is-DTOBG.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\unins000.dat	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\is-4A6C5.tmp	inno-setup-5.6.0-installer.tmp
File created	C:\Program Files (x86)\Inno Setup 5\Languages\is-AA9DI.tmp	inno-setup-5.6.0-installer.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 80003100000000006e56f0731100444f574e4c4f7e310000680008000400efbe545662b06e56f0732a000000ea0100000000020000000000000000003e000000000044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7400310000000000545662b01100557365727300600008000400efbeee3a851a545662b02a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c00310000000000545688bc100041646d696e00380008000400efbe545662b0545688bc2a00000033000000000003000000000000000000000000000000410064006d0069006e00000014000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	inno-setup-5.6.0-installer_M1-nMK1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	inno-setup-5.6.0-installer_M1-nMK1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	inno-setup-5.6.0-installer_M1-nMK1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	inno-setup-5.6.0-installer_M1-nMK1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	inno-setup-5.6.0-installer_M1-nMK1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	inno-setup-5.6.0-installer_M1-nMK1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	inno-setup-5.6.0-installer_M1-nMK1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	inno-setup-5.6.0-installer_M1-nMK1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	inno-setup-5.6.0-installer_M1-nMK1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	inno-setup-5.6.0-installer_M1-nMK1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	inno-setup-5.6.0-installer_M1-nMK1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	inno-setup-5.6.0-installer_M1-nMK1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	inno-setup-5.6.0-installer_M1-nMK1.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
556	inno-setup-5.6.0-installer.tmp
556	inno-setup-5.6.0-installer.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1072	inno-setup-5.6.0-installer_M1-nMK1.tmp
556	inno-setup-5.6.0-installer.tmp

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1072	1084	inno-setup-5.6.0-installer_M1-nMK1.exe	26
PID 1084 wrote to memory of 1072	1084	inno-setup-5.6.0-installer_M1-nMK1.exe	26
PID 1084 wrote to memory of 1072	1084	inno-setup-5.6.0-installer_M1-nMK1.exe	26
PID 1084 wrote to memory of 1072	1084	inno-setup-5.6.0-installer_M1-nMK1.exe	26
PID 1084 wrote to memory of 1072	1084	inno-setup-5.6.0-installer_M1-nMK1.exe	26
PID 1084 wrote to memory of 1072	1084	inno-setup-5.6.0-installer_M1-nMK1.exe	26
PID 1084 wrote to memory of 1072	1084	inno-setup-5.6.0-installer_M1-nMK1.exe	26
PID 1072 wrote to memory of 1576	1072	inno-setup-5.6.0-installer_M1-nMK1.tmp	27
PID 1072 wrote to memory of 1576	1072	inno-setup-5.6.0-installer_M1-nMK1.tmp	27
PID 1072 wrote to memory of 1576	1072	inno-setup-5.6.0-installer_M1-nMK1.tmp	27
PID 1072 wrote to memory of 1576	1072	inno-setup-5.6.0-installer_M1-nMK1.tmp	27
PID 1704 wrote to memory of 1372	1704	explorer.exe	30
PID 1704 wrote to memory of 1372	1704	explorer.exe	30
PID 1704 wrote to memory of 1372	1704	explorer.exe	30
PID 1704 wrote to memory of 1372	1704	explorer.exe	30
PID 1704 wrote to memory of 1372	1704	explorer.exe	30
PID 1704 wrote to memory of 1372	1704	explorer.exe	30
PID 1704 wrote to memory of 1372	1704	explorer.exe	30
PID 1372 wrote to memory of 556	1372	inno-setup-5.6.0-installer.exe	31
PID 1372 wrote to memory of 556	1372	inno-setup-5.6.0-installer.exe	31
PID 1372 wrote to memory of 556	1372	inno-setup-5.6.0-installer.exe	31
PID 1372 wrote to memory of 556	1372	inno-setup-5.6.0-installer.exe	31
PID 1372 wrote to memory of 556	1372	inno-setup-5.6.0-installer.exe	31
PID 1372 wrote to memory of 556	1372	inno-setup-5.6.0-installer.exe	31
PID 1372 wrote to memory of 556	1372	inno-setup-5.6.0-installer.exe	31

C:\Users\Admin\AppData\Local\Temp\inno-setup-5.6.0-installer_M1-nMK1.exe
"C:\Users\Admin\AppData\Local\Temp\inno-setup-5.6.0-installer_M1-nMK1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\is-O3CSS.tmp\inno-setup-5.6.0-installer_M1-nMK1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-O3CSS.tmp\inno-setup-5.6.0-installer_M1-nMK1.tmp" /SL5="$70124,879088,832512,C:\Users\Admin\AppData\Local\Temp\inno-setup-5.6.0-installer_M1-nMK1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe" /select,"C:\Users\Admin\Downloads\inno-setup-5.6.0-installer.exe"
    3⤵
    PID:1576

