98a9b281a537b5cc033913c26b3e649bba6aa26a2baa60c51e679b11b0f15efe

Analysis

max time kernel
1043s
max time network
1051s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$RELPZ36.exe
Size

5.7MB
MD5

c9d3653b2b612ba6087767ca6972289d
SHA1

55716813bec9dd2377e2f4c2bc3457a1ebf1f982
SHA256

98a9b281a537b5cc033913c26b3e649bba6aa26a2baa60c51e679b11b0f15efe
SHA512

458f51d756a829e09a35fdb56b515110584d78dbda44246541a20c08254f36ed6fe79390da0b4abe99cc68e489300d36bbaee70953c90930d4f3540ccffb9d26
SSDEEP

98304:x0NFx6666666666666666666666666666666x666666666666666fwwwwwwwwww2:YdUcT+ApWkdjQgmg7Ynn30jpKca6iPdz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

$RELPZ36.exe

pid process

3344 $RELPZ36.exe
Loads dropped DLL 5 IoCs

Processes:

$RELPZ36.exe$RELPZ36.exe$RELPZ36.exe$RELPZ36.exe$RELPZ36.exe

pid process

372 $RELPZ36.exe
4944 $RELPZ36.exe
3344 $RELPZ36.exe
432 $RELPZ36.exe
1228 $RELPZ36.exe

pid	process
3344	$RELPZ36.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

OneDrive.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

OneDrive.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileCoAuthLib64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDrive.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

$RELPZ36.exe$RELPZ36.exe

description	ioc	process
File opened (read-only)	\??\D:	$RELPZ36.exe
File opened (read-only)	\??\F:	$RELPZ36.exe
File opened (read-only)	\??\D:	$RELPZ36.exe
File opened (read-only)	\??\F:	$RELPZ36.exe

Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\certmgr.msc mmc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\certmgr.msc	mmc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OneDrive.exetaskmgr.exeWINWORD.EXE

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

OneDrive.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies registry class 64 IoCs

Processes:

OneDrive.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ = "ILoginCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ = "IGetSelectiveSyncInformationCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ProgID\ = "FileSyncOutOfProcServices.FileSyncOutOfProcServices.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID\ = "StorageProviderUriSource.StorageProviderUriSource"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\FileSyncClient.AutoPlayHandler\CurVer	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /autoplay"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\FileSyncClient.FileSyncClient\CLSID\ = "{7B37E4E2-C62F-4914-9620-8FB5062718CC}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ProgID\ = "OOBERequestHandler.OOBERequestHandler.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\ = "SyncEngine Type Library"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\ = "SyncingOverlayHandler2 Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ = "IFileSyncClient3"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\\1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\ = "OOBERequestHandler Class"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_CLASSES\ODOPEN\SHELL\OPEN\COMMAND	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\ = "IGetSyncStatusCallback"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\VersionIndependentProgID\ = "BannerNotificationHandler.BannerNotificationHandler"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\OOBERequestHandler.OOBERequestHandler\CLSID\ = "{94269C4E-071A-4116-90E6-52E557067E4E}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\ = "FileSync ThumbnailProvider"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\OOBERequestHandler.OOBERequestHandler\CurVer\ = "OOBERequestHandler.OOBERequestHandler.1"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "PSFactoryBuffer"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\FLAGS	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDrive.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

3908 regedit.exe
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEOneDrive.exe

pid process

2736 WINWORD.EXE
2736 WINWORD.EXE
2776 OneDrive.exe

pid	process
3908	regedit.exe

pid	process
2736	WINWORD.EXE
2736	WINWORD.EXE
2776	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

taskmgr.exeregedit.exemmc.exe

pid process

3592 taskmgr.exe
3908 regedit.exe
1000 mmc.exe
Suspicious behavior: LoadsDriver 10 IoCs

Processes:

pid

4
4
4
4
4
656
4
4
4
4

pid
4
4
4
4
4
656
4
4
4
4

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskmgr.exemmc.exe

description	pid	process
Token: SeDebugPrivilege	3592	taskmgr.exe
Token: SeSystemProfilePrivilege	3592	taskmgr.exe
Token: SeCreateGlobalPrivilege	3592	taskmgr.exe
Token: 33	3592	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3592	taskmgr.exe
Token: 33	1000	mmc.exe
Token: SeIncBasePriorityPrivilege	1000	mmc.exe
Token: 33	1000	mmc.exe
Token: SeIncBasePriorityPrivilege	1000	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

$RELPZ36.exeWINWORD.EXEOneDrive.exemmc.exe

pid	process
372	$RELPZ36.exe
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2776	OneDrive.exe
1000	mmc.exe
1000	mmc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

$RELPZ36.exe$RELPZ36.exe

description	pid	process	target process
PID 372 wrote to memory of 4944	372	$RELPZ36.exe	$RELPZ36.exe
PID 372 wrote to memory of 4944	372	$RELPZ36.exe	$RELPZ36.exe
PID 372 wrote to memory of 4944	372	$RELPZ36.exe	$RELPZ36.exe
PID 372 wrote to memory of 3344	372	$RELPZ36.exe	$RELPZ36.exe
PID 372 wrote to memory of 3344	372	$RELPZ36.exe	$RELPZ36.exe
PID 372 wrote to memory of 3344	372	$RELPZ36.exe	$RELPZ36.exe
PID 372 wrote to memory of 432	372	$RELPZ36.exe	$RELPZ36.exe
PID 372 wrote to memory of 432	372	$RELPZ36.exe	$RELPZ36.exe
PID 372 wrote to memory of 432	372	$RELPZ36.exe	$RELPZ36.exe
PID 432 wrote to memory of 1228	432	$RELPZ36.exe	$RELPZ36.exe
PID 432 wrote to memory of 1228	432	$RELPZ36.exe	$RELPZ36.exe
PID 432 wrote to memory of 1228	432	$RELPZ36.exe	$RELPZ36.exe

