purelogstealer | hxxps://www[.]mediafire[.]com/file/5f2sbgx4qqftwcz/TreeSizePro9[.]1[.]5[.]1885x64[.]7z/file

Analysis

max time kernel
116s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/5f2sbgx4qqftwcz/TreeSizePro9.1.5.1885x64.7z/file

Score

10^/10

purelogstealer discovery stealer

Malware Config

Signatures

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-I317P.tmp\LicenseManager.exe	family_purelog_stealer
behavioral1/memory/2684-673-0x00000232C2DD0000-0x00000232C2F52000-memory.dmp	family_purelog_stealer
behavioral1/memory/4820-873-0x00000228FE390000-0x00000228FE512000-memory.dmp	family_purelog_stealer

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TreeSize.exeTreeSize.exeTreeSize.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TreeSize.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TreeSizePro9.1.5.1885x64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	TreeSizePro9.1.5.1885x64.exe

Executes dropped EXE 11 IoCs

Processes:

TreeSizePro9.1.5.1885x64.exeHook.exeTreeSize-x64-Full.exeTreeSize-x64-Full.tmpLicenseManager.exeLicenseManager.exeLicenseManager.exeTreeSize.exeTreeSize.exeTreeSize.exeLicense.exe

pid	process
4056	TreeSizePro9.1.5.1885x64.exe
1932	Hook.exe
2904	TreeSize-x64-Full.exe
6084	TreeSize-x64-Full.tmp
2684	LicenseManager.exe
1484	LicenseManager.exe
5040	LicenseManager.exe
4820	TreeSize.exe
5840	TreeSize.exe
5008	TreeSize.exe
5472	License.exe

Loads dropped DLL 3 IoCs

Processes:

TreeSize.exeTreeSize.exeTreeSize.exe

pid process

4820 TreeSize.exe
5840 TreeSize.exe
5008 TreeSize.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4820	TreeSize.exe
5840	TreeSize.exe
5008	TreeSize.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

TreeSize.exe

description	ioc	process
File opened (read-only)	\??\Y:	TreeSize.exe
File opened (read-only)	\??\Z:	TreeSize.exe
File opened (read-only)	\??\E:	TreeSize.exe
File opened (read-only)	\??\G:	TreeSize.exe
File opened (read-only)	\??\R:	TreeSize.exe
File opened (read-only)	\??\M:	TreeSize.exe
File opened (read-only)	\??\Q:	TreeSize.exe
File opened (read-only)	\??\W:	TreeSize.exe
File opened (read-only)	\??\I:	TreeSize.exe
File opened (read-only)	\??\K:	TreeSize.exe
File opened (read-only)	\??\L:	TreeSize.exe
File opened (read-only)	\??\J:	TreeSize.exe
File opened (read-only)	\??\O:	TreeSize.exe
File opened (read-only)	\??\P:	TreeSize.exe
File opened (read-only)	\??\U:	TreeSize.exe
File opened (read-only)	\??\V:	TreeSize.exe
File opened (read-only)	\??\A:	TreeSize.exe
File opened (read-only)	\??\B:	TreeSize.exe
File opened (read-only)	\??\H:	TreeSize.exe
File opened (read-only)	\??\X:	TreeSize.exe
File opened (read-only)	\??\N:	TreeSize.exe
File opened (read-only)	\??\S:	TreeSize.exe
File opened (read-only)	\??\T:	TreeSize.exe

Drops file in Program Files directory 56 IoCs

Processes:

TreeSize-x64-Full.tmpHook.exe

description	ioc	process
File opened for modification	C:\Program Files\JAM Software\TreeSize\Microsoft.IdentityModel.Abstractions.dll	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize\Jam.Net.Mail.Interop.dll	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-N9K0O.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\version.dll	Hook.exe
File opened for modification	C:\Program Files\JAM Software\TreeSize\version.dll	Hook.exe
File opened for modification	C:\Program Files\JAM Software\TreeSize\Redemption64.dll	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize\Jam.OAuth2.Interop.dll	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\LicenseFiles\Inno Setup\is-1U4BC.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-R1556.tmp	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize\TreeSize.chm	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize\Jam.Logging.dll	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\LicenseFiles\PasOpenCL\is-U5VD9.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-48S78.tmp	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software	Hook.exe
File created	C:\Program Files\JAM Software\TreeSize\__tmp_rar_sfx_access_check_240683000	Hook.exe
File opened for modification	C:\Program Files\JAM Software\TreeSize\TreeSizeContextMenu.dll	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-D418C.tmp	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize	Hook.exe
File created	C:\Program Files\JAM Software\TreeSize\is-L50KK.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-RVVRS.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\LicenseFiles\GLScene\is-USJC3.tmp	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize\LicenseManager.exe	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-N6L6U.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\LicenseFiles\SynPDF\is-ELRUP.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-LSER1.tmp	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize\Jam.Interop.dll	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize\libbz2.dll	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\LicenseFiles\Windows Ribbon Framework for Delphi\is-1QI00.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\unins000.msg	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize\TreeSize.exe	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize\WebView2Loader.dll	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-PKP09.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-3CJ9L.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-KM2DN.tmp	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize\Microsoft.Identity.Client.dll	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize\ChartAssembly.dll	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-5FARA.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-TJGV7.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-S0TGT.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-01AA9.tmp	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize\SQLite3.dll	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\LicenseFiles\WindowsFirewallHelper\is-H8KJJ.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\LicenseFiles\Spring4D\is-3V4SV.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-4O403.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-V7LCR.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\LicenseFiles\Virtual TreeView\is-CM5KC.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\LicenseFiles\Abbrevia\is-QAAKJ.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-ALUGE.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-PKRVF.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-SFDCB.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\LicenseFiles\BouncyCastle\is-3ER36.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-VACLE.tmp	TreeSize-x64-Full.tmp
File opened for modification	C:\Program Files\JAM Software\TreeSize\unins000.dat	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\unins000.dat	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\LicenseFiles\Jedi Component Library\is-K3POT.tmp	TreeSize-x64-Full.tmp
File created	C:\Program Files\JAM Software\TreeSize\is-FE9A1.tmp	TreeSize-x64-Full.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TreeSize.exeTreeSize.exeTreeSize.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TreeSize.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TreeSize.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TreeSize.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	TreeSize.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

