hxxps://87[.]237[.]139[.]46/

Analysis

max time kernel
174s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 13:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://87.237.139.46/

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Update.exe

Executes dropped EXE 12 IoCs

pid	Process
4912	Update.exe
4140	Update.exe
3812	Update.exe
1132	Update.exe
4664	Squirrel.exe
1132	Update.exe
1388	Squirrel.exe
5096	KerioConnect.exe
3856	Update.exe
656	KerioConnect.exe
900	KerioConnect.exe
3144	KerioConnect.exe

Loads dropped DLL 18 IoCs

pid	Process
5096	KerioConnect.exe
5096	KerioConnect.exe
5096	KerioConnect.exe
5096	KerioConnect.exe
656	KerioConnect.exe
656	KerioConnect.exe
656	KerioConnect.exe
656	KerioConnect.exe
656	KerioConnect.exe
656	KerioConnect.exe
900	KerioConnect.exe
900	KerioConnect.exe
900	KerioConnect.exe
900	KerioConnect.exe
900	KerioConnect.exe
3144	KerioConnect.exe
3144	KerioConnect.exe
3144	KerioConnect.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Applications\KerioConnect.exe\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Applications\KerioConnect.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\KerioConnect\\app-9.3.1.18176\\KerioConnect.exe\" \"%1\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\KerioConnectClient.mailto	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\KerioConnectClient.mailto\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\KerioConnect\\app-9.3.1.18176\\KerioConnect.exe\" -mailto \"%1\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Applications\KerioConnect.exe	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Applications	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Applications\KerioConnect.exe	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Applications\KerioConnect.exe\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\KerioConnectClient.mailto\shell\open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\KerioConnectClient.mailto	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Applications\KerioConnect.exe\FriendlyAppName = "Kerio Connect"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Applications\KerioConnect.exe\ApplicationCompany = "Kerio Technologies Inc."	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Applications\KerioConnect.exe	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\KerioConnectClient.mailto\ = "Kerio Connect MAILTO Handler"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\KerioConnectClient.mailto\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Applications	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Applications\KerioConnect.exe\shell\open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\KerioConnectClient.mailto\shell	reg.exe