C:\Users\Admin\AppData\Local\Temp\$RELPZ36.exe
"C:\Users\Admin\AppData\Local\Temp\$RELPZ36.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Local\Temp\$RELPZ36.exe
C:\Users\Admin\AppData\Local\Temp\$RELPZ36.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.62 --initial-client-data=0x2a0,0x2a4,0x2a8,0x29c,0x2ac,0x74e44208,0x74e44214,0x74e44220
2⤵
- Loads dropped DLL
PID:4944

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\$RELPZ36.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\$RELPZ36.exe" --version
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3344

C:\Users\Admin\AppData\Local\Temp\$RELPZ36.exe
"C:\Users\Admin\AppData\Local\Temp\$RELPZ36.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=1 --general-interests=1 --general-location=1 --personalized-content=1 --personalized-ads=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=372 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240428202031" --session-guid=318f2410-de92-4c85-8850-2c87b7117409 --server-tracking-blob=MTc1ZThkNGY4MGY2MDNhZDEzMmJjZWI0YjBhMmM1YjI1ZGE4YmM5NDA5Y2UyNWRjNjdiOWEyNDY3MmRiNTQzOTp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6eyJuYW1lIjoib3BlcmFfZ3gifSwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9HQl9IVlJfV0VCXzM3MDEmZWRpdGlvbj1zdGQtMiZ1dG1fY29udGVudD0zNzAxXzM4MF92c19nbF8yeDJfb3BlcmFfZ2JfY2hyb21lX2ZkMjNkNGU2JnV0bV9pZD1hY2FhNWY5ZWY4ZGU0MzZkYTdjZDg2OTk3OWI1NWRiNSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmdldCUyRm9wZXJhLWd4JTNGdXRtX2NvbnRlbnQlM0QzNzAxXzM4MF92c19nbF8yeDJfb3BlcmFfZ2JfY2hyb21lX2ZkMjNkNGU2JTI2dXRtX3NvdXJjZSUzRFBXTmdhbWVzJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX2NhbXBhaWduJTNEUFdOX0dCX0hWUl9XRUJfMzcwMSUyNnV0bV9pZCUzRGFjYWE1ZjllZjhkZTQzNmRhN2NkODY5OTc5YjU1ZGI1JTI2ZWRpdGlvbiUzRHN0ZC0yJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGZ2V0JTJGb3BlcmEtZ3gmdXRtX2lkPWFjYWE1ZjllZjhkZTQzNmRhN2NkODY5OTc5YjU1ZGI1JmRsX3Rva2VuPTY1NzQyNjQyIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzE0MzM0OTQ2LjcxODUiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI0LjAuMC4wIFNhZmFyaS81MzcuMzYiLCJ1dG0iOnsiY2FtcGFpZ24iOiJQV05fR0JfSFZSX1dFQl8zNzAxIiwiY29udGVudCI6IjM3MDFfMzgwX3ZzX2dsXzJ4Ml9vcGVyYV9nYl9jaHJvbWVfZmQyM2Q0ZTYiLCJpZCI6ImFjYWE1ZjllZjhkZTQzNmRhN2NkODY5OTc5YjU1ZGI1IiwibGFzdHBhZ2UiOiJvcGVyYS5jb20vZ2V0L29wZXJhLWd4IiwibWVkaXVtIjoicGEiLCJzaXRlIjoib3BlcmFfY29tIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6IjBkMTNhZjM1LWNlZDgtNDY5Mi1iMWQ2LTkxNzkyMWI2YmZhZCJ9 --desktopshortcut=1 --wait-for-package --initial-proc-handle=F806000000000000
2⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\$RELPZ36.exe
C:\Users\Admin\AppData\Local\Temp\$RELPZ36.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.62 --initial-client-data=0x2b0,0x2b4,0x2b8,0x27c,0x2ac,0x72534208,0x72534214,0x72534220
3⤵
- Loads dropped DLL
PID:1228

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3592

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:744

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1104

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1828

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:3908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:4320

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2776

C:\Windows\system32\UserAccountControlSettings.exe
"C:\Windows\system32\UserAccountControlSettings.exe"
1⤵
PID:3828

C:\Windows\system32\UserAccountControlSettings.exe
"C:\Windows\system32\UserAccountControlSettings.exe" /applySettings
1⤵
PID:4120

C:\Windows\system32\UserAccountControlSettings.exe
"C:\Windows\system32\UserAccountControlSettings.exe"
1⤵
PID:2100

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" C:\Windows\system32\certmgr.msc
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1000

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\AssertConvertTo.vst
Filesize
277KB