TreeSize.exeTreeSize.exeTreeSize.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	TreeSize.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	TreeSize.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	TreeSize.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	TreeSize.exe

Modifies registry class 64 IoCs

Processes:

OpenWith.exeTreeSize.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_Duplicate\Icon = "C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe,0"	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize\ = "&TreeSize"	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize\AppliesTo = "System.ParsingName:<>\"::{645FF040-5081-101B-9F08-00AA002F954E}\" AND System.ParsingName:<>\"::{679f85cb-0220-4080-b29b-5540cc05aab6}\" AND System.ParsingPath:~!\"::{26EE0668-A00A-44D7-9371-BEB064C98683}\" AND System.IsFolder:=System.StructuredQueryType.Boolean#True"	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize\	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_fs\command\ = "\"C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe\" /SEARCH /TABS CustomSearch /SCAN \"%1\""	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_Basic\ = "&Find files"	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_Basic	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_fs\command	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_fs	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_Basic	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_Duplicate	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_Duplicate\command	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize\command	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_fs\Icon = "C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe,0"	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_Duplicate\command	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_Duplicate\command	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_fs\ = "&Advanced File Search"	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_fs\ = "&Advanced File Search"	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_fs\command\ = "\"C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe\" /SEARCH /TABS CustomSearch /SCAN \"%W\""	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_Basic\command	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_Basic	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_fs	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_Duplicate\Icon = "C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe,0"	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize\command	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_fs\Icon = "C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe,0"	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_fs	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_Basic\Icon = "C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe,0"	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_Duplicate\ = "Find &duplicate files"	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_Duplicate	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize\command	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_Basic\command\ = "\"C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe\" /SEARCH /TABS \"Basic Search\" /SCAN \"%W\""	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_Duplicate\command\ = "\"C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe\" /SEARCH:Start /TABS \"Duplicate Search\" /SCAN \"%1\""	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_fs\command	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_fs	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_Duplicate	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_Basic\command	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize\command	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize\ = "&TreeSize"	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_Basic\AppliesTo = "System.ParsingName:<>\"::{645FF040-5081-101B-9F08-00AA002F954E}\" AND System.ParsingName:<>\"::{679f85cb-0220-4080-b29b-5540cc05aab6}\" AND System.ParsingPath:~!\"::{26EE0668-A00A-44D7-9371-BEB064C98683}\" AND System.IsFolder:=System.StructuredQueryType.Boolean#True"	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_Duplicate\ = "Find &duplicate files"	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_fs\AppliesTo = "System.ParsingName:<>\"::{645FF040-5081-101B-9F08-00AA002F954E}\" AND System.ParsingName:<>\"::{679f85cb-0220-4080-b29b-5540cc05aab6}\" AND System.ParsingPath:~!\"::{26EE0668-A00A-44D7-9371-BEB064C98683}\" AND System.IsFolder:=System.StructuredQueryType.Boolean#True"	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_Basic	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_Basic\command	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize\command\ = "\"C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe\" /SCAN \"%W\""	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize\Icon = "C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe,0"	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_Basic\command\ = "\"C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe\" /SEARCH /TABS \"Basic Search\" /SCAN \"%1\""	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize_Duplicate\command\ = "\"C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe\" /SEARCH:Start /TABS \"Duplicate Search\" /SCAN \"%W\""	TreeSize.exe
Key deleted	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_fs\command	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize\command\ = "\"C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe\" /SCAN \"%1\""	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize\Icon = "C:\\Program Files\\JAM Software\\TreeSize\\TreeSize.exe,0"	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Directory\Background\shell\TreeSize	TreeSize.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize_Basic\ = "&Find files"	TreeSize.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Folder\shell\TreeSize\	TreeSize.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

LicenseManager.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	LicenseManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd10400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	LicenseManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	LicenseManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	LicenseManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 5c0000000100000004000000001000000400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff1190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	LicenseManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	LicenseManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	LicenseManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	LicenseManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	LicenseManager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	LicenseManager.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeTreeSize-x64-Full.tmpTreeSize.exeTreeSize.exe

pid	process
2960	msedge.exe
2960	msedge.exe
1396	msedge.exe
1396	msedge.exe
6028	identity_helper.exe
6028	identity_helper.exe
5216	msedge.exe
5216	msedge.exe
6084	TreeSize-x64-Full.tmp
6084	TreeSize-x64-Full.tmp
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
4820	TreeSize.exe
5840	TreeSize.exe
5840	TreeSize.exe
5840	TreeSize.exe
5840	TreeSize.exe
5840	TreeSize.exe
5840	TreeSize.exe
5840	TreeSize.exe
5840	TreeSize.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4792 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

Processes:

msedge.exe

pid	process
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

7zG.exeLicenseManager.exeLicenseManager.exeLicenseManager.exe

description	pid	process
Token: SeRestorePrivilege	4388	7zG.exe
Token: 35	4388	7zG.exe
Token: SeSecurityPrivilege	4388	7zG.exe
Token: SeSecurityPrivilege	4388	7zG.exe
Token: SeDebugPrivilege	2684	LicenseManager.exe
Token: SeDebugPrivilege	1484	LicenseManager.exe
Token: SeDebugPrivilege	5040	LicenseManager.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