Modifies registry key 1 TTPs 17 IoCs

Modify Registry

T1112

pid	Process
3452	reg.exe
4568	reg.exe
3076	reg.exe
524	reg.exe
1764	reg.exe
4176	reg.exe
3260	reg.exe
4504	reg.exe
4228	reg.exe
3608	reg.exe
4848	reg.exe
4936	reg.exe
3732	reg.exe
4852	reg.exe
4024	reg.exe
4036	reg.exe
4436	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1132	Update.exe
1132	Update.exe
3812	Update.exe
3812	Update.exe
1132	Update.exe
1132	Update.exe
5096	KerioConnect.exe
5096	KerioConnect.exe
656	KerioConnect.exe
656	KerioConnect.exe
900	KerioConnect.exe
900	KerioConnect.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	Update.exe
Token: SeIncreaseQuotaPrivilege	3548	WMIC.exe
Token: SeSecurityPrivilege	3548	WMIC.exe
Token: SeTakeOwnershipPrivilege	3548	WMIC.exe
Token: SeLoadDriverPrivilege	3548	WMIC.exe
Token: SeSystemProfilePrivilege	3548	WMIC.exe
Token: SeSystemtimePrivilege	3548	WMIC.exe
Token: SeProfSingleProcessPrivilege	3548	WMIC.exe
Token: SeIncBasePriorityPrivilege	3548	WMIC.exe
Token: SeCreatePagefilePrivilege	3548	WMIC.exe
Token: SeBackupPrivilege	3548	WMIC.exe
Token: SeRestorePrivilege	3548	WMIC.exe
Token: SeShutdownPrivilege	3548	WMIC.exe
Token: SeDebugPrivilege	3548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3548	WMIC.exe
Token: SeRemoteShutdownPrivilege	3548	WMIC.exe
Token: SeUndockPrivilege	3548	WMIC.exe
Token: SeManageVolumePrivilege	3548	WMIC.exe
Token: 33	3548	WMIC.exe
Token: 34	3548	WMIC.exe
Token: 35	3548	WMIC.exe
Token: 36	3548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3548	WMIC.exe
Token: SeSecurityPrivilege	3548	WMIC.exe
Token: SeTakeOwnershipPrivilege	3548	WMIC.exe
Token: SeLoadDriverPrivilege	3548	WMIC.exe
Token: SeSystemProfilePrivilege	3548	WMIC.exe
Token: SeSystemtimePrivilege	3548	WMIC.exe
Token: SeProfSingleProcessPrivilege	3548	WMIC.exe
Token: SeIncBasePriorityPrivilege	3548	WMIC.exe
Token: SeCreatePagefilePrivilege	3548	WMIC.exe
Token: SeBackupPrivilege	3548	WMIC.exe
Token: SeRestorePrivilege	3548	WMIC.exe
Token: SeShutdownPrivilege	3548	WMIC.exe
Token: SeDebugPrivilege	3548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3548	WMIC.exe
Token: SeRemoteShutdownPrivilege	3548	WMIC.exe
Token: SeUndockPrivilege	3548	WMIC.exe
Token: SeManageVolumePrivilege	3548	WMIC.exe
Token: 33	3548	WMIC.exe
Token: 34	3548	WMIC.exe
Token: 35	3548	WMIC.exe
Token: 36	3548	WMIC.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
3812	Update.exe
4912	Update.exe
4140	Update.exe
1132	Update.exe
4912	Update.exe
1132	Update.exe
656	KerioConnect.exe
656	KerioConnect.exe
656	KerioConnect.exe
656	KerioConnect.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
656	KerioConnect.exe
656	KerioConnect.exe
656	KerioConnect.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 4912	4256	kerio-connect-client-win64-9.3.1.18176.exe	116
PID 4256 wrote to memory of 4912	4256	kerio-connect-client-win64-9.3.1.18176.exe	116
PID 4256 wrote to memory of 4912	4256	kerio-connect-client-win64-9.3.1.18176.exe	116
PID 4800 wrote to memory of 4140	4800	kerio-connect-client-win64-9.3.1.18176.exe	117
PID 4800 wrote to memory of 4140	4800	kerio-connect-client-win64-9.3.1.18176.exe	117
PID 4800 wrote to memory of 4140	4800	kerio-connect-client-win64-9.3.1.18176.exe	117
PID 456 wrote to memory of 3812	456	kerio-connect-client-win64-9.3.1.18176.exe	122
PID 456 wrote to memory of 3812	456	kerio-connect-client-win64-9.3.1.18176.exe	122
PID 456 wrote to memory of 3812	456	kerio-connect-client-win64-9.3.1.18176.exe	122
PID 1844 wrote to memory of 1132	1844	kerio-connect-client-win64-9.3.1.18176.exe	124
PID 1844 wrote to memory of 1132	1844	kerio-connect-client-win64-9.3.1.18176.exe	124
PID 1844 wrote to memory of 1132	1844	kerio-connect-client-win64-9.3.1.18176.exe	124
PID 4912 wrote to memory of 4664	4912	Update.exe	126
PID 4912 wrote to memory of 4664	4912	Update.exe	126
PID 4912 wrote to memory of 4664	4912	Update.exe	126
PID 1124 wrote to memory of 1132	1124	kerio-connect-client-win64-9.3.1.18176.exe	133
PID 1124 wrote to memory of 1132	1124	kerio-connect-client-win64-9.3.1.18176.exe	133
PID 1124 wrote to memory of 1132	1124	kerio-connect-client-win64-9.3.1.18176.exe	133
PID 1132 wrote to memory of 1388	1132	Update.exe	134
PID 1132 wrote to memory of 1388	1132	Update.exe	134
PID 1132 wrote to memory of 1388	1132	Update.exe	134
PID 1132 wrote to memory of 5096	1132	Update.exe	135
PID 1132 wrote to memory of 5096	1132	Update.exe	135
PID 5096 wrote to memory of 2132	5096	KerioConnect.exe	136
PID 5096 wrote to memory of 2132	5096	KerioConnect.exe	136
PID 5096 wrote to memory of 4624	5096	KerioConnect.exe	138
PID 5096 wrote to memory of 4624	5096	KerioConnect.exe	138
PID 4624 wrote to memory of 1600	4624	cmd.exe	140
PID 4624 wrote to memory of 1600	4624	cmd.exe	140
PID 5096 wrote to memory of 4308	5096	KerioConnect.exe	141
PID 5096 wrote to memory of 4308	5096	KerioConnect.exe	141
PID 4308 wrote to memory of 2380	4308	cmd.exe	143
PID 4308 wrote to memory of 2380	4308	cmd.exe	143
PID 2380 wrote to memory of 3548	2380	cmd.exe	144
PID 2380 wrote to memory of 3548	2380	cmd.exe	144
PID 4308 wrote to memory of 524	4308	cmd.exe	146
PID 4308 wrote to memory of 524	4308	cmd.exe	146
PID 4308 wrote to memory of 1764	4308	cmd.exe	147
PID 4308 wrote to memory of 1764	4308	cmd.exe	147
PID 4308 wrote to memory of 3608	4308	cmd.exe	148
PID 4308 wrote to memory of 3608	4308	cmd.exe	148
PID 4308 wrote to memory of 3452	4308	cmd.exe	149
PID 4308 wrote to memory of 3452	4308	cmd.exe	149
PID 4308 wrote to memory of 4852	4308	cmd.exe	150
PID 4308 wrote to memory of 4852	4308	cmd.exe	150
PID 4308 wrote to memory of 4568	4308	cmd.exe	151
PID 4308 wrote to memory of 4568	4308	cmd.exe	151
PID 4308 wrote to memory of 4176	4308	cmd.exe	152
PID 4308 wrote to memory of 4176	4308	cmd.exe	152
PID 4308 wrote to memory of 3260	4308	cmd.exe	153
PID 4308 wrote to memory of 3260	4308	cmd.exe	153
PID 4308 wrote to memory of 4024	4308	cmd.exe	154
PID 4308 wrote to memory of 4024	4308	cmd.exe	154
PID 4308 wrote to memory of 4848	4308	cmd.exe	155
PID 4308 wrote to memory of 4848	4308	cmd.exe	155
PID 4308 wrote to memory of 4936	4308	cmd.exe	156
PID 4308 wrote to memory of 4936	4308	cmd.exe	156
PID 4308 wrote to memory of 4504	4308	cmd.exe	157
PID 4308 wrote to memory of 4504	4308	cmd.exe	157
PID 4308 wrote to memory of 3732	4308	cmd.exe	158
PID 4308 wrote to memory of 3732	4308	cmd.exe	158
PID 4308 wrote to memory of 4036	4308	cmd.exe	159
PID 4308 wrote to memory of 4036	4308	cmd.exe	159
PID 4308 wrote to memory of 3076	4308	cmd.exe	160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://87.237.139.46/
1⤵
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5776 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5812 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5912 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=6068 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4824 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5132 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:3756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5104 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5276 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6384 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6460 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6296 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=2552 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6720 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7436 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3356