MD5
156ff6dc733a3a5134c2e02836043d6f

SHA1
7273f7bf8bf50499c1203bd8358f166257294bd0

SHA256
fdfe202925cfaaad0b023bc7c6ee1862d1711eefb2ba5e4ec951fb23896c8a58

SHA512
b4bf75ebe305f52754c89186f422f06498e211f2f62e6fe601d8627015c65ecf6fe7f91595211330fea246f8cde2ef863deba5474dcc6d0157abe0527c1c7993

Download Submit
C:\Program Files\CompareProtect.3gp2
Filesize
267KB

MD5
04767464a4b19bad6f51d96efac737f8

SHA1
f3c089cba4196eab72c87fc1f7c0c237c03851f2

SHA256
2b06611acfbc9e1786784c8c0c0a789b39c63cde39a36f263e4a4848db1493b6

SHA512
3ad65a607f84f1205d3ab611fb13348467a968a1e5d98dc18f97f8ea631512df29072e2312c2c43cda428df3d09b4b538e6021d4e19db746403f45541abeaee9

Download Submit
C:\Program Files\CompareUnblock.aifc
Filesize
227KB

MD5
f06db8f0a21547b52a058e0bb695485d

SHA1
ebe238be4e4056f22b201863f30911b9020ea136

SHA256
acd2d68478d5b8f3e741800b5bcbf590763a66e2b685c17a570c4fdf926691e0

SHA512
16dca8612b21e71f452d780253c24bab799516be9a5f59f17e24314d98e820e547dd867debfdea7c2ec4b7776aca1e793b28e3344fb2ca6963a6cbc5d274f499

Download Submit
C:\Program Files\CompleteGroup.txt
Filesize
348KB

MD5
c98ddf95f2dadfcebc12d835a1d5c3d9

SHA1
225b2b6c34f0f5140c894a3b435392579b14595c

SHA256
06ce55b040e23d2c45c7fbaf0159785ad0e60f3f81677a56b0818de92736f51b

SHA512
ae863c150593a3b9785bbbe95aafc207f2aaf4ecb33cea0d5dafdd9c2374c8c8300fb47679ef1794091035188424e110aa5ee0febf0bd48483e1ae478ec8db88

Download Submit
C:\Program Files\CompressUnblock.3gp2
Filesize
207KB

MD5
3c97cb82ac7dc2c6a9b2540d12795c06

SHA1
de5b4d6fbb343f305bcacf073cfc41020a75c9f1

SHA256
d54eb8067fd508b46b7dd1b7f6d5ba361c4d62bc8bf1bd0603df67716764a0ed

SHA512
c41d53db5172a68a4906fc19e57dd2488a862e3cebc5586fc61f885b1820b41f51df3bb7514b7d51b78d8da37b013e1144245d8be1fcbffa2104205ad10f0bb9

Download Submit
C:\Program Files\ConvertCompress.jpeg
Filesize
550KB

MD5
79586b1438000f99cd6f61e38ef693e2

SHA1
29fc2c8c65224722a0cdaa42a2b3016237b4ebf4

SHA256
a1902b731395c6970585fbd8cd2accea8bf26b28c16f4c8f2a7caf74bfd4bd84

SHA512
437fe788e2080296eee3b151060fca604ed5ead69bb0185cae459635db3a1968b090aed6cd591c9561f16116344e0ccd7859e1c0b9581644e333364a94ad5ecd

Download Submit
C:\Program Files\CopyConvertTo.lnk
Filesize
257KB

MD5
fa36ca3be807daac2e4a7bbbba6910f3

SHA1
21d1c6a95727fa1a367537a3711e27e1ad969197

SHA256
c406a745eea111e8ecda4d39984bb3ac455d3907871868004016270a5452b52a

SHA512
204963e3d14a4df649cfc21258e6f3f538f818f4583344dea7ae0fbc3bbcb08bef4dc86e68bc018c186b8910bd757e1c04974243757900e1d2d505e66529f1ac

Download Submit
C:\Program Files\DebugNew.wmv
Filesize
217KB

MD5
d3377305e4ee3c9942f5b856b2faba8d

SHA1
7c57a6bcb1013571140ef01dff19193aaa7a38c5

SHA256
df99cf0a36913ba86b6a53a7e71fdfad233a59be45df5f4824cb157bfc311334

SHA512
5849766f8ec35674a42eec544ab7f7465c264a0383293aa8fb873756248f1d78b04fdbaa1dc545c82d037a6546d3480f651c27eae4818ca4a81b457f5c64c326

Download Submit
C:\Program Files\EditBackup.wdp
Filesize
777KB

MD5
4fa7f65dd939a42182930e0e05ed2a2c

SHA1
346e20af960ae76b950dc9cc931c32ac989c8530

SHA256
3be41e18a38f5af21e63f273cb91c7ad5fe0fdf5fc55ad3e6a1915a8913411b3

SHA512
30cff46c3efa3c53aa1c5af38dc8d8de7011ba9878ad72db2ce24fdf0d682129a57a7a1c70456a3759783fe81fb0bc96850f0698cf1bea34c9b3ad5711a01c13

Download Submit
C:\Program Files\EnableSelect.pps
Filesize
328KB

MD5
5ca62a939e4b0fcbd198c47363efe750

SHA1
6c1e64d5d2b8fced962470004e1145092acf37c9

SHA256
70b286d8cc410c570d3e4d259006a0ff6170d5c96dfecd8207de0c4ff677faed

SHA512
39723d7c6b7962d2342adc04ce8375b8592ab6024c6b245fe6381727927727b80741571d34413fe7c6afb00423947c8ec7868eceeb84fbd71eea549d3a6977f9