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\Downloads\inno-setup-5.6.0-installer.exe
  "C:\Users\Admin\Downloads\inno-setup-5.6.0-installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\is-6JP7T.tmp\inno-setup-5.6.0-installer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-6JP7T.tmp\inno-setup-5.6.0-installer.tmp" /SL5="$90122,1617805,58368,C:\Users\Admin\Downloads\inno-setup-5.6.0-installer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Inno Setup 5\unins000.exe

Filesize
712KB

MD5
99ec3280ffd7fe50b11b198b57534dd1

SHA1
15e99feb98b5318b480b0abb626ecf59798ed3d6

SHA256
fc581ec80b0b43376432220af7610d784ac63d040449ce8809f06b8d06eb1cd3

SHA512
8b59f6577cc94b42db23b999ecfa1eb9eeaa7b52a0fb653f6a4e3d3ba036af99c9e7bfdccafc9ef777c84de728a941aecf25693d47abbdcc188e0b1ce9b1eb80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
36efd0e10565494dc626d0285e799ac5

SHA1
3b1224a9e33f8a6a9fbde70989af03ab77c6a441

SHA256
9f8f9f386e676f718ee41938e7fb920e9483b6ca5daf52bf892070c4a0ba61a9

SHA512
36e1c9351eecde8c942fc82a8c17891b701cd3ac4598604799dce3cbf3acfbba34543d3c47a4283114954e23c7457bef4160e369d97dfbefba38c53efd241925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
543d17fc9926461594ad05df2b485edb

SHA1
a075618ad9a1ed7018aed2f1ef5a4fec1a69b0d9

SHA256
1b9a6e242e0a94f2094d51eea3903837822ee01a43c06b12464c917a09fc43ab

SHA512
9f5869d39023c98d66288bf207fcb230cc33204ef46d07c02096c5058e906081e0a2b02dfd0b55214e52c4ceeb6fcf1d0369c20550cf1633dac0f1835087fc1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4022e5f72990985b699d89e752ceabc3

SHA1
d927e2e27ba62a5878bd80a69f3d398fd14002df

SHA256
8c4c0f3328507c093131ae2041d0b2054b44abf6aa3cdf7518f56abf0920bb84

SHA512
5c836de43f887969fe4f8bee160c5a960b85f3869d419661345d8c5e7289c9bae2f4af047fd7b0d9c746504a8cd8af6cddc98fabbb6e456634b828973a20ded7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar94B9.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6JP7T.tmp\inno-setup-5.6.0-installer.tmp

Filesize
712KB

MD5
99ec3280ffd7fe50b11b198b57534dd1

SHA1
15e99feb98b5318b480b0abb626ecf59798ed3d6

SHA256
fc581ec80b0b43376432220af7610d784ac63d040449ce8809f06b8d06eb1cd3

SHA512
8b59f6577cc94b42db23b999ecfa1eb9eeaa7b52a0fb653f6a4e3d3ba036af99c9e7bfdccafc9ef777c84de728a941aecf25693d47abbdcc188e0b1ce9b1eb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6JP7T.tmp\inno-setup-5.6.0-installer.tmp

Filesize
712KB

MD5
99ec3280ffd7fe50b11b198b57534dd1

SHA1
15e99feb98b5318b480b0abb626ecf59798ed3d6

SHA256
fc581ec80b0b43376432220af7610d784ac63d040449ce8809f06b8d06eb1cd3

SHA512
8b59f6577cc94b42db23b999ecfa1eb9eeaa7b52a0fb653f6a4e3d3ba036af99c9e7bfdccafc9ef777c84de728a941aecf25693d47abbdcc188e0b1ce9b1eb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F999R.tmp\mainlogo

Filesize
2KB

MD5
308ad34a86d32a4a2249f1740076f1b7

SHA1
57ed4188e01ee82c572fa327e41e1704f8cf0fc1

SHA256
36f2488f3eb5c3af6e94cb382460dca9cc8f9865dd6d12932ca4bd6f8cc0f2a2

SHA512
dbb107a454d31651e7089f1f55f1c30da9a0bc08527071a9b943dcacc0a63f1a1550edc7975f4edb3b13c460b80988e1f30c1adfa488f71e65fd416dd03415ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F999R.tmp\v_in_black_circle.png

Filesize
1KB

MD5
a0f78df30ebc15bda8858e4c490a5eb1

SHA1
07140fdad7c7415fbb23461e243d7b576eb08749

SHA256
0c679e463254ec4652917110ca1387fb3663d464e4bd792d97c2d853e156d900

SHA512
f5539152f7faf5fa3505a2ebd1ccbe3145ee46564b814549a96b63f385a73b7e69176ca853d07adef386ea0cc7c0cea4989c74bd4334997b389d85a2f8db1508