C:\Users\Admin\Downloads\kerio-connect-client-win64-9.3.1.18176.exe
"C:\Users\Admin\Downloads\kerio-connect-client-win64-9.3.1.18176.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\Squirrel.exe
    "C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:4664

C:\Users\Admin\Downloads\kerio-connect-client-win64-9.3.1.18176.exe
"C:\Users\Admin\Downloads\kerio-connect-client-win64-9.3.1.18176.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\ProgramData\Admin\SquirrelTemp\Update.exe
  "C:\ProgramData\Admin\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6468 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1856

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6468 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=6480 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:2364

C:\Users\Admin\Downloads\kerio-connect-client-win64-9.3.1.18176.exe
"C:\Users\Admin\Downloads\kerio-connect-client-win64-9.3.1.18176.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:3812

C:\Users\Admin\Downloads\kerio-connect-client-win64-9.3.1.18176.exe
"C:\Users\Admin\Downloads\kerio-connect-client-win64-9.3.1.18176.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=5440 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=6752 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6020 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6020 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=6804 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:1
1⤵
PID:2120

C:\Users\Admin\Downloads\kerio-connect-client-win64-9.3.1.18176.exe
"C:\Users\Admin\Downloads\kerio-connect-client-win64-9.3.1.18176.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\Squirrel.exe
    "C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    PID:1388
- - C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe
    "C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe" --squirrel-install 9.3.1.18176
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /s /c "copy /Y /B "C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\resources\app.ico" "C:\Users\Admin\AppData\Local\KerioConnect""
      4⤵
      PID:2132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /s /c "REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KerioConnect /f /v DisplayIcon /d "C:\Users\Admin\AppData\Local\KerioConnect\app.ico""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KerioConnect /f /v DisplayIcon /d "C:\Users\Admin\AppData\Local\KerioConnect\app.ico"
        5⤵
        
        PID:1600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /s /c ""C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\resources\extensions\mapiDll\registerClient.cmd" install "C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic os get version /value
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get version /value
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Classes\Applications\KerioConnect.exe /v FriendlyAppName /t REG_SZ /d "Kerio Connect" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:524
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Classes\Applications\KerioConnect.exe /v ApplicationCompany /t REG_SZ /d "Kerio Technologies Inc." /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:1764
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Classes\Applications\KerioConnect.exe\shell\open\command /ve /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe\" \"%1\"" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:3608
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Clients\Mail\KerioConnectClient /f /ve /d "Kerio Connect"
        5⤵
        Modifies registry key
        
        PID:3452
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\RegisteredApplications /v KerioConnectClient /t REG_SZ /d "Software\Clients\Mail\KerioConnectClient\Capabilities" /f
        5⤵
        Modifies registry key
        
        PID:4852
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Clients\Mail\KerioConnectClient\Capabilities /f /v ApplicationDescription /t REG_SZ /d "Kerio Connect client"
        5⤵
        Modifies registry key
        
        PID:4568
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Clients\Mail\KerioConnectClient\Capabilities /f /v ApplicationName /t REG_SZ /d "Kerio Connect"
        5⤵
        Modifies registry key
        
        PID:4176
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Clients\Mail\KerioConnectClient\Capabilities /f /v ApplicationIcon /t REG_SZ /d "C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe"
        5⤵
        Modifies registry key
        
        PID:3260
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Clients\Mail\KerioConnectClient\Capabilities\StartMenu /f /v Mail /t REG_SZ /d "KerioConnectClient"
        5⤵
        Modifies registry key
        
        PID:4024
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Clients\Mail\KerioConnectClient\Capabilities\UrlAssociations /f /v mailto /t REG_SZ /d "KerioConnectClient.mailto"
        5⤵
        Modifies registry key
        
        PID:4848
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Clients\Mail\KerioConnectClient\Capabilities\FileAssociations /f
        5⤵
        Modifies registry key
        
        PID:4936
    - - C:\Windows\system32\reg.exe
        
        REG DELETE HKCU\SOFTWARE\Clients\Mail\KerioConnectClient\Capabilities\FileAssociations /f /ve
        5⤵
        Modifies registry key
        
        PID:4504
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Classes\KerioConnectClient.mailto /f /ve /d "Kerio Connect MAILTO Handler"
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:3732
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Classes\KerioConnectClient.mailto\shell\open\command /f /ve /d "\"C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe\" -mailto \"%1\""
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:4036
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Clients\Mail\KerioConnectClient /f /v DLLPath /d "C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\resources\extensions\mapiDll\MapiDll.dll"
        5⤵
        Modifies registry key
        
        PID:3076
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Clients\Mail\KerioConnectClient\DefaultIcon /f /ve /t REG_SZ /d "C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe"
        5⤵
        Modifies registry key
        
        PID:4436
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKCU\SOFTWARE\Clients\Mail\KerioConnectClient\shell\open\command /f /ve /t REG_SZ /d "C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe"
        5⤵
        Modifies registry key
        