OpenWith.exeTreeSize.exeTreeSize.exeTreeSize.exe

pid	process
4792	OpenWith.exe
4820	TreeSize.exe
4820	TreeSize.exe
5840	TreeSize.exe
5840	TreeSize.exe
5008	TreeSize.exe
5008	TreeSize.exe
5008	TreeSize.exe
5008	TreeSize.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1396 wrote to memory of 760	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 760	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3648	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2960	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2960	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1172	1396	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/5f2sbgx4qqftwcz/TreeSizePro9.1.5.1885x64.7z/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bfd646f8,0x7ff9bfd64708,0x7ff9bfd64718
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7056 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8108 /prefetch:8
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7636 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7452 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7860 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7884 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7912 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,624299360609063298,517058664634414440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:3112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5004

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap20398:108:7zEvent20045
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Users\Admin\Downloads\TreeSizePro9.1.5.1885x64.exe
"C:\Users\Admin\Downloads\TreeSizePro9.1.5.1885x64.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4056
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Hook.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Hook.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\TreeSize-x64-Full.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\TreeSize-x64-Full.exe" /silent
  2⤵
  - Executes dropped EXE
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\is-T0ES4.tmp\TreeSize-x64-Full.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-T0ES4.tmp\TreeSize-x64-Full.tmp" /SL5="$20272,36635092,857088,C:\Users\Admin\AppData\Local\Temp\RarSFX0\TreeSize-x64-Full.exe" /silent
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:6084
  - - C:\Users\Admin\AppData\Local\Temp\is-I317P.tmp\LicenseManager.exe
      "C:\Users\Admin\AppData\Local\Temp\is-I317P.tmp\LicenseManager.exe" /register /language en /product TreeSize /version 9.1.5 /title ' Setup - TreeSize V9.1.5' /parentHandle 197424 /silent
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\is-I317P.tmp\LicenseManager.exe
      "C:\Users\Admin\AppData\Local\Temp\is-I317P.tmp\LicenseManager.exe" /GetLicenseType
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\is-I317P.tmp\LicenseManager.exe
      "C:\Users\Admin\AppData\Local\Temp\is-I317P.tmp\LicenseManager.exe" /addFirewallRule /product TreeSize /executable 'C:\Program Files\JAM Software\TreeSize\TreeSize.exe'
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5040
  - - C:\Program Files\JAM Software\TreeSize\TreeSize.exe
      "C:\Program Files\JAM Software\TreeSize\TreeSize.exe" /nogui /installcertificate
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4820
  - - C:\Program Files\JAM Software\TreeSize\TreeSize.exe
      "C:\Program Files\JAM Software\TreeSize\TreeSize.exe" /NOGUI /SETADMINFLAG "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TreeSize\TreeSize (Administrator).LNK" /SETADMINFLAG "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TreeSize\TreeSize File Search (Administrator).LNK" /SETADMINFLAG "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TreeSize\TreeSize Duplicate File Search (Administrator).LNK" /Language "en"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5840
  - - C:\Program Files\JAM Software\TreeSize\TreeSize.exe
      "C:\Program Files\JAM Software\TreeSize\TreeSize.exe" /NOGUI /ContextMenuEntries 6 /INSTALL /SAVESETTINGS /REGISTERPACKAGE /Language "en"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Checks processor information in registry
      Enumerates system info in registry
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:5008
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\License.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\License.exe"
  2⤵
  - Executes dropped EXE
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cybermania.ws/
  2⤵
  PID:5124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9bfd646f8,0x7ff9bfd64708,0x7ff9bfd64718
    3⤵
    PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\JAM Software\TreeSize\Jam.Interop.dll

Filesize
57KB

MD5
9c8979c7a0c7e611b7470b2ed4e09932

SHA1
a2eda5a0c076a7f6725ed126706d3e9744a8e614

SHA256
61f1c49499ce6691637e52d28306728702bd38d6278297559308ef215ed02b85

SHA512
22f34606cba234ef414959c16d35d2e15e6d05135ca95329eec08ac730c47e4518c4808c8e30edf72dd42d12204f81931f10303aa5dcdb3de93bf9e209d1d92c

Download Submit
C:\Program Files\JAM Software\TreeSize\Jam.Logging.dll

Filesize
21KB

MD5
16bd9f798fda178c404608ca8b261ccd

SHA1
aea571dcff9b4f13c1e1a468621648d1e462fd8a

SHA256
f82562b0b6cad52f514290dee76cf330e7289a8f571325a624e97d87652229c7

SHA512
4c152cae25f45481e454bb4af0a20913e023f09dd56268e2185a60ce440224c0c78b75b226eddee48d3a87d831397d54d8923d6daf299f6f85fa88e74eda7992

Download Submit
C:\Program Files\JAM Software\TreeSize\License.rtf

Filesize
49KB

MD5
911eaf50af90a456f537cee153fd0869

SHA1
b61cb4d6b68eab0faab4df9704f1b29339e26f41

SHA256
0c9f2ec14f247d3ff74f68a98daf129b0b5ef287d075867a9470f78734e2f681

SHA512
ef174b4b9f9b4b75917cbca9f820b24a62c4ef5a8e859b8dea2efae9c2c6e0ee5bd7d8517d15d47b8c7d1c916a15057e986a1fe76343df69984b1a0c80882e63

Download Submit
C:\Program Files\JAM Software\TreeSize\version.dll

Filesize
14KB

MD5
e0996071bdff657b61d8e495c274875d

SHA1
a70bd52c439c78ad41e26cf95d2aa131a38a8773

SHA256
db795bd254bc54b425441ba8c8b67f1a53498e892be9f3cf2c357e8962138f8d

SHA512
6748da299ad5c19e8e702fe22de86859922b3bfd4d360dccfdcda62bebc275aca2f94b13d855c72ae98eea2f479aacf7e560461aa9164762cfa4a1bea5a01a67

Download Submit
C:\ProgramData\Licenses\05E70BE193D4EAA94D2734139C6593C3C069A50A7C677A9202C8B2E60DD8E297