Download Submit
C:\Program Files\EnterFormat.raw
Filesize
530KB

MD5
f11f59e3bac1eb8e7c8f5be21586ca7a

SHA1
d1ec216166ed98351b82604c707888635f635264

SHA256
fe08117b65b161ad58982eb051dbea2cb6d0c996e7f30f1e4a1bdec5fccea558

SHA512
3897dffe313d38f311f9a75ad7694104244f7f7eaa81ad5d77a942abbdafda279e0c8aea6b2342a3db37a016b3c6e263546ad94fe55dcdf2d5f65058b487a1da

Download Submit
C:\Program Files\ExportSend.rle
Filesize
196KB

MD5
4b8917db046ee8e2576f2492621ba216

SHA1
a92983cc26f37345b31ff2d6e40eeabbfadb1e68

SHA256
5d2be463857c99ebc799dc4c906af5799001a5367abcdff5e7601de6f090a517

SHA512
5e2ef831f09c7c96f76ff784b33121f504906955290f57400726964ec24e0d8653ae21eb35d5a2a50b8a73ce16e918b6ad9dbf618d11e22933a35c5b7fdd0fb1

Download Submit
C:\Program Files\FindDebug.lnk
Filesize
237KB

MD5
570aa6bf06a2c92de3a133ee70a74bd0

SHA1
779448bec47350454cc537235d351b35796b7f56

SHA256
f90b498b29fb87dab29e7fc27daa0793414502ca2030c1707dcaf5ce72661b54

SHA512
443f6ea851f91125bc9f7e0e92878f8d440831a59ec14e83b5fbdd71f1093a09ed9acaec4cc52586cc15c6c030f79237de596fa959856721274495517e4824f3

Download Submit
C:\Program Files\FormatComplete.png
Filesize
338KB

MD5
e57a95c64951fc8fb86cb23212c8d436

SHA1
a6a06b4b6d5999ce14925ab316f8cd6481c31834

SHA256
5537032b7e6334c97fc95d83b84494bf8916b16c08eb0ce9ecc93b02bbf85912

SHA512
8a48a61c22600ea1989c1253148754241ad0e3a7c00505b2407d99e07203db7354d152a74314c9b475d902660cd16713d8d6e8f60fc7209252bb1c080d8e6aef

Download Submit
C:\Program Files\InvokeUnblock.lnk
Filesize
540KB

MD5
122f6f1e5077d0ba5c3a51f80e5aa18f

SHA1
1a13affa7cf271f0273c992890dd769e88793b2f

SHA256
6842c63eb0e61daacc10de24782ddcc3efd568526869159d3f1020a6d4326f29

SHA512
b9603017f11ac591bada795776d8db0ac2d544cc321fdba08567314a151a25df05d425c929f2bbcf15b516af43f6de94e4db95a035a91abec4d10b974f84f0c2

Download Submit
C:\Program Files\JoinCompare.odp
Filesize
469KB

MD5
bd8a8003d54a7928080764371e4c1e04

SHA1
b8b49a57a08d6ab7ac0bf34836f36d7ac8805f9a

SHA256
2d4129346682304228e6d2df363e11df72a52127f5d614d1f526258e768d6702

SHA512
ce9d3d967c6b2092880339822a02c62f3e50a034e4cd4e2358762cdca6fb4d8c36c2fb88319451d5568f638d5265870b389be67a52403fefdb0ab7a7ed51fb2c

Download Submit
C:\Program Files\LimitImport.rm
Filesize
398KB

MD5
88f55796c9529b2ef69183b48ea7be2c

SHA1
b7310a205452b70ab510fc5f78d867b7ef2cb42c

SHA256
609d62bd68e3cd74f75c346c5afd44a4774984d77fabccb610d1408d1dd723b5

SHA512
db7549f6bf073dceacef96b860701733a2922c9b90f3d85e1ab9af897d6fa50f1d7565b2c39471aaf1984bf3c3d191030bab69c1bb23fc74eafe534e51839444

Download Submit
C:\Program Files\LimitSave.m4v
Filesize
429KB

MD5
e84a8f47772fc4b5391dc05ad56a8ef3

SHA1
7938c13573b8ff60c377f6e1317dbbf26a56dffa

SHA256
7a26007eb9168980b32c495b67edaeb5fbb28deeacf87bd31eb3b111fc1d91cf

SHA512
85fc2c70c175c44c25cb6750ced5cf307b130f28558d01ad30be183fe787498d0bee2aaa5394dcc92b63921ce33d1a10ba2f505fe263b6ad0552e3b29292ac32

Download Submit
C:\Program Files\LimitStop.css
Filesize
378KB

MD5
67d5faafc456966e12f2260f108e6b7d

SHA1
588963950d89de55ffd6455c5fde30481fc670c3

SHA256
1ab11eaeddffefea0c019ec8fe272f19e22f8b3b502c348ec735a727f7653a9f

SHA512
39be07e1c7ca412224e49ff02ac8e4dfe17abb92a92b01e162bd0ffb66171ff62c8889719e1f299b0d5642de0e30bcd66186e46e286cb8a77f1241497b382602