        PID:4228
  - - C:\Users\Admin\AppData\Local\KerioConnect\Update.exe
      C:\Users\Admin\AppData\Local\KerioConnect\Update.exe --createShortcut KerioConnect.exe
      4⤵
      Executes dropped EXE
      PID:3856
- - C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe
    "C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:656
  - - C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe
      "C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe" --type=renderer --no-sandbox --primordial-pipe-token=C7D154522D968207260A9BF1DB30E37E --lang=en-US --app-user-model-id=com.squirrel.KerioConnect.KerioConnect --node-integration=true --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="656.0.1973986385\863888189" --mojo-platform-channel-handle=2148 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:900
  - - C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe
      "C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\KerioConnect.exe" --type=renderer --no-sandbox --primordial-pipe-token=A7DD7CC91FD2C9E2B4D7BFAC64C8D8D2 --lang=en-US --app-user-model-id=com.squirrel.KerioConnect.KerioConnect --node-integration=true --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="656.1.1912081771\859690320" --mojo-platform-channel-handle=2460 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\SquirrelSetup.log

Filesize
192B

MD5
36810e7d704412940dbf0658db52761d

SHA1
cd4936255f395fc7d88d8c8348c04fd3c654717c

SHA256
e3b5aaba9cdaf84d12b2db401fed9b70a6da8e4e0f2199260c9a40e43dfd6080

SHA512
6dcacfbe9aa9fa07be5afdcbf00d9fd209cee5fefa4a294d7cdab7af0d114ed750fe7fc6955d54f28faa7315e29c9b7b12c6484a916bdcf1d32a47ef214047d2

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\lib\net45\LICENSE

Filesize
1KB

MD5
532767e203e2b0dcc6130bc5dc9827ad

SHA1
02b70a701b37c70687f16126cd0bfd72849ae998

SHA256
dd299025b9cafc43995be91599d15566ec19892a6cf9e9c2fc96f0b778ce6318

SHA512
cc70e998d5a6aba734cf038a22d27216b5bfe38a36a6cb8ba0e723785695710e08054b939edd470d28594fbe6c274b5d950cd3869dcac89f89d8f8e84dbcf48d

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\lib\net45\content_resources_200_percent.pak

Filesize
15B

MD5
7c321056f805aabd5a503821fa1994cd

SHA1
9c690875c9189c66c93ebd4c0971739653bccd19

SHA256
261e6aad3ad0a5f608b5694919ee39026c4c3eb4256540068f7c1aa46be9315a

SHA512
8a5f4b3726e4513251475ac470f86f0daa0d5ae42bb750019ce96ed871cb04a7391cea2cef79e67c585e3a982041575e60d0f79b3a5bb9ad09be53362787f090

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\lib\net45\content_shell.pak

Filesize
9.2MB

MD5
3aa9b40393d8f2a8f9a12288b8fcc567

SHA1
2459b5cdfa0ef04193a8b56b859589ec4d9e3adb

SHA256
03eeaeca9ee6f9d6018231fd5a0c08fb24251f7feed6e84f1c620fea3618dd87

SHA512
5a46da806ab1110a5253c7a8cb957a2d7440b91f21fb021ebd7dda55b83fa2fd9104d8de83be1b21864ab32975bc3e4df6b999ffa5cf7a4fa0c90f0b7cb42f74

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\lib\net45\d3dcompiler_47.dll

Filesize
4.0MB

MD5
b0ae3aa9dd1ebd60bdf51cb94834cd04

SHA1
ee2f5726ac140fb42d17aba033d678afaf8c39c1

SHA256
e994847e01a6f1e4cbdc5a864616ac262f67ee4f14db194984661a8d927ab7f4

SHA512
756ebf4fa49029d4343d1bdb86ea71b2d49e20ada6370fd7582515455635c73d37ad0dbdeef456a10ab353a12412ba827ca4d70080743c86c3b42fa0a3152aa3

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\lib\net45\ffmpeg.dll

Filesize
2.2MB

MD5
8842bcd37bf11d36a50f9f1f1c82b7b5

SHA1
5f5e35e35f213e36263c5805594f4a3d670a9135

SHA256
163944e0a2ccaeb9cc804415beeb19dfc0cb82159f1e62da958c1fcd26a26dcb

SHA512
6868b81d552d6f56953b4f5fc874fcf4b5f6163c2bb7a43571ffc000f6f34ce19b1ec3a7366b3a870137abe73b44e67666d627e068705b41badd8b3068ecd165

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\lib\net45\icudtl.dat

Filesize
9.7MB

MD5
902390b21dacb5a9ffca556d48750ce1

SHA1
7c401afe79968c4e8ba632e8b3e8d7927d9143bf

SHA256
77a8e391713d2d7e2c082e20a1fdb5e7cd8a907f33a773d491dbef981e838b05

SHA512
8b9381c7dc22e4b56b4b39a63beb0e4cdcb1bb974b0d6eba2c3af080e9d4a9381d0f16fa53d4b6508d1175a906e27eb6123cd6c13d8eb6453fd5732900697dac

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\lib\net45\libEGL.dll

Filesize
92KB

MD5
a89fbef1eea4d3727c34bd026b1a4d91

SHA1
4afe81cf426d0ed56ef9dd36f205ca16ebc2ef61

SHA256
ff9d7d30031a344e6d55372e077ebacdb6affb99d15e2176479de23e0895c524

SHA512
8130730e99dc6d02c3912e12d21cf5a9a59b9ba4d2b05466fcc5c67139e4e81722dfac0fb1c079b9d7ef61df3d77af0b891a2d1765027f23ba04f76bd0aa3ce2

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\lib\net45\libGLESv2.dll

Filesize
2.7MB

MD5
c6a166a6bc37c100b098faee09f933c2

SHA1
ae15f65502e4ebd2b131e57bd6c779273593592d

SHA256
a8cfffb92d6979b26b51395623f77fd85957fad303f6e38aeae7ad5db3baa06b

SHA512
a20794167de29b916dc126179452ba8c7f76221dcfec124ffe8c1a2709ffa385677cc5f18fcca9164634f002bd49da610f93d0e2603e99a922d6e5e69536c246