Filesize
456B

MD5
dff790254b97577715e788ba93f97496

SHA1
549252029ffa9099aad75d9e5e17607340d156c1

SHA256
b4cfdac677386c921963cd12ecf134396db0fe19c68ddb42d950493c09117916

SHA512
5583f803205165a24967c8529082a0e8978cbd3b59eb434e92d090355f84125488daa83bc957c61e6d647a6b699a181ae7c3830285bdab13d1c0c220b4ff0e30

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TreeSize\TreeSize (Administrator).LNK

Filesize
1KB

MD5
228aa44d5ad526045b423d4893e4bf41

SHA1
0f9a4bdac3a0647d3c53ddda35d6c7a22ab4c84e

SHA256
0acd325199c35f088ea7e76b2f92eecda3329ec56c05e1b7377c8cb4e649161c

SHA512
6b53a73190a9d66f48397012637bd0f53730be0b22304c081fab7f5368c4c9a063510b85e4b9b660383c7963627e177468e37fee5a4695f9140d564d86a0f1cc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TreeSize\TreeSize Duplicate File Search (Administrator).LNK

Filesize
1KB

MD5
508d20542ff8fd6cee79d7caadcbc9ee

SHA1
4ee777a5fb705e2dcb33777bb6c5889bc746d61f

SHA256
e24330a4faaa69d55b0bfc46573f736e770279d7624b79742eed7cb698ef6f14

SHA512
4b12213fcb17c1a0ad1e524eb4863e89eda9bc48479de4ceb85d931ab9a7c8f5bd27807975c5534ef76df53a535a86bd98450e17f1bfaaa83eb7216094be80d8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TreeSize\TreeSize File Search (Administrator).LNK

Filesize
1KB

MD5
4949c49f94ed2eb44c86569286f7d8fd

SHA1
aaa029ef8389d91d3928073002bf3e5cc167a2d9

SHA256
b363591261196ac5e37852c29390823911913344e339bd4a88a9458fc55e1a4f

SHA512
7b692626b3ddfa76e08c4973f3024e58fa319bff225a3ea41d6c3d1ebbe14061451f859880c90464b9da174b145a84e20cfb0034b5385b156c6120cf9ba71985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LicenseManager.exe.log

Filesize
1KB

MD5
68a16d48ad3271ff799c369f0db52d92

SHA1
c8aa3b6a590d32995aad0d4c3e62278446e1a3a5

SHA256
657f05bc2104673a24bfa29f18e6176f1dae21a9704bfd1237eb40a6621fe44d

SHA512
5759c555f4d523aaf2c3628363a6851e6e21b465735cef6430b8b7a66d71d0d6d7f901cb803dbc9f48c2bdc68459a5c29b2e86b1adf727041b9fd36c0a5a4dce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TreeSize.exe.log

Filesize
2KB

MD5
5962a00a2264bd85dd65ae797d2c1e54

SHA1
39f2bf8565b63cfe583d35b873bdd6ba64fc976a

SHA256
52355046f9fbdf0f03b787c07ab251c3674d474d31a7d839c07bf6c4da9964ed

SHA512
78a7cad8dac5449efb6e3df988ee000f1c97efb437ce5430d34ee680850ecbb6089bc2ea204662949c4ab1bd2f48c76b3e40d4cc1114ac4877cd0778fe8fbefa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
477462b6ad8eaaf8d38f5e3a4daf17b0

SHA1
86174e670c44767c08a39cc2a53c09c318326201

SHA256
e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d

SHA512
a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b704c9ca0493bd4548ac9c69dc4a4f27

SHA1
a3e5e54e630dabe55ca18a798d9f5681e0620ba7

SHA256
2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411

SHA512
69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9dfc817d-0de1-4c7b-aac6-8e1cb2a6d706.tmp

Filesize
5KB

MD5
43a600e338c6c53fb5d0b8386a1f1b19

SHA1
a3862eea7425eba4c8a84c10c7303e0335aa965e

SHA256
77f37ced6131b53009e8a602025c812beb90d164eb41ae504470188a54a13cfd

SHA512
47766ff5b7f5a7aaf78647a589b72cd0c8d988a1aa1a1f82a6751cc19f3065894f21a71dc3efb143d9062d66cccb96dc95417bc5c27b35fdb78e2e6ff051205c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005e

Filesize
19KB

MD5
3811a84079fd710635626275664e51a1

SHA1
f998ea367562d553bbb389332cd28d397750edce

SHA256
6d368394fca86cfe6157ed13d36a107a1597000921459413882544a9d72ade3b

SHA512
75c6746b24ea432e3f5883b6ed87076ad4c4e25c3322e58449d5e2268ce0df9497245561e480d59d916b8e84d79ac148c7cada8a3ed1714bb74aa701bb0b3295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005f

Filesize
20KB

MD5
baa80a18dd87df5735d95654441feed0

SHA1
e600bd34f9822eacbe76dccac24d70178a839d2c

SHA256
cd12b1ca0960d19a282b891a804a3c21729d00ef26ea23b674e908465d4a691a

SHA512
ba381c34f3be056d6d44debc209d97921c2bdd8e3af66a8a899e4ba2b67d163395789e32aae31ee80c7d0d0c35685c01d1e734ebcb7645ffa54a72f0729adab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
468f91f4848cd812fa601cf16a500d2c

SHA1
f7e13696f85ce345aa490ec00ba017a4b98ca4f6

SHA256
a9a32c04b6094856e84dfa5a2ed5e93db801e5e4e0aff98f0fe6d00eaa02d1df

SHA512
f53733c77526958af738f1a4d4e29559ff0d2976c639eb585620d1f1c5819c59727e6ee207a814a2f994593e16702b73c7c1ba6dd86a4ac0d0e149f95b76ee02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3bf234fe42f61de68f5c84df069af731