Download Submit
C:\Program Files\MergeClose.ram
Filesize
287KB

MD5
9dcadefd8385750a4257d0daba886b9e

SHA1
53bbd9313ba4f779394597d60a743ea5a3eace15

SHA256
a94bdc12855e8a2d2904fb54b2a4f0774e7a64af41d6ddb1812ebc2bd06db9e0

SHA512
ff64bae4a5b5aa593f07c49d2697c6c9d242150a0d1ecc0213046de5aa0a8538744da01d755b87606557a7feb62f908fbb7c6393a0cda87f3d3f9d9254c35e36

Download Submit
C:\Program Files\MountRestart.csv
Filesize
439KB

MD5
f3bd2c87bb06fe8f36e1b2ac1bedc8dc

SHA1
eb30d43dd53a85571f536fce7ee00918b7d7d5ac

SHA256
51a4d1cc331d772900244a7948046457b03df56c8b1e0353f0564c4d9a8e0f25

SHA512
864dcbf61d386901d5be3cccfe6a4d2f31241ba2e6a316d076e8c13407bda3194914a8f127130195a72ab2a39862ea1916d5f1393c2ee420976c98f86e6db0f7

Download Submit
C:\Program Files\OpenCompare.cab
Filesize
449KB

MD5
a54e41f6d0cf40e7659c256259c50583

SHA1
e73faf564397d80a30225bac12f1cf02881309e6

SHA256
281c797d0ec9f2aaca53350632591508589a47d9738766e6f389684f21f9c8da

SHA512
3a4079e70825a74e16595d50a50ccff81a7c2d95aa1e96dc9b4ef8b3c8e3078d6031744ee9c6404a7508e4dce8904fb5724a0d42e637c18686eab052b97d8761

Download Submit
C:\Program Files\OutPing.xla
Filesize
499KB

MD5
a245eaeed313a17384628f7945b1fcfe

SHA1
81df20448a7c73880552916cbf25a450fcc4040c

SHA256
d4a5166a75c63d6fd51a534877b2d87be1dec455026ecc70436da53e77c886ce

SHA512
be414a6110b803afa40ca084c3541bc02deb88145db4aff247d929d157e4e83fa9f44fb1a3abde812f6d49fc72ffe5506642da5817c125a4a9c1073e70506597

Download Submit
C:\Program Files\PingExit.txt
Filesize
459KB

MD5
daca9a3dc3f93e96c1ee70160be3fe76

SHA1
5122c9ef0f0253a0709f146edd7af83f1faa3733

SHA256
5be90863a778a0ba05240c70fa840cd3421eaf7d5dd0761c8f4821183cda2594

SHA512
49f621d2f560907a1f275a134c8a86e2ea6597471a130559574ed79c3dcb77e96d8b293d72f22f734fa277f8887d249871ee44232a785c3e74ddd71330a9af14

Download Submit
C:\Program Files\ReceiveSuspend.rtf
Filesize
509KB

MD5
24c05cb1679e5d2d8867b31352a0afbd

SHA1
91539e41b67c0dea4a9bfdc94ffbde79cd1c2d65

SHA256
17845f0a9bdf866b4690bfbb60661cc4a3b337fd0400d2316bf20c2ff5595980

SHA512
e7d8ddee6b43d73a067a3d5db44a56b369e7e612453ec81cce53b9876df01b0b56f31ee55abc065099810d583d5fde79a1717e1749f0c9f68dd58cdeefead700

Download Submit
C:\Program Files\RedoProtect.pptx
Filesize
388KB

MD5
a079492e75075bacd34ed92be1d35ec7

SHA1
22fe36825226ecc5feb9a0fbfc2f0168b67c3460

SHA256
7ee755c89dcba8757987f293d830b62a51461d37d1a9d39758436bf614b92b90

SHA512
a1f06eefec0be1a4baa5765ef8dc3a84b35bd2badb6146bfe7ebe30d1d261b859da80a1e2e7fc9bebbb5411f05a91e9c7c1d59c109a09afada80fb3a9eeebcaf

Download Submit
C:\Program Files\RedoUpdate.ico
Filesize
560KB

MD5
88e6452dc6755a6bcf16e9e5c32843b6

SHA1
d40a24539c12a3aa7acbd732debf02bf5a111476

SHA256
00b129b593a4313b8dcbc5d249e30c282e98136765098469a2022c306dd4c44d

SHA512
6646ed10ee88d9c7089e19fdfb1270f48a62a5dc4b07a0f374f555674d713f72b316e2632ac4987a1bf4ea87fca1f737f8b616c83b6538984eb8810ebee3f384

Download Submit
C:\Program Files\RepairConvertTo.tiff
Filesize
297KB

MD5
261dcfea49db04862383f096ea75d430

SHA1
b510513faa1f6e6b7addda221bc407555351a822

SHA256
7d289bb16963ab3b4f5a06c2ded7166e9a465ff6c1bb8d8eff7ee5677b5a1a12

SHA512
b4023a156d19e4aa0e15c6e5cf751541592788a8dff32803fa3421438b0371722ccbefd029a85056896243ba8110148120118e472491344c1bab0e2e6439999b