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\lib\net45\natives_blob.bin

Filesize
405KB

MD5
f212164aba342775d8042312d1c6f4ca

SHA1
77ec0cd819dec553a586cc25c0c06991c1e3cff3

SHA256
1336eb54032265fb934b5f595c46fbd758f20510cb4c5fa4c561575610158b1d

SHA512
8d83a47e7d58a068a7b54419868fa3eaf167144660b4c3c81044a234ad7453585946a44fba3aac813fd51986a427617861087b60492e205a1dba742df2902d2e

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\lib\net45\node.dll

Filesize
15.3MB

MD5
44b48b03f8658d6bb2a4ee6551a1cb47

SHA1
325b60648c38b7bc009879c55fbcd1502d6a5b54

SHA256
a9f2685b60f66b8826272757bafba17d8d324806dc562832711a02be53b2d36b

SHA512
82581b49bffd2e2c322a22962589f3c3a1868759f6e95fa74f872d244774cc7d1a22f5d079bf8cd61bd485f108f976c6a8961eeb3a9b1223cb11f8595d80ac2a

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\am.pak

Filesize
5KB

MD5
527a8f14249ef5d5d58c52af4f9b677c

SHA1
e6214577b5d427bc08ede94ee8b3d610e51bc0f7

SHA256
16c4278c1e6d0901dca86158714c89c0de8300398d5a2acdc17269518f339884

SHA512
0a0c63718e8395ab95c840bdb6143cd6c0a87c760c9b3bf7dcaa246160ff368fe08d20d7c701d038a9af3a8c0085792e515a4ac776421ea8e874a429f28bc3f7

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\ar.pak

Filesize
5KB

MD5
98b92a31b5c09a056955b87b717ae833

SHA1
592c47eb75c8614fc4a59799749465cb64a6fe25

SHA256
311c2084469e4d5449fb3ee21852aadcfeaa97a6c64690c9e040be141a6135e3

SHA512
52744fe7e84f6928578e929e74aed469294e2a38b9646aed465591a6456e486e362e3b78c3a165c798e11ddad4b5a31991d5a6d27ae5263255e0a0c71a26f952

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\bg.pak

Filesize
6KB

MD5
bcddd374d0a791002e884ca34e5461a0

SHA1
c583d1546bf65cde633c32301a2933933998fae5

SHA256
2eb0bcd8f032327df3cb2d22ea170e017d6187511a9b5a37cf2869621244e97e

SHA512
f97ff99fc263c88adf164851d5b6cc36396809d0513737ad3bb06578de121b000d7622ee5515686b2f66b3dd9b52c2942f5c0bd0afe65e68b79aaad64818be3b

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\bn.pak

Filesize
8KB

MD5
067b1686949a7faa887d0b1a00060476

SHA1
8516d69b0e1e84a5c31cff011658beeec7abe20e

SHA256
bfa9a19a4d80dad047f134a714a9309571b0743ed3d41844412d003fce5b1c9e

SHA512
1667c4ede050db3d220c0a50dcc23e7ae466251331188232038a6b545d7b1fa30d6582b0520d98cd535761fb3864c3e442243a055b08c30addebd88fa675c460

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\ca.pak

Filesize
4KB

MD5
687af8fd3516e64e4adb0b00f23776fb

SHA1
2d4ab7297683e434e6b178464677c872d373d2e0

SHA256
f0424c6cfe34306eb1aa91e2422dbda49382815bbf2749982fd133869feef13f

SHA512
ff4e0d2f949afe6773780657de047c6765b27e9cdbdca8bc06149daa185a62af8cab681523d5d8b25fc532560f295b24b98e40796283190e7c8a6195e9a24bf8

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\cs.pak

Filesize
3KB

MD5
a6ac52df4f57fae88bb86ca4b3d03549

SHA1
00158513bb465a1df23fbf4cc4276556dbab7af4

SHA256
d343782c6e9d9f698b176fb9ff8511cafcfae2321399df623260b0a523b07e94

SHA512
944de676fda11bbab3431665384187c1b9c573f0ef7767a15d37938ea161acfd09e94d31f8c55ae5ec032aac5551357724dd8eb727b444e9e3e41cd9eb5e77d4

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\da.pak

Filesize
3KB

MD5
1514e0f6a81c59c01d61fea4f995aab6

SHA1
31e62b07a376d2dc3f175fa024b4090001ce4066

SHA256
51b09ba0c637d34a22c2f447cec2566c24a1150183f36ab6a29892d61e12bcef

SHA512
932234ed34f9a431e4aa362b67fd6a105041496be84b0fd04ebce6178d5701117c3db0310416bf7c96e15870be0693783577fdb651efb1156ed2b720eb9b34f4

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\de.pak

Filesize
3KB

MD5
6e679a749762c319a51a30ad2488fc09

SHA1
3961089c9f87c10b954f75b2533184779e930d17

SHA256
f0cd6cdd4cfcc172b239764e3d890f39f3834cf32c242da53d25de104d27bed8

SHA512
7a96b167adb444d3d9eaac8f36b1487deb500fe670deb96e0b951874d471fcd4d42f8c100f317f3979b52812eecc5f036e4929d60d8cacc298a0d58c3c09fe96