SHA1
5697ef0dd1f8c4449b210436d208627c9419f4fc

SHA256
99b5af142f17bee754183c183c476713d994727baaf24ce7bc41520f0b5f0e21

SHA512
61847bfd0ce4b2a8805354f58782c1e113c3a92bae92f5bbf5f6b3a101e03c4c7852d4c8115ad450f183f18d3a41db3bbba323a9247a5fc4cb276fbcfe006d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
477568e0f92f8799b1df0e9ddf453a27

SHA1
4b200b3e1820499eecbe551873ddf906d72348fd

SHA256
c7ccd2514547f886c90eb5139f3366e270ee66ac7cbbe84ced0eb185a0883b5a

SHA512
f150072c996638df3dd5ab4b0fd8dc714bd7abe461fbfddeaf1f7166523a22daba7dbde37025b962ff18d92ad516cba2ad3b337887b73af61847d41120bb16f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
11KB

MD5
c51948ef7a0622bc57719dc2da457a5c

SHA1
679516a1c8d8a59e61a9a0fab7103ca45de2f9f9

SHA256
cc399db7db884d246e48f6439e848cd2c63d14812ad2a01fd50b89d4946df2ca

SHA512
042dd3420f1545b98194809b578a1448898790661dcff53b3b11e162805eb4bfc126ad4b0b4c1549aca0055cce777324259176f0b2f1522503f1df619746c3b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
d51e0f42721898d38522b3d7d3861937

SHA1
cbe32b2c9e804c2b193d1a27b72c4635bb1e43c8

SHA256
963c5c949f502a16a60ff917a13d5a2e9b6a3d175a1149b2f6d67428e1f1bebe

SHA512
365a1091c4e9cc45da3227d57ae13e78841034cf70e01ca0474cbcfd5c273710c4b3f6b7f20e80172511b029cc8fa30decd5d50354d697b8c9ae2dc7b1d14413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
740f160eeaa6aa98f3405c095e7bb406

SHA1
79f2bc9e59516dee4b987941900b3cf515c7d9c8

SHA256
d62a131dee93a1ac94d7b928d8a8a7680101c3d94588acb217dfa62c5a75c615

SHA512
f1d2cb25d52a996584b63c8f1f22944edd176d9313256f62f1240051d79f32d0a360e4504a9dc15fad09128f5e26994e01754821a38e199752e301c6fa7c064c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
7c6184f0838e015c70b4222f5c5b0cf4

SHA1
d7257e384c28c3d3263b502d483e06cc5f5b2afc

SHA256
f606836a96be4c10362a05ebd1681a3873cf2d0936d9b99e80eab5e2ba78c1fe

SHA512
94177943aba62a077b7ee06a6fb0d4e490ed04e1b6a52e20c2b40c32dd9598e5a49d5ce4e6c016869298631825bd6840d89d95bf4d5dc57a112b127eb0a69014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
a97cb4450def927aa2df2d845cfc4685

SHA1
b4370077d48cd08de0ae8910c805e36b5aaebfca

SHA256
5311ec77c2df0f03cba0b4b45931a1a22ddf15aeb930d6df2d7f2e13c88849e0

SHA512
e0c045b5fd0820bbc12b3e386a95a78c854f73712f093f6ef0a33b6874debcb6b8f8c04d61e8ce1dbe6187d189e82acea6cfde55ff5128dd8920ae73c4220553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
6c1ac2c87fded286934d88609bc46c74

SHA1
e14459e4b78054a94137de398cbc9e36dbbdbd5e

SHA256
60e9d577bf7cfe521424a742d409f7532a7694a8b9372a48eb7d0bbe24fb9e94

SHA512
09e099c679e114037a929420f8c7fc7281e2349d901b4028e66858c3f030e79d8a3a3f56e23347dd5f01e9eb0131f1c5d6687978ef3d72af8fb1039b2bfe34e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
f0bb6c85f9b08a8cac3fa229cc5c8f01

SHA1
c6c5b426560d637392c470b9cf1e0d82f5cfa940

SHA256
a624756171257a6ece125ba23b57c628b53375f2fddfc3bc0351d3481418dcd0

SHA512
a24dc1c6170d30f9bb246255106b76e819e2adaa04f5de9ae12874a91ae85abc1cdbb4631928f345166acb5271ff6e92bc4cf76ed3ea174f2bc1df46fef5d5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583cc6.TMP

Filesize
48B

MD5
0b181a5b8e09ee82bb89d263a204f009

SHA1
8924b64f9f3c05e1ab1a6ec75bd62c3c9587516f

SHA256
8a68dd948e9f07b0b3c5baf36abbfa6a44960b07dd4d15567a02be287211e2ad

SHA512
889bcf972b92424c78a845415abfc7037e053735d1c5af0f8ccad7bb4a17dd6f656859c3459cdac3e90775471cb9e798cd0b3c84b5eee26622d211a0b75df148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
527b97e36b22f8da68d3a6bd34032e57

SHA1
4731c23825a48605cecd659cc4f2e88102e06e3c

SHA256
43fbe9544f7443a274f13078eb1c9152d69939b64dcc0b08f2163331addd04a4

SHA512
348bfdc0e995a6e6f5683744d437248cea4ff9c1215825a2403071fbee205a07129ff4158dc26249f6c10669c88a20dd7a854c86e59eeb9f7e2e54a316b1c886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
766168d1bc8ee3758e41ca563607bcd7

SHA1
8b2f1cef0dcf45ced8b60cdb54f9af00a5943365

SHA256
5fa4b6e2a56980f5a998d962088d425fa33775dd5d23c6cc8e40957e923655d5

SHA512
bcaf260f22107c3a20e1f1e7186384d9d7d486f4a8bfb824d4a52c146133efc8da1a2ff6ffd674228e5389b4f64be17aec55253adfcb1a81c3abea7ee07e81f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
d304d965ad08846993356d94190e0dc6