Download Submit
C:\Program Files\RepairSplit.M2V
Filesize
358KB

MD5
5df1cc8b6fb5d63deee3941439e2b9b3

SHA1
4d0ad24edf1ea051d505b8118a6d4b906261ea56

SHA256
036b78d514268b8a7eed9d4d3bb078e340350128d7434a53b52917dafac6f7b8

SHA512
7853613ae3bb9733e2365727c2076fafee7764ccd4e37506510715353c1633ea46396fb0acedeaaa1fb5d8a963b3589c5a49e31cff320a1c11a31c936591e1c6

Download Submit
C:\Program Files\ResolveRemove.emf
Filesize
308KB

MD5
651e417be02a0a6a1b300bb20c4d44e8

SHA1
d5ef7b498b84e131fa5672e9f6e790d92627011a

SHA256
370b840f83a299a1ebe020f076cb705da941e76ec6e46877402bec105714e493

SHA512
0de1d7524e39cc3f4ba5c735d1f0d5db9a440e467140b3940d8d1eb041995c606e9985e7555a330017ed547ad7c6e551c576be8181fa5454a7e2c997ee422733

Download Submit
C:\Program Files\RestartConnect.mp3
Filesize
520KB

MD5
a3ab41b0c35297f414c1460de9bc335e

SHA1
319bae384a6c72acff1f90ae7c3682f2d77b4e99

SHA256
9dbede7ffce0f277ec7ce95fac8b5537267882ccca359f3d2db87398aa263768

SHA512
e0c6413051b8a65172e66be0074e1ceff5efb971a2602db481b969b49d75d01c2c0bab9ba419e1dd0f4a2a5ae098394db0703502e0727ba46b0ec01b1598de85

Download Submit
C:\Program Files\SelectRedo.xlt
Filesize
570KB

MD5
3917b0256abb567b8f6d45af650a8ea7

SHA1
1adecf8beaf3fac7de77bce087db6be9d41da169

SHA256
5ec01d5866bba13418cfef4703ed7ad4f87e79062f58fa803ea0ba2aff1a6a65

SHA512
884cd137ab74ad0574d7a3ce367873a92763938fcf1cb147d22ac0c55917b73402e83803d777385a2e1f4c74e23d7770fe493f52181b0881ac896e6dbcf0be91

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\$RELPZ36.exe
Filesize
5.7MB

MD5
c9d3653b2b612ba6087767ca6972289d

SHA1
55716813bec9dd2377e2f4c2bc3457a1ebf1f982

SHA256
98a9b281a537b5cc033913c26b3e649bba6aa26a2baa60c51e679b11b0f15efe

SHA512
458f51d756a829e09a35fdb56b515110584d78dbda44246541a20c08254f36ed6fe79390da0b4abe99cc68e489300d36bbaee70953c90930d4f3540ccffb9d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_240428202029698372.dll
Filesize
5.2MB

MD5
d9381da82bb61f1c9a062efc9cd97ad1

SHA1
5735dd07793e53d0a03e71460f28758e4d723044

SHA256
9d3843246ca4774fcefe7c55fa90018c661a0e54c6f92f9d24aebfa07124b519

SHA512
bba0b159e90ea1eec4e2f1798500e6ca482a0b583142b11da530fb86a3fdee2fd9a17b7ba020d3ab2a49cc0a603e29533b811246c345c996ae753b16671dfd91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
202B

MD5
4566d1d70073cd75fe35acb78ff9d082

SHA1
f602ecc057a3c19aa07671b34b4fdd662aa033cc

SHA256
fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0

SHA512
b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
13cf4d295a7c7560692451769ed5177f

SHA1
ba3db3acea7799e053aa61c4d849978af1331307

SHA256
e8d4c1ca71176152a920e3bfffe8748410653b544b7890996bcc0d2ca6ea5d86

SHA512
0632533e14bb8edd8006658bdd4486a90c68fa395800246e04d97015bcfa84a8fbdf3559cf76c09b2ef2f00699c502c99bc2207aff0e7e4e5c8d939c39ec171b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat
Filesize
40B

MD5
f9be96be38e7026b430f8fd3af9ab429

SHA1
8bb52e568489c0a978b6250e5cd4014452b08326

SHA256
66be44c4b0a89e32c468248817b950a8fc1d4447a3f6444b829ef0722c11561c

SHA512
d7acee79811093d30497511eece882d51676434a8dd50246a90e9a8328bf32aaaed20b548eea84c705b3e54c3e40b1abca3884ac3c421965e7d14138e0af50a5

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt
Filesize
379KB

MD5
7f85f0b8147018aa58cfa4dc5426d14b

SHA1
630f9c67460aa6bd77588142ccb9b8bff254481c

SHA256
615255e5edb1e946116b3f61df70b529ee67b93831d2bbdfc74f7a1ea032a2bd

SHA512
3578e59534635d5443585804018d9bcdefc861f8979ad5bd3dfd7f9aba90c5d77155f75fa0738556903c3504f05986d9bee8dbed2c94d94bc81bb27723b73388

Download Submit
C:\vcredist2010_x64.log.html
Filesize
85KB

MD5
4f7239cbe486e3fea4359a7d26734d50

SHA1
81e0b362ddc1e69240b831ab2004be84cfeb6ed3

SHA256
f7c990ec51c9bf21cd7af40d4f49431d1321488e1b6d99fda2d48d3d131b147b

SHA512
e3d5fc896d1f460ae7ab68c3944e267c9aadacdbeecf8045fbd102a11dc6c9fa2193f48f29f52f43d8132bc66424f0dc1780e300fa57c2e7d7ce5336671751ed