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\el.pak

Filesize
7KB

MD5
5b495e5658c214ae3805f5d83ef2c8d7

SHA1
2d9ee99f7105881e8e7bfa2d6509194c8ff30461

SHA256
c83ffcd5425e83d33cee08be756d688ba4f5ca46ba5e2cf2d0d36870e0cb3223

SHA512
ae189f504030d8379a3b4735ed995044796b86e401718e3655c4cb3a9eb29f98546e9dc7db3f7e5732a1e6b37298d836e8eb22a004fe0909eb9ddd769d5dda1f

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\en-GB.pak

Filesize
3KB

MD5
d19be184bbec556675e8fc6c29d22036

SHA1
4bdb4eea3192eae9ddccd92fe89a2b15f73cdf37

SHA256
5a032bffec4f5c46e5197fa6f989f5fba9f60edfa82f291b6df445729a769063

SHA512
2c35b9a53ef44aef73226e39778ac6e76844efa9fdaecb938c7358d5e8885100a91d9cdd5a11f4c025130f35dd159f78f1eaf239fba43bc9f80684c5a04df183

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\en-US.pak

Filesize
3KB

MD5
d93989e6291de5c831e917daadb72e52

SHA1
a34e1c5c3be5606268d882b98eba04f090cd942e

SHA256
eea905ecb2bd81f6502fdda8c2161b1cfa073c49b908af041e768f936813999d

SHA512
539a97e3c3e830ec82109a0201c880982618eaf02aba4e45e95f56bab4e922726e595e78b4434107f290aca0df087c02fd3dc0edc6e373047a3133f0e6fde08f

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\es-419.pak

Filesize
4KB

MD5
9300d09fba5b633e7cca75803427aa1c

SHA1
4dca0b4c0789fabb917f8331ab7162a1ddd9edba

SHA256
dc63717d75c1a0d766e38a2624e1cae29186cbc95b2d62b4358d42a5fc751dbd

SHA512
b4571e3820f81f27693ff3ef946e4ed757c45dfb0dd08fbe5bb95fec4f1bdef7fcc0c4fcf8ee9f4f2cbc2566ba98baa2a684d86e642e6596f192e4aa326d4a2f

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\es.pak

Filesize
4KB

MD5
5807de7975d7b8ba87510087b4f73961

SHA1
42d05989dea0a75e9a1269b9e3d7cb319ec3862e

SHA256
4ea5f6b7763d96305b139efac1137a311963376b0a4e411f1b866617ed21f953

SHA512
d375d64dd0303f2f12a29065367eb25ec89e2a6c41888a8237aa9f773ec85ea4382ec5168d345738ce56b5884fd0f0bdbd558bf26fee7ec89428d125401ec6fb

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\et.pak

Filesize
3KB

MD5
fbada345754b62426b6f6a24db80775f

SHA1
c32d6b34241222e69171315773b9cdba76510f81

SHA256
ce80c07c86d251c70af7407fc1441eda00c7b7def479c25bfdb6740127c4130e

SHA512
024d91149ef5d37139bf7ae3024d9250029d7a86a04c6bb13f23058729d59db4ea7140efb78346b0716114818bcd779e04e8976239adfcd30863178a8bc07b8c

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\fa.pak

Filesize
5KB

MD5
04f5350e24e021fb1cd3ab7a5e7ba8b3

SHA1
beb2c41ebb65066e60f17d1e49ed3388e2b03cd8

SHA256
dd549987202de5e072570e953ca19027d5d4b313bdd6189a803c06635beaac6d

SHA512
d2e77940974888bbbfb2c5b0012946cf36b12d77e69d61f21acff6e83f02c19f9478ad43da0c40363b568272470b2ff1669fe8fe28cc2e3ef21d44431718c977

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\locales\fake-bidi.pak

Filesize
5KB

MD5
d25423e8c1addca588b8093067680b2c

SHA1
2519df579f651883d1969d469f947b890c22a66a

SHA256
08b8ca74040c77eb902cfd00354e41b6d9a19e4657444e4289d11523c818c723

SHA512
a3a3e15e7b983b5c0f9279beba97e71c7e1c78e4d18052870c3e72d92ce498f5b565e5533f48e0d0f11f434058fb4f45552b12db32c668ec23e905ca8dd72a0d

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\resources\doc\async-license.txt

Filesize
1KB

MD5
d3ceb88c2d8ca1376ddb2a85dfe73761

SHA1
5a94d99131370003814d42b83f7d7126c39296a7

SHA256
470a94daf03a9c7c680dc2e779bf1bf265e4977532204bea7dde483a0d0fddf3

SHA512
0104dc8fa05f42ee4ca910ca0f6de67700284e5b94b032fc0527dc16d87de84328e89a65d6d93d9f969a523e56d1022b504f63300b6a7695ff5cefb616d8d7a6

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\resources\doc\electron-license.txt

Filesize
1KB

MD5
4bedce236fbab01d7f246502e649bfd8

SHA1
ded9e8dbe2725734261e16824061053843bcc8b1

SHA256
22b7384c299bfc05f51c078ed5539884a9de761de8f8c5f55a8ae8b50974577e

SHA512
0bfb4497fa8ebb5ee728b5766d20294781bcae0ebac668f33b45e4c81b6e0b8c3971ffda1c174ab3ee22997de012957fb6e4ec82365ea3307af1a6be242b9c39

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\resources\doc\file-api-license.txt

