da38d1dbc0cc495bce19da55542482cb07eeac5fb25bb5c554ce219e8868275f

Analysis

max time kernel
34s
max time network
47s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
09/07/2024, 23:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.exe
Size

6.6MB
MD5

63150c4846bfbcf27fa70ccaa8a01943
SHA1

bfe32dcc00b041e0007a883af1588f354bb9f032
SHA256

a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24
SHA512

7c0c8065c83529ffe9cf092a7ffb19f59252015d643bded9cf5459e6e6a4c582962ab6e36b330275a79649fa6e8d3da01cb95352870a52fa159bb278b967cd90
SSDEEP

98304:MPyYn2kIIR7ABl27MwarecfhZzwStzDtAVl3gaSZmg4MPyDv0bSpkmmf6osFQaiS:q7Vty27MJzw6z8X4mgJSyNyos6ac4l

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp

Executes dropped EXE 2 IoCs

pid	Process
4068	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
1568	RevoUnin.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\is-9C0FQ.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-A0BDR.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-597AO.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.msg	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-Q4RU6.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-87QOI.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-P8GDU.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-L74KR.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.dat	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-KSTNM.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-AK8K2.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-T885T.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-OS23C.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-T0SRS.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-NNJ77.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-UKFSR.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-1EP74.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\is-2DMDA.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File opened for modification	C:\Program Files\VS Revo Group\Revo Uninstaller\unins000.dat	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-H6MMB.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-5IVAQ.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-S1K71.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-REH49.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-P1Q99.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-FLV79.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-VNVJS.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-VPP7F.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-H0UD7.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-HDTBA.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\is-UAT2H.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\is-KH5EF.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-50EQG.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-2L0O9.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-HFQHV.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-5NHHL.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-MIJBF.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-TO7QB.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-33BQM.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-1L6DI.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-RRK8L.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-9UC0T.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-RBK5H.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-OGLJB.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-M82P8.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-18N9D.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-R1CBP.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-REDRF.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-6238B.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-SP127.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-GR314.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-SBACV.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-56B8K.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
File created	C:\Program Files\VS Revo Group\Revo Uninstaller\lang\is-82BTV.tmp	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f7615a6d54d2da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6487806d54d2da01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = bda4d96c54d2da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4568	MicrosoftEdgeCP.exe
4568	MicrosoftEdgeCP.exe
4568	MicrosoftEdgeCP.exe
4568	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1976	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1976	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1976	MicrosoftEdgeCP.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4068	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe
4576	MicrosoftEdge.exe
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe
1568	RevoUnin.exe
4568	MicrosoftEdgeCP.exe
1976	MicrosoftEdgeCP.exe
4568	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 4068	4468	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.exe	70
PID 4468 wrote to memory of 4068	4468	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.exe	70
PID 4468 wrote to memory of 4068	4468	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.exe	70
PID 4068 wrote to memory of 1568	4068	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp	72
PID 4068 wrote to memory of 1568	4068	a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp	72
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77
PID 4568 wrote to memory of 2608	4568	MicrosoftEdgeCP.exe	77

C:\Users\Admin\AppData\Local\Temp\a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.exe
"C:\Users\Admin\AppData\Local\Temp\a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\AppData\Local\Temp\is-C6JMC.tmp\a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-C6JMC.tmp\a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp" /SL5="$6019E,6355320,266240,C:\Users\Admin\AppData\Local\Temp\a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe
    "C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2608

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VS Revo Group\Revo Uninstaller\RevoUnin.exe

Filesize
14.4MB

MD5
a9ccd5974308c40cbe6946b5e53d2de9

SHA1
3560538b946953c8b0ff7dd63b5bc4e088ba8240

SHA256
2df4dd7200737feab6e9dd77026584ddb328ad580c68205467356ac390a8f775

SHA512
866c2565f6c7fcc969d4c5db84fcb92e43ef4e8885ec129dc528020da8df599977b75b748abc0620b30e01a3f2980ffdc37731dfe4878b778dfdaef7911097ab

Download Submit
C:\Program Files\VS Revo Group\Revo Uninstaller\lang\english.ini

Filesize
102KB

MD5
5f57e969cb8f3ad0bbd859207a283bd5

SHA1
5a232b0eed2d7437513010c7a0af05cc4de3d90f

SHA256
f2e8f9e5cf4f057e3399ff66485a485cba419881aeeac997049941396bdf63d8

SHA512
c48ec65d7dc7f1ef77bc708cdb6f49106651fb6d715450168f4d5fa8105c24dfb43d7378d8b0ceba567942fd73fc95f7d41fd75c0824e619609981710b504cd0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\RKLRQ0TR\favicon[1].ico