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt
Filesize
394KB

MD5
6e097f8e8fdacd696e82b0cce41a0023

SHA1
ab8f0acfc55c22b8f03a7d04451ab0566a13cb85

SHA256
dbfad32715bdeabd62b9583bdf0a9ab97d70f30604f68c13e56b73c8fdb4244d

SHA512
55af701761b101bf63dc649a6e9b26fb0b6d3e24df23ea17d6a631fd1b3d30d39c547e4d2ded13d22e142fa0aca09c57925e9410db09176da02d01a7c07fb6c5

Download Submit
C:\vcredist2010_x86.log.html
Filesize
80KB

MD5
cea5f3b71fc53579ef3596c0ddc390ac

SHA1
f72500c5b28d4b6042037b2f6e493a0fcefe65fc

SHA256
51ad21ad71a12c41c6c8551025b20b87ca573ecb8995ea0ee8cb6bdcbf9a4c94

SHA512
32cb4f116f0a5d4b4096cc1e53e3d6f5f4270e90d876d8364e9ef3224fecaecfff041ac51daedc3af4cc6a27f27876f7c0e6143968f60af9535763ef93951f15

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log
Filesize
167KB

MD5
72066bd4214863d05d1c87b52dfabb7d

SHA1
84e1704b67ec8389df597e4b3f589fc2f1fcfca9

SHA256
16d8d27935d47ac75dd4e616e7444de39545409f3d32189a4e6719905f63b945

SHA512
787363e3dd9138a476d6fad27d8fbee172e963d28c94601eebd658d789434a56aaf1d256a47dbfd0db88528e44d0b59bb5e48af583aa990dfb251e50d9da190d

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log
Filesize
195KB

MD5
f951c34a0480ea7ecce1f5334d373de9

SHA1
5e5d8d73ebe2583f1b1498da4ba956438ffaa8b6

SHA256
81c025ed8a89b5d869b7f14b9ae88954c6671ef740c263db5bfac0e18a8743f7

SHA512
a7d3fb7060f48f3ac21d6c5f191e0f9a1aef7d360ede879ddc5ed4e70f3b4d0504335c3dbf307fae1fa1157b76e69b065a6dccb0a07996ff5ff926b620cad317

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log
Filesize
170KB

MD5
c9d5a65aa784825d1cadedf1727bf585

SHA1
f2fefa18906177f5b68a1a927d7a4268fa2d8607

SHA256
d2f0e010f36ffc376e35ad99af1213da9d6dfb7c6338887df51b0d7a06effa9d

SHA512
3978dcfc7006c4ea424bcfac43955dd37c6bfac96304adb65a7c84a31ea3d5be955332a0cba88f5c70ee67a8a7b9cd36b811a37be6c528f19035c2352caeb6bf

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log
Filesize
208KB

MD5
803f22c7f6c4d31ee80c3d781d299ee3

SHA1
d762c83d2f42d2e6f68809d9b9bcccc6e89f3de8

SHA256
481d4a36de5e0c5557f2e3ad9d0c2628dc90ff0165b7a44722efee3820f22f31

SHA512
d39a9034fe5cc5538740ad0fa0bd1b0b3b4ca306e2f5d5295b3c7ab71b0985acbe381437930929039a38f557ee1634a3665dc4628b0d4423c697ce0285eda2c9

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log
Filesize
170KB

MD5
f1b7aa4ac80f3bea4ec8a75ddd542970

SHA1
634aecde15233798b53434a3e64a1cebe10e7b88

SHA256
b0c4b1c3c690c9286c789f7478abe8c67275c8f94bd19a48dfcb036af67a626d

SHA512
ff7867ec72ac5016a12cb65af4e50bc13b89bdd71a08a28a74a92bbae7deb28af0020112f90206eb2439328e425aee5b730da698f52d440290f4b7d604f1e676

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log
Filesize
190KB

MD5
5903797b2d0644ffac2bb19f7ddafbce

SHA1
44688ca94544b4a9e5d9984c9e5d4261e0c95ab5

SHA256
b231fe413335c82f7a968627be1950ee1c6286e312c2c8deec593af2d305b77d

SHA512
fd2b0e97e972fba1657fc2bee95a204b88ee8184d91defb474787de870eef981ea85238adec264440226cf5d151c718772d57e04f3f3d309feb6b2c47cacd7eb

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log
Filesize
170KB

MD5
8c253ed92c609fd8e7564b69bc325ddb

SHA1
197647bca277f10b12513df5fd49aa772ddf3043

SHA256
36b5908a51fc30b2587d4cea7c76d3ebe07160351c9e23b41cc730acf6515152

SHA512
6e36f57a7bfbc6a75d071e72345b891b8a74f4fe4f7de588893e22365d364fc03799c40796d170323233995c8e5e95d77437c1634de0d7d02688726300e9a267

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log
Filesize
198KB

MD5
e8a7937c7ad944ab456fd9e57f41346a

SHA1
32824ab71d4ea72b23038bcb4abf29138be54e90

SHA256
5cc85283f5f0111b34e4fbe49f8cbca8a666b5cb1d26f7b7257347ad30207436

SHA512
576b5bc24c7f790e4f171fda8bebb55d3a2959a590551f8968964bf579f63240dd232b6aa07d1eec8eefa29caaadd00e7f6a273a701b9d2c8124aa46b6428815