Filesize
11KB

MD5
d2794c0df5b907fdace235a619d80314

SHA1
c700a8b9312d24bdc57570f7d6a131cf63d89016

SHA256
cb5e8e7e5f4a3988e1063c142c60dc2df75605f4c46515e776e3aca6df976e14

SHA512
46cd9ba0455e2eeddb70b7c793a6476cfbb75fa306c3e3e4f66973cb3e4f3143a358ee6dd3b065d17ba06b2d63c2bc7cab8e1d01ede19a3eaa4fc18ce952cf65

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\resources\doc\html-entities-license.txt

Filesize
1KB

MD5
f99919fd26ee44344fc093f0f3f187e8

SHA1
f10f3a5e9b16a526fbf6abc4be406e6f07ecad93

SHA256
f8bcf3c7ea910a266c97007a3b93a11a4a9d735c2d1a86b71132a4dffd7cf8e8

SHA512
34905de3f90ab724cac985d0a51ec505ef3b9e9ef579e7195696e67913868902f51c27b6edf07cf4dda782a35ac98fa59698835db0421b259adada7db8620ede

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\resources\doc\keyboard-layout-license.txt

Filesize
1KB

MD5
dd413c962a5a67c951cc5dd842060ace

SHA1
1ba7748029a7b07f97ea2864e81ea11ef855226d

SHA256
d5af8fc171f6f600c0ab4e7597dca398dda80dbe6821ce01cef78e859e7a00f8

SHA512
7fc2b15f54a7f56e2f305ad48f4f5210675d3d34c46ffe7234d33e1b5fb9ad3d28494b3494be7bf64210b9feeba2a209290ae9c1722acc07abf1d75c4e14baae

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\resources\doc\keytar-license.txt

Filesize
1KB

MD5
a125ce57bc1a2a8f705ec4e556d26437

SHA1
17d148f53ea6396a0a71d0a3ddd5c942a6d43e5a

SHA256
224fcc506ef97afd088b487edab374abcad7e3d4de55fb8cce4f04328397213f

SHA512
ca664e9ec12e6e23878c55f2b56e44fac50fc8b88c71499a4794fe3a0e8de18008c7435970628c8386410534dd5cc27af3ea5e7a818d6244f6159bc183969638

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\snapshot_blob.bin

Filesize
646KB

MD5
5f9965f859e0c7463d7d2eb457d9ebbd

SHA1
a3d9de9a0314f599405982a54c99a13171462bfa

SHA256
099c2be7d425ff941ad20b844b72ce9ffb04a6b1d5a3e56e3a0c32552455fe2c

SHA512
06ce26834d89c588ae7259fda90cdaedffc9dbcd599e7dc6e313661ab920ff871e4a6efc0feb1776580595e30fd37457f856aaf55f36b4921bcb90c63113b714

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\squirrel.exe

Filesize
1.5MB

MD5
80fcd6a284e99937caee13823c2e649d

SHA1
89fe89979fe25639c65119186c4f64b3db08e91e

SHA256
0622491345e878716061e743888b78c2c7921fea8a8c786f45b96163ea151068

SHA512
29189e9965d5696e7c628fc224bbb849bcc603dc9bb27327b11f86aa5a2e3ef7362f8318ea0378eb498a03226be1efea61f5300aad3cd45319738ca32c92511c

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\ui_resources_200_percent.pak

Filesize
77KB

MD5
36d066788d56a024a41c61e61efe53f0

SHA1
e3272cfb326771b66c316dc9f1c5dbb24aa756c1

SHA256
cec4c4fb02a5d631fddf0d46667fc26d320cac19b75c5bccc4917344b3225422

SHA512
10fd56fda15372d57d99ea48ffdaaaf8feca4654dd71dddc186d3d4ee908ce25ec0771b1609c8534d755eaaf43a9506f76a881728427d828ca7704bf65b4b43d

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app-9.3.1.18176\xinput1_3.dll

Filesize
104KB

MD5
bfb3091b167550ec6e6454813d3db244

SHA1
87e86a7c783f607697a4880e7e063ab87bf63034

SHA256
756cad002e1553cfa1a91ebe8c1b9380ffabe0b4b1916c4a4db802396ddfbef8

SHA512
ce2ead2480a3942081af4df4baee32de18862b5f0288169b9e8135cc710eb128f9a2b8a36bda87212c53fd4317359349c94d38b5da082638230dcb5669efede9

Download Submit
C:\Users\Admin\AppData\Local\KerioConnect\app.ico

Filesize
19KB

MD5
0325890f24d7184048083ea3d569d8f3

SHA1
b2a0b52e2331a5ab015b9939c5d169f5461fe09a

SHA256
ca65f2050714ec35a18573cb1039283d15f3feb5105d55b0836f9b352b83c586

SHA512
f0bf991b8e524b44f2418bbee3b6383b72d6b7f9fa96e751013f052102816d42b7dc3423c99c3adc962b18a77b62de3a00128ce3fb5bd26c81b74b7e50269d16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log

Filesize
2KB

MD5
73a190cbc25ea3bb8b9ae7a794e456f2

SHA1
e0329ed2f1edec56bfea776de89a7181ecb6a591

SHA256
8644f2ca66814c21579b989f41c7bc344f0b6cdebbc34c1167c45bea1df7dd83

SHA512
6eeef58b8849bfc9eeaa722c0214f525685f16265ac019d03e45b1a6d23f7fe49532b65662b69fe3d40109adb8200ccbf15d4a6d77296d12bf28b088b76454ea