SHA1
5c09ee7661c7ec9e20174e95b315062ea810fe09

SHA256
d6f4775e2ba84f7ee377dfbdd3e3c51af83414c9c13dff10f2e766bea717bade

SHA512
511472342170e79b7c930a7861ceebf9b5e4b2f1df9bc6f881a4b4020c491d34b41784d26d4ab55c19930619b7e63894ae5edf076ceeb3e0c87f064e19b69f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579337.TMP

Filesize
2KB

MD5
d6cb6e9e788059b60a33b45c6d80960b

SHA1
7f43b1f6c4d2406e601a7aca994dbd526dbad1a8

SHA256
e1742d036456f80d0f429ecc417f84d50110f8ba49437bd0b6643d1943b200f2

SHA512
d4d1ea6190111722e26f266e9a982b50df6840b406473cb091d005426f85688be405c983fae97daa3c367b15cd1e8d0a8cda95236ed33576aa58a199653ad384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9ef2e2ffc827c92342b94309049d2454

SHA1
0d6fa2abe8d39e7c37efe2596f4af6ce52ec4c16

SHA256
e987becf7860c64f15a17b8207ca78d1cf97a3576a79866ddf9b445b2031c6a8

SHA512
b705db0790c48c6e37b515ab9a46cbad062ae9dc19b852e7d0278cf84911b013af443992911d234692e21419767087becdeffa18a321286ab6bd1f4200d5b414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3fd5f2470138456f91eadb750b40f38e

SHA1
99432f5e312888943773649cbe1e6d58b6e197e6

SHA256
91d81533ecf798e288a6b80f8fc7cf9278b5fb9ce78208505c55d441cab6ccc6

SHA512
6507c21fa229a354ac1a075952c757f0ce58585c1c0a908bbdd8d3aabcbdfcc05b499c43a71d280845f81997a519d6737b75f1d8231e2ef3a370106b54f3b671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
daefb2ea4c472e24475dd682b5678929

SHA1
29b100c86ea22ac4419ce8655e1400fa4c370477

SHA256
195482f0a15fa0017cbfbdcfd2d0e4fb7e43eb1774602d76d7d81a251addb2a7

SHA512
d98f4cb57050794578b477ac5d6eac4eed429c71c56ecbebbd1447a50374e5d43c0b47fa727b4c10b271727f44274baca3beeebd339f6176e346e34d5dec2e5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
47bfc6f3df18f73a13f70310ab31e908

SHA1
281f6a91ca93bca296c4080f4fe2a7300cd8330b

SHA256
57825be04a781dfa25069d34ceacfcd214611cf1eb47a7ef91f6ed0470f7438a

SHA512
01b869f0cf316d321ce3a14e5c5622d44c5aadc2239ca93e79a00301e81b70314ac3f56cafcf72c3d0aa89fd9f425906f97e89d8d6a3eef9ed824fcb51598429

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberMania.url

Filesize
4KB

MD5
f89e823b83f9edc863ae9e35ea0a5949

SHA1
12db7e3d70e47bd97df335c74cd7323dc48a778d

SHA256
7fba1e8849a88298272be247c2b22ef4a50ac1bc4c83a4c02848bc131e622088

SHA512
d3e297af4eeeb3b8201381fddc426c33ab543db80c0da2ef7ee000ad773cf6895d7221ec17b95806377ea74488f8db7354e23d13c43d87599f6b02631e379d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Hook.exe

Filesize
479KB

MD5
c53a0bcf59b6121c9bb7060dbfbdee2c

SHA1
50d589797b53a9a4f4bb94929fbe35cc25e6805a

SHA256
8d45093ced26b9f1dce04ae5e4fc8a8a3b5c31a4e5ba6273ba37a094ce66c223

SHA512
e5fff2a7dfcf31a66af180493c5ae5612f945738265b9619e2e8faed3ab1dc4a0d6b47ece60659f7394574844483801a64a4ee72a3aa9a7b4a97162620e6481a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\License.exe

Filesize
422KB

MD5
d188dd26f477b14e8c869ecec2cfa061

SHA1
c3e029b236ad222b1ef79f04cf5dc4605747a4ef

SHA256
13b622caf20f28e4560c168b4111c88d4d6002526ad91f3e8949a8b5bfb83713

SHA512
5bb1118102200dc5ff201e1c398e0ba1dafe079b9a83f9740017038170d400c36e843c4f1d437cfb7180222c12ef43f4a2365d5847b064316c2b2f7656733255

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\TreeSize-x64-Full.exe

Filesize
35.9MB

MD5
95c7c2a862ec6d6ac7d9b63773c57b89

SHA1
e24ae9d3c6483a66fd27a3e4a70c5a82b02d3e8a

SHA256
41027b86a65ef71a4b89e5b82c076df1852e1e239e2df03d114a7bbb28e4c89e

SHA512
84ba27713569e96cc5b3f6fb7ba554c6b44691ba13af052df6532c42f7c83f095893ba62ef2cf699bb3e852b9cdacd942dc0eac8ebb2cb756aeb39d7c0049344

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp9A86.tmp

Filesize
5KB

MD5
ec1a452942b87a2893766881f82ffb07

SHA1
d765b39ac64730fa674cb7dd4f397ba6e3d2b049

SHA256
898649fdcf8fcd8d6d72485442c6b1abde7f373030d671a91d4f09334aa28992

SHA512
53ea93a968379552178581d6e53189f5ec9f720837219414662fdb47792fc25c9bd1d7cc1dfcafda18062ce30db5b2aa287cc646511c02ef8836c594fba6049f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I317P.tmp\LicenseManager.exe

Filesize
1.5MB

MD5
6178c200fcca008bfe504e8710874a20

SHA1
7aaf71a30b6074e5faad8777bdcaab924b0a27e1

SHA256
bd5eebdd00f4ddc22ddd82c3effb66a6f61b2e692bdbc344e023094ae5a93fde

SHA512
fded4e490d4b58fa6c4415302c0e67228a721cf0532cb8d8a065161fbaf81dec6f0762d4e11b4a91c43524d37e579e246040a84b047aa1de2d65ec35d456ed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I317P.tmp\LicenseManager.exe.config