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IEPIT.tmp\ISPP.ico

Filesize
4KB

MD5
3aa7f8322b5d9fac04fd5181b7c11e9c

SHA1
0680431457273982543a228a05df9964358b672c

SHA256
4da1ac3689166164e0bedbb5bb2f7f1f0306c27fb044620da9c0960dabb5c395

SHA512
85069124bcddb346acea73d68368c666083a0020bf51907344a94316a6a1e97ab960b8841e70839d9fc6d9117157226787dae8d4816840397ac28a1cfef9764f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O3CSS.tmp\inno-setup-5.6.0-installer_M1-nMK1.tmp

Filesize
3.0MB

MD5
570ac7dec62a51b18b9359d1e9f3e23b

SHA1
0791494b26ba013034c5861c4b006cb6a9f66a36

SHA256
8c5ffa58d84d9d8eef793c780c20297f0ca93db40ea40fe0c15150718b9f046a

SHA512
44d68db3a30b99093db264b21ff680a6c74c4b6dcb7d1d49df4eaf0124dd52ad726dd0dd9419f89b89fe841852d6fda68c9383fbe80a681b15577f80e8bc617a

Download Submit
C:\Users\Admin\Downloads\inno-setup-5.6.0-installer.exe

Filesize
1.9MB

MD5
d7489fc8b9b1ee4e642da490d33366ba

SHA1
fef2fe89615584dc874f8a6b0fcf180df77db139

SHA256
1f941a91d93048476a6af05a836689042aa75f03ea91802a30f327e6a6f465d2

SHA512
a22f9a1110ec2d355e6250598febacde7a7893916417dd9691eb733ab368040466b25d51d6597bdb1bf0680e48b2c0a24ab01d1b19cb0b09be4abd1872e29f7a

Download Submit
C:\Users\Admin\Downloads\inno-setup-5.6.0-installer.exe

Filesize
1.9MB

MD5
d7489fc8b9b1ee4e642da490d33366ba

SHA1
fef2fe89615584dc874f8a6b0fcf180df77db139

SHA256
1f941a91d93048476a6af05a836689042aa75f03ea91802a30f327e6a6f465d2

SHA512
a22f9a1110ec2d355e6250598febacde7a7893916417dd9691eb733ab368040466b25d51d6597bdb1bf0680e48b2c0a24ab01d1b19cb0b09be4abd1872e29f7a

Download Submit
C:\Users\Admin\Downloads\inno-setup-5.6.0-installer.exe

Filesize
1.9MB

MD5
d7489fc8b9b1ee4e642da490d33366ba

SHA1
fef2fe89615584dc874f8a6b0fcf180df77db139

SHA256
1f941a91d93048476a6af05a836689042aa75f03ea91802a30f327e6a6f465d2

SHA512
a22f9a1110ec2d355e6250598febacde7a7893916417dd9691eb733ab368040466b25d51d6597bdb1bf0680e48b2c0a24ab01d1b19cb0b09be4abd1872e29f7a

Download Submit
\Users\Admin\AppData\Local\Temp\is-6JP7T.tmp\inno-setup-5.6.0-installer.tmp

Filesize
712KB

MD5
99ec3280ffd7fe50b11b198b57534dd1

SHA1
15e99feb98b5318b480b0abb626ecf59798ed3d6

SHA256
fc581ec80b0b43376432220af7610d784ac63d040449ce8809f06b8d06eb1cd3

SHA512
8b59f6577cc94b42db23b999ecfa1eb9eeaa7b52a0fb653f6a4e3d3ba036af99c9e7bfdccafc9ef777c84de728a941aecf25693d47abbdcc188e0b1ce9b1eb80

Download Submit
\Users\Admin\AppData\Local\Temp\is-F999R.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-O3CSS.tmp\inno-setup-5.6.0-installer_M1-nMK1.tmp

Filesize
3.0MB

MD5
570ac7dec62a51b18b9359d1e9f3e23b

SHA1
0791494b26ba013034c5861c4b006cb6a9f66a36

SHA256
8c5ffa58d84d9d8eef793c780c20297f0ca93db40ea40fe0c15150718b9f046a

SHA512
44d68db3a30b99093db264b21ff680a6c74c4b6dcb7d1d49df4eaf0124dd52ad726dd0dd9419f89b89fe841852d6fda68c9383fbe80a681b15577f80e8bc617a

Download Submit
memory/556-355-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/556-363-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/556-536-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/556-459-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/556-364-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1072-270-0x00000000036B0000-0x00000000036BF000-memory.dmp

Filesize
60KB

Download
memory/1072-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1072-332-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/1072-324-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1072-262-0x00000000036B0000-0x00000000036BF000-memory.dmp

Filesize
60KB

Download
memory/1072-269-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/1072-333-0x00000000036B0000-0x00000000036BF000-memory.dmp

Filesize
60KB

Download
memory/1072-342-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/1084-268-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1084-344-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1084-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1372-362-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1372-348-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1372-537-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1704-345-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/1704-346-0x000007FF17540000-0x000007FF1754A000-memory.dmp

Filesize
40KB

Download
memory/1704-334-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download