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
88B

MD5
e98d249328a92e629cdbe1979fe5ea79

SHA1
422e309fdc606ba248aa59880a9ea587147ca3e2

SHA256
a1c50150f6291a7a0f13acadcb1f106d52421b816e120c6a3c646684b8000b7f

SHA512
adc376acf8dde6d536cb315c007e2d03fbfa8b4266ceee24b40d6b678a3849768e44a8927fd7e767559346a62aca4f04b8854888957dca3a05b6758096ce833b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.5MB

MD5
3a92becda630aef286a75e91b35d5fdc

SHA1
57b868846b1b1b13efb730d798ce04fe264d6b72

SHA256
0920783a56c230f40a26d6f7ab2a3d3f3b433b63cef73e8a4cc5bfdd034947b3

SHA512
80607ac4e9913cfa6641c968affb79b27cd98a1ec275a7b47a4b7714a2ab9ca2cfa131cc82bb3c434748e11f32cc7dc2c9ad540a62673c8d2cbd093384d81305

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
10KB

MD5
a132dcb71f77ec670f4f8a02201a2f19

SHA1
2ee4e59c655588c7d2a12019c1aeed967cb72fdd

SHA256
faba64d03f99e96862a20402ff3705054ce582a2b1b7669e9dd428f1c0d27236

SHA512
44bd4ebe7fd631241f0ed898f9e9ed4687bc42183e8a6fcf08e819b5f0fb3b68e6a489c343d2681dc7ef420563d5b524f013027c6cedda73689394c95858922d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C5C.tmp.node

Filesize
475KB

MD5
fad007bca1238462e801bc766fe93ed8

SHA1
5248e4955ae9401070d797f29c69b83928bb62f2

SHA256
04968458fcb27137f0a220db7c3c33aa79b899b6cf7ca952e6ae03d659ea8abd

SHA512
c6d45b65dbac7aa55fadeb4cfc3815fae109d7c8774947d4bf12368dc45c0475fbb12cdb1b46a496f14385d4c7bf6f29abadab250e3cd5e418bb11ee6a84931e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CAB.tmp.node

Filesize
153KB

MD5
b572116a483c4698bf2e034c3df959f7

SHA1
bbfdba3c20121d248d65a1d61a2c198a484e272b

SHA256
8e69613ff0d5076423bd803bf1cd6ad3219d0ace716c9d109d8e3bf1583fb9ab

SHA512
899901398b6d6aadcab8aa2e0839ae488fcc649a1e76a304e9921a9df8d70d721fc034e1f6579e515d98cd0a6e1e31f0284e8dd757342092aecf534f8a9c2565

Download Submit
C:\Users\Admin\AppData\Local\Temp\667C.tmp.node

Filesize
99KB

MD5
3cc665c777a4b7bcf4b0845dffa00608

SHA1
1423e9d8caea56ac182a721728abd8aa851fa549

SHA256
8c7804c1ac6f237b26c7fb407f9a4d5bfacf639a2a6dd50f0567ca30b06fcc14

SHA512
c077251dc56d399bd9bfba85e6abd49a2b633cd88d4ca15e2cc8ebd6193be251c4f5dfb7c1dcb6751052e38a5f2e097f1d52fc1779952cbaa1ed92d6f0d7ee32

Download Submit
C:\Users\Admin\AppData\Roaming\Kerio Connect\config.json

Filesize
62B

MD5
0e1449a0670036560d44fc6917ce1e90

SHA1
4b34d1266289c7f8db4a7ffe54c90597285ada91

SHA256
0cfcf966ce6569c1e8cc79d85d13d6894e71a08598ebe76dced1957d46e4a823

SHA512
7b0eeb58ddda8270a0daed64557c058b8725ccf081e7b6519128d576f4d608c076480ae70019b0aac94e8eb59dd1ee8f9c36c6dd1b1deca63be8a9c86da07bfd

Download Submit
C:\Users\Admin\AppData\Roaming\Kerio Connect\config.json

Filesize
96B

MD5
c4a0ce4f348a2e6ba290b962777b4adc

SHA1
4ca3a06239538a424f202fe3d6747fda33e01818

SHA256
c19d0aaa26943d4ef702460c3bf5a4e8da47856fa83c20db309daf6b5680ba47

SHA512
667fc177db2a459211c423808c77d08ef11a13092e1db3cb47c0fd93556a7a96c618fcd91855f5831444bb99fa935c266f3d6e0b6c83f21f1bc747686b1798be

Download Submit
C:\Users\Admin\AppData\Roaming\Kerio Connect\log.txt

Filesize
5KB

MD5
2d4db3553bcaaa4445f29f9a15620f8a

SHA1
bec409d4decbe26fde31a57f7598f3b801949207

SHA256
97fb353403c9c600ba49dab252e8f06dc9c77fe6a8f86541512199c058bd7a5d

SHA512
e0748eb03acb34434e94d88ce9749c5291de6607b5865715a08346bdafcf1fcb77e91a6bb6c872f4539e1178f9aacf8d849fbdf68d197a46624697c8d7ae4923

Download Submit
memory/4664-250-0x0000000000510000-0x0000000000690000-memory.dmp

Filesize
1.5MB

Download
memory/4912-253-0x0000000009320000-0x00000000093B2000-memory.dmp

Filesize
584KB

Download
memory/4912-255-0x00000000092B0000-0x00000000092D0000-memory.dmp

Filesize
128KB

Download
memory/4912-185-0x0000000005DC0000-0x0000000005DF8000-memory.dmp

Filesize
224KB

Download
memory/4912-14-0x0000000000200000-0x000000000037E000-memory.dmp

Filesize
1.5MB

Download
memory/4912-186-0x0000000005D90000-0x0000000005D9E000-memory.dmp

Filesize
56KB

Download