Filesize
721B

MD5
d03cceafbca07120c7a36f3e243805b8

SHA1
f868045e675d82cdff1fd253b68a020cad3d3fd8

SHA256
abefc8827fc03dde158ead299d4a160f13d79b7d72a936d68aaf95b075b2d789

SHA512
e5ce285d660003b96437060005ef326c8a87d1e08c98551b0330ab3feaec6a1f693736d229887a8dd20434075b73ff722d2f55bfa30d44718f7db606e145da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T0ES4.tmp\TreeSize-x64-Full.tmp

Filesize
3.0MB

MD5
530ced3e78914a1f453efbea7dc69036

SHA1
efe905e798e0267508774fe1352bf89393283e7e

SHA256
d29476f7aebed46d11168b58c4594c1a7bab791d0bd0b95b73d8b8c5ff50c219

SHA512
6bf7b781c8ca632404339ee1e8e832f9b93ad80fb4589d4e005a9ffc10597386226146358c64848b37ac595c3be46cf0a55b8d1dba556dcab9bfecb02848651a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jam_1932240698468708889426.config

Filesize
4KB

MD5
82f9976c6c6a030c0f7744df3e2f0343

SHA1
10e8a47cfd1058de162db06895f21d3037b6734c

SHA256
685321f287e81c68312ead10e30d4fdef0c7394d8744068e2b6bfea54297fd9c

SHA512
6c2a69ca41236807d6d81f309a207ff7d27cda34a2aa34439b0a6b07c06d2c24f59a649fc2ce546855ca082b70b6ba040904214c6317c0077a209936f20fc7e6

Download Submit
C:\Users\Admin\AppData\Roaming\JAM Software\TreeSize\GlobalOptions.xml

Filesize
129KB

MD5
a858e48a1d27a8913e4cd90f824b048a

SHA1
8caa18e5e3ed5f707f9d30981169b1907a1b84fa

SHA256
f59607a3b3937ce1762885d998552570abc2f7bc75dade3c1bcfaf80c4ca6729

SHA512
86f70632adc8022ed3fb3853f7160598975c7b6d6bbe32ec60382b8847f39e5e0a1b04b6988b26aaf0b85a50f5d95b9167515bced7d6d7b4165815e95c421f21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
12KB

MD5
a35dd8031fad59b42756e39954a425c1

SHA1
9137abec8363e3b70ac7d4b7b666ab8f98ae0331

SHA256
52c5ee30a32aceca2a947318d0a8cbd4a1f344708a08284c2026708b5245a6da

SHA512
6ad42e7b234218d3d0a805b41c2ed5d299bfc9cc1f4e56765a06447d82d841a9da86df0f923c8e632a91b0b24932a10d383ef751114a0c561ba28320aff0f803

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
14KB

MD5
fe61996cbefb6454cc0dd6ed65f4fee7

SHA1
39cb9a117c663db94a87206268ee59a0d30093ed

SHA256
92fcc8c25e773af9cde6c8e23cc292db9024e2b87eee599b041a3b68818fa38b

SHA512
2c0bdfac14b9da259cbee3c3388ec410763559a6e177eda35a8b89a1d12ebf1970b9709c37cb99d30a88b812c9e6cb11294029d1f3917666c4ec886fbb4af1c1

Download Submit
C:\Users\Admin\Downloads\TreeSizePro9.1.5.1885x64.7z

Filesize
36.0MB

MD5
3760a981dec74f9a929ff266e8acee9d

SHA1
951a1eb3ae0c810c14946e632c4d0e3853d7dcbd

SHA256
e77c7762eee2f6ac50f6dfbd4eac5b28421c093625d5cf2b7bbf45ec48b76eb2

SHA512
21c6d125de6ecc85e62ef03381ba8260200d6c32e5f4a60129df433bbffccfd4298872fa35168238674664b965d4d1da325712d56bdc864cfd2703c9a63736d0

Download Submit
C:\Users\Admin\Downloads\TreeSizePro9.1.5.1885x64.exe

Filesize
36.2MB

MD5
f76c899a5660581a9960b1831ed391c5

SHA1
be1360b3c216274c61dec6832de593424d811702

SHA256
efcad47ae25743c3b3126fcb4d12f6751de18b55a6eec0e388ec5ba29675a48e

SHA512
c4cff8ac63a7e003ed362ff92130363e23ab769063f8ee08c58e24b7730f31c43a7a9da7bee3f5568a7085ac6778bf1bbc4d10275dc2bec98bf80118ca735e4a

Download Submit
\??\pipe\LOCAL\crashpad_1396_MBESIHZMOYDHDQHO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1484-716-0x000001D3EBD00000-0x000001D3EBD1E000-memory.dmp