Filesize
2KB

MD5
780f9dc38a92057e7290fc69d765d73d

SHA1
ffe4d4bd2ea337c926dc71afbe309daa24352b41

SHA256
91e8f868eef6967dcfca5eeb8e428184a0f4dcd017246c78138e71e158a78db7

SHA512
d03786070ca50868ae449e31e3cec7a488196dc1d5eab344e7dec1d8f081bf7b376c8c42266b7171c6a46cba972321bbb954586fdb7fac978826b5586644ae92

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C6JMC.tmp\a05acc9172e98ec6a6a7f923f5c648cc7a7c4e02bbcaaa5a6d9663229e662c24.tmp

Filesize
1.3MB

MD5
7b77e7c3ebd213d95c4d909716f10030

SHA1
1c00eb97b4f154e209162bee83a84a6f1d1ef034

SHA256
a1bab1631135a982dfec6024b1ef8eb1ea2bce519cd832d9151e95e8def916d2

SHA512
fb6f95d42a936911b66861280cdeee77e2125c6b30141eb66daff402453d635a87a7f8ec9435ceb7ad4fddb473d6347a787bedb5649aa3abb234aceeeaaf8dcd

Download Submit
memory/1976-181-0x000001DEBF380000-0x000001DEBF480000-memory.dmp

Filesize
1024KB

Download
memory/2608-483-0x00000236572E0000-0x00000236572E2000-memory.dmp

Filesize
8KB

Download
memory/2608-485-0x0000023657400000-0x0000023657402000-memory.dmp

Filesize
8KB

Download
memory/2608-509-0x0000023657220000-0x0000023657222000-memory.dmp

Filesize
8KB

Download
memory/2608-507-0x00000236432F0000-0x0000023643300000-memory.dmp

Filesize
64KB

Download
memory/2608-508-0x00000236432F0000-0x0000023643300000-memory.dmp

Filesize
64KB

Download
memory/2608-496-0x00000236432F0000-0x0000023643300000-memory.dmp

Filesize
64KB

Download
memory/2608-494-0x00000236432F0000-0x0000023643300000-memory.dmp

Filesize
64KB

Download
memory/2608-481-0x00000236572D0000-0x00000236572D2000-memory.dmp

Filesize
8KB

Download
memory/2608-486-0x00000236432F0000-0x0000023643300000-memory.dmp

Filesize
64KB

Download
memory/2608-484-0x00000236432F0000-0x0000023643300000-memory.dmp

Filesize
64KB

Download
memory/2608-196-0x0000023643500000-0x0000023643600000-memory.dmp

Filesize
1024KB

Download
memory/2608-199-0x0000023653A00000-0x0000023653A02000-memory.dmp

Filesize
8KB

Download
memory/2608-201-0x0000023653A20000-0x0000023653A22000-memory.dmp

Filesize
8KB

Download
memory/2608-203-0x0000023653A40000-0x0000023653A42000-memory.dmp

Filesize
8KB

Download
memory/2608-266-0x00000236551B0000-0x00000236551D0000-memory.dmp

Filesize
128KB

Download
memory/2608-428-0x0000023654B20000-0x0000023654B40000-memory.dmp

Filesize
128KB

Download
memory/2608-459-0x0000023655AA0000-0x0000023655AA2000-memory.dmp

Filesize
8KB

Download
memory/2608-467-0x0000023655AE0000-0x0000023655AE2000-memory.dmp

Filesize
8KB

Download
memory/2608-475-0x0000023655DA0000-0x0000023655DA2000-memory.dmp

Filesize
8KB

Download
memory/2608-477-0x00000236572A0000-0x00000236572A2000-memory.dmp

Filesize
8KB

Download
memory/2608-479-0x00000236572C0000-0x00000236572C2000-memory.dmp

Filesize
8KB

Download
memory/2608-482-0x00000236432F0000-0x0000023643300000-memory.dmp

Filesize
64KB

Download
memory/4068-6-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4068-9-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4068-170-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4068-126-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/4468-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4468-171-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4468-8-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4468-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4576-166-0x000001F833D80000-0x000001F833D82000-memory.dmp

Filesize
8KB

Download
memory/4576-147-0x000001F836A20000-0x000001F836A30000-memory.dmp

Filesize
64KB

Download
memory/4576-131-0x000001F836920000-0x000001F836930000-memory.dmp

Filesize
64KB

Download