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log
Filesize
123KB

MD5
4b994a17054d5b043fd08694a8fdc48d

SHA1
2490c39f318dfed9a6ae5217fea685eb5a71f819

SHA256
7d542d20da2c831780f871f292eff4355e55908bde2d15367adaf068b6df1f66

SHA512
b303257b732f5c6bd12acb872bdd5619f3444da266979e3598ae4e713e48aa5e04c4be37db181fa88fc1e83f90833f4f73de3d2bcec8ee725cc84c5497f9f22c

Download Submit
C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log
Filesize
129KB

MD5
24c41370a01121a8a30edfd14d81746d

SHA1
d2f482b7e854e0cdb64ac74ef10badf7fbdd7a02

SHA256
57b5c7316792919fbf1ff1a47cb261be4df07742f46f9dcc51918252d9bfeba1

SHA512
c245e8bae4dae3f4d670fc7cbd58d12eb705c9a31ecdd771569bdd89d73f10ed2218f34050b1c9cf2d978d1d5a4c0fcb2643f18296580521b1edcabd3b2be499

Download Submit
C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log
Filesize
123KB

MD5
4e6b3fe6593fd5a5a9182173770d4013

SHA1
4442e71fa297a441f271746b808d956d098db4af

SHA256
b5477c2215003d16f93955b90f76b402089ba20017a761557b00af7e5d0dc64e

SHA512
b719218711cbfa921b0e3c9dd42d47adfc2aff4985e5febba0ae6d979fc1ad857fffa64bbf68afab3d6ef6956d0289e1d6b0d8eccb01e5a72ab0c1d2cf873414

Download Submit
C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log
Filesize
135KB

MD5
186a61a5844dac11ab082f56eb295cb9

SHA1
2e957e01322150deb3f564d865212e69d923ceea

SHA256
126c284074e3bfc56394af81b953d7a395695a95e743c62bdf408482d32b1a2f

SHA512
a20c56ad91052c5247615ad7e8e1080d706c3a2317590b7534283414ff6f022631f339ba0988dcab22474ca6e809fd11b959f5ea59615a899ed2fb9ed8ed59db

Download Submit
memory/2736-42-0x00007FF8C6CF0000-0x00007FF8C6D00000-memory.dmp

Filesize
64KB

Download
memory/2736-87-0x00007FF8C6CF0000-0x00007FF8C6D00000-memory.dmp

Filesize
64KB

Download
memory/2736-88-0x00007FF8C6CF0000-0x00007FF8C6D00000-memory.dmp

Filesize
64KB

Download
memory/2736-85-0x00007FF8C6CF0000-0x00007FF8C6D00000-memory.dmp

Filesize
64KB

Download
memory/2736-44-0x00007FF8C4C40000-0x00007FF8C4C50000-memory.dmp

Filesize
64KB

Download
memory/2736-43-0x00007FF8C4C40000-0x00007FF8C4C50000-memory.dmp

Filesize
64KB

Download
memory/2736-86-0x00007FF8C6CF0000-0x00007FF8C6D00000-memory.dmp

Filesize
64KB

Download
memory/2736-41-0x00007FF8C6CF0000-0x00007FF8C6D00000-memory.dmp

Filesize
64KB

Download
memory/2736-40-0x00007FF8C6CF0000-0x00007FF8C6D00000-memory.dmp

Filesize
64KB

Download
memory/2736-39-0x00007FF8C6CF0000-0x00007FF8C6D00000-memory.dmp

Filesize
64KB

Download
memory/2736-38-0x00007FF8C6CF0000-0x00007FF8C6D00000-memory.dmp

Filesize
64KB

Download
memory/3592-30-0x0000015BE2ED0000-0x0000015BE2ED1000-memory.dmp

Filesize
4KB

Download
memory/3592-31-0x0000015BE2ED0000-0x0000015BE2ED1000-memory.dmp

Filesize
4KB

Download
memory/3592-32-0x0000015BE2ED0000-0x0000015BE2ED1000-memory.dmp

Filesize
4KB

Download
memory/3592-33-0x0000015BE2ED0000-0x0000015BE2ED1000-memory.dmp

Filesize
4KB

Download
memory/3592-34-0x0000015BE2ED0000-0x0000015BE2ED1000-memory.dmp

Filesize
4KB

Download
memory/3592-35-0x0000015BE2ED0000-0x0000015BE2ED1000-memory.dmp

Filesize
4KB

Download
memory/3592-36-0x0000015BE2ED0000-0x0000015BE2ED1000-memory.dmp

Filesize
4KB

Download
memory/3592-26-0x0000015BE2ED0000-0x0000015BE2ED1000-memory.dmp

Filesize
4KB

Download
memory/3592-25-0x0000015BE2ED0000-0x0000015BE2ED1000-memory.dmp

Filesize
4KB

Download
memory/3592-24-0x0000015BE2ED0000-0x0000015BE2ED1000-memory.dmp

Filesize
4KB

Download

pid	process
372	$RELPZ36.exe
4944	$RELPZ36.exe
3344	$RELPZ36.exe
432	$RELPZ36.exe
1228	$RELPZ36.exe