Filesize
120KB

Download
memory/2684-681-0x00000232DD3E0000-0x00000232DD3F6000-memory.dmp

Filesize
88KB

Download
memory/2684-683-0x00000232DD400000-0x00000232DD410000-memory.dmp

Filesize
64KB

Download
memory/2684-698-0x00000232DDC50000-0x00000232DDC5A000-memory.dmp

Filesize
40KB

Download
memory/2684-696-0x00000232DDA80000-0x00000232DDA88000-memory.dmp

Filesize
32KB

Download
memory/2684-693-0x00000232DDBF0000-0x00000232DDC16000-memory.dmp

Filesize
152KB

Download
memory/2684-694-0x00000232DDA90000-0x00000232DDA98000-memory.dmp

Filesize
32KB

Download
memory/2684-695-0x00000232DDC20000-0x00000232DDC36000-memory.dmp

Filesize
88KB

Download
memory/2684-692-0x00000232DDA70000-0x00000232DDA7A000-memory.dmp

Filesize
40KB

Download
memory/2684-684-0x00000232DDAA0000-0x00000232DDAF0000-memory.dmp

Filesize
320KB

Download
memory/2684-697-0x00000232DDC40000-0x00000232DDC4A000-memory.dmp

Filesize
40KB

Download
memory/2684-682-0x00000232DD7B0000-0x00000232DD842000-memory.dmp

Filesize
584KB

Download
memory/2684-680-0x00000232C4B60000-0x00000232C4B6A000-memory.dmp

Filesize
40KB

Download
memory/2684-673-0x00000232C2DD0000-0x00000232C2F52000-memory.dmp

Filesize
1.5MB

Download
memory/2684-679-0x00000232DD3B0000-0x00000232DD3D4000-memory.dmp

Filesize
144KB

Download
memory/2684-678-0x00000232DD370000-0x00000232DD3A8000-memory.dmp

Filesize
224KB

Download
memory/2684-676-0x00000232DD350000-0x00000232DD36A000-memory.dmp

Filesize
104KB

Download
memory/2684-677-0x00000232C4B50000-0x00000232C4B58000-memory.dmp

Filesize
32KB

Download
memory/2684-675-0x00000232C4B40000-0x00000232C4B4E000-memory.dmp

Filesize
56KB

Download
memory/2684-674-0x00000232DD420000-0x00000232DD56C000-memory.dmp

Filesize
1.3MB

Download
memory/2904-650-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4820-841-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-833-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-863-0x00007FF9AE5B0000-0x00007FF9AE65A000-memory.dmp

Filesize
680KB

Download
memory/4820-870-0x00000228FC4F0000-0x00000228FC502000-memory.dmp

Filesize
72KB

Download
memory/4820-888-0x00007FF9AE660000-0x00007FF9AE6C5000-memory.dmp

Filesize
404KB

Download
memory/4820-887-0x00007FF9AE660000-0x00007FF9AE6C5000-memory.dmp

Filesize
404KB

Download
memory/4820-886-0x00007FF9AE660000-0x00007FF9AE6C5000-memory.dmp

Filesize
404KB

Download
memory/4820-857-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-856-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-855-0x00007FF9CA2C0000-0x00007FF9CA2C1000-memory.dmp

Filesize
4KB

Download
memory/4820-854-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-853-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-852-0x00007FF9CA2B0000-0x00007FF9CA2B1000-memory.dmp

Filesize
4KB

Download
memory/4820-851-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-850-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-849-0x00007FF9CA2A0000-0x00007FF9CA2A1000-memory.dmp

Filesize
4KB

Download
memory/4820-846-0x00007FF9CA290000-0x00007FF9CA291000-memory.dmp

Filesize
4KB

Download
memory/4820-845-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-844-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-843-0x00007FF9CA280000-0x00007FF9CA281000-memory.dmp

Filesize
4KB

Download
memory/4820-848-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-840-0x00007FF9CA270000-0x00007FF9CA271000-memory.dmp

Filesize
4KB

Download
memory/4820-839-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-838-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-837-0x00007FF9CA260000-0x00007FF9CA261000-memory.dmp

Filesize
4KB

Download
memory/4820-835-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-834-0x00007FF9CA250000-0x00007FF9CA251000-memory.dmp

Filesize
4KB

Download
memory/4820-873-0x00000228FE390000-0x00000228FE512000-memory.dmp

Filesize
1.5MB

Download
memory/4820-832-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-831-0x00007FF9CA240000-0x00007FF9CA241000-memory.dmp

Filesize
4KB

Download
memory/4820-836-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-890-0x0000000000200000-0x0000000005CBC000-memory.dmp

Filesize
90.7MB

Download
memory/4820-826-0x00007FF9AE660000-0x00007FF9AE6C5000-memory.dmp

Filesize
404KB

Download
memory/4820-827-0x00007FF9AE660000-0x00007FF9AE6C5000-memory.dmp

Filesize
404KB

Download
memory/4820-825-0x00007FF9AE660000-0x00007FF9AE6C5000-memory.dmp

Filesize
404KB

Download
memory/4820-872-0x00000228FC4E0000-0x00000228FC4E8000-memory.dmp

Filesize
32KB

Download
memory/4820-828-0x00007FF9CA230000-0x00007FF9CA231000-memory.dmp

Filesize
4KB

Download
memory/4820-829-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-830-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-842-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-847-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-867-0x00007FF9AB030000-0x00007FF9ABAF1000-memory.dmp

Filesize
10.8MB

Download
memory/4820-860-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/4820-864-0x00007FF9AE5B0000-0x00007FF9AE65A000-memory.dmp

Filesize
680KB

Download
memory/4820-858-0x00007FF9CA2D0000-0x00007FF9CA2D1000-memory.dmp

Filesize
4KB

Download
memory/4820-859-0x00000228858C0000-0x0000022885A00000-memory.dmp

Filesize
1.2MB

Download
memory/5840-906-0x00000160E41D0000-0x00000160E4310000-memory.dmp

Filesize
1.2MB

Download
memory/5840-908-0x00007FF9CA240000-0x00007FF9CA241000-memory.dmp

Filesize
4KB

Download
memory/5840-909-0x00000160E41D0000-0x00000160E4310000-memory.dmp

Filesize
1.2MB

Download
memory/5840-907-0x00000160E41D0000-0x00000160E4310000-memory.dmp

Filesize
1.2MB

Download
memory/5840-905-0x00007FF9CA230000-0x00007FF9CA231000-memory.dmp

Filesize
4KB

Download
memory/5840-893-0x00007FF9AE660000-0x00007FF9AE6C5000-memory.dmp

Filesize
404KB

Download
memory/5840-894-0x00007FF9AE660000-0x00007FF9AE6C5000-memory.dmp

Filesize
404KB

Download
memory/5840-895-0x00007FF9AE660000-0x00007FF9AE6C5000-memory.dmp

Filesize
404KB

Download