floxif | 2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
Size

8.3MB
MD5

240f2da53a1b503481648e1f9711af70
SHA1

b0066d94308da0e1710a32c85b49e3af9d9638c2
SHA256

2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003
SHA512

30383e99194254cea8d55480f4dadf89c0b0fb3836e7dd0b6f784edcecd5d4a75a3a9e09816a5dd878ab9a8b347c3d329b3bb3484387f72978d2390bea5472f4
SSDEEP

196608:78fUVShpTzJWVeGSW4IKHDuAQ97H4rQ3spho1erEzB5JpqjgH6fr6:gfLnTzJ+xSFI2uTH4rKqEzBugae

Score

10^/10

floxif backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000c000000023b9c-1.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000c000000023b9c-1.dat	acprotect

Executes dropped EXE 4 IoCs

pid	Process
1252	Setup.exe
1376	IKernel.exe
4452	IKernel.exe
4320	iKernel.exe

Loads dropped DLL 32 IoCs

pid	Process
3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
1252	Setup.exe
1376	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4320	iKernel.exe
4452	IKernel.exe
4452	IKernel.exe
1252	Setup.exe
1252	Setup.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
4452	IKernel.exe
3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1180	arp.exe
228	arp.exe
4460	arp.exe
1360	arp.exe
1120	arp.exe
3800	arp.exe
1056	arp.exe
452	arp.exe
808	arp.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b9c-1.dat	upx
behavioral2/memory/3180-7-0x0000000000510000-0x0000000000543000-memory.dmp	upx
behavioral2/memory/3180-6-0x0000000000510000-0x0000000000543000-memory.dmp	upx
behavioral2/memory/1252-79-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/1376-92-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/1376-95-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/4452-99-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/4320-153-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/4320-154-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3180-213-0x0000000000510000-0x0000000000543000-memory.dmp	upx
behavioral2/memory/3180-214-0x0000000000510000-0x0000000000543000-memory.dmp	upx
behavioral2/memory/1252-215-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3180-216-0x0000000000510000-0x0000000000543000-memory.dmp	upx
behavioral2/memory/4452-218-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/3180-239-0x0000000000510000-0x0000000000543000-memory.dmp	upx
behavioral2/memory/3180-263-0x0000000000510000-0x0000000000543000-memory.dmp	upx
behavioral2/memory/3180-271-0x0000000000510000-0x0000000000543000-memory.dmp	upx

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll.tmp	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctorabb1.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuseabff.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\temp.000	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\coreaba1.rra	IKernel.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objeabef.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll.dat	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\IScript\iscrac5d.rra	IKernel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iKernel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IKernel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IKernel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\ = "ISetupCopyFiles"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\ = "ISetupScriptError"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\FLAGS\ = "0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptEngine\ = "InstallShield Script Engine"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\VersionIndependentProgID	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	iKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\0\win32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\LocalServer32\ = "C:\\PROGRA~2\\COMMON~1\\INSTAL~1\\Engine\\6\\INTEL3~1\\IKernel.exe"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices\CLSID	iKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CFCFE67-0BB8-43E0-8425-378D0A02ACE4}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.User.1\ = "InstallShield setup user interafce"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\ = "ISetupScriptEngine2"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\FLAGS	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\ = "ISetupObjectContext"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	iKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupOpTypes"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\ = "ISetupGUIObject"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Kernel	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ = "ISetupBasicFeatureStateEvents"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\ = "ISetupRegistry"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices.1\CLSID	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\ = "ISetupBasicFeature"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	iKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32	IKernel.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
Token: SeDebugPrivilege	1252	Setup.exe
Token: SeDebugPrivilege	1376	IKernel.exe
Token: SeDebugPrivilege	4452	IKernel.exe
Token: SeDebugPrivilege	4320	iKernel.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 1180	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	83
PID 3180 wrote to memory of 1180	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	83
PID 3180 wrote to memory of 1180	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	83
PID 3180 wrote to memory of 1056	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	85
PID 3180 wrote to memory of 1056	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	85
PID 3180 wrote to memory of 1056	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	85
PID 3180 wrote to memory of 1360	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	86
PID 3180 wrote to memory of 1360	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	86
PID 3180 wrote to memory of 1360	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	86
PID 3180 wrote to memory of 228	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	87
PID 3180 wrote to memory of 228	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	87
PID 3180 wrote to memory of 228	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	87
PID 3180 wrote to memory of 4460	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	88
PID 3180 wrote to memory of 4460	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	88
PID 3180 wrote to memory of 4460	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	88
PID 3180 wrote to memory of 1120	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	89
PID 3180 wrote to memory of 1120	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	89
PID 3180 wrote to memory of 1120	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	89
PID 3180 wrote to memory of 3800	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	90
PID 3180 wrote to memory of 3800	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	90
PID 3180 wrote to memory of 3800	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	90
PID 3180 wrote to memory of 808	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	92
PID 3180 wrote to memory of 808	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	92
PID 3180 wrote to memory of 808	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	92
PID 3180 wrote to memory of 452	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	93
PID 3180 wrote to memory of 452	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	93
PID 3180 wrote to memory of 452	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	93
PID 3180 wrote to memory of 1252	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	101
PID 3180 wrote to memory of 1252	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	101
PID 3180 wrote to memory of 1252	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	101
PID 1252 wrote to memory of 1376	1252	Setup.exe	102
PID 1252 wrote to memory of 1376	1252	Setup.exe	102
PID 1252 wrote to memory of 1376	1252	Setup.exe	102
PID 4452 wrote to memory of 4320	4452	IKernel.exe	104
PID 4452 wrote to memory of 4320	4452	IKernel.exe	104
PID 4452 wrote to memory of 4320	4452	IKernel.exe	104
PID 3180 wrote to memory of 4184	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	113
PID 3180 wrote to memory of 4184	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	113
PID 3180 wrote to memory of 4184	3180	2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe	113

C:\Users\Admin\AppData\Local\Temp\2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe
"C:\Users\Admin\AppData\Local\Temp\2411119a77aedf855e9ab748ab6833ccfbd9af70657854d21c62463b39444003N.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\SysWOW64\arp.exe
  arp -a
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:1180
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.0.1 67-59-35-c9-b3-3a
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:1056
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.255.255 10-45-3a-c4-6b-bc
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:1360
- C:\Windows\SysWOW64\arp.exe
  arp -s 136.243.76.173 15-f9-cc-da-1e-5b
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:228
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.22 b8-da-a1-f6-c5-c9
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:4460
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.251 87-cc-48-2f-7b-f1
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:1120
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.252 11-25-08-f7-96-70
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:3800
- C:\Windows\SysWOW64\arp.exe
  arp -s 239.255.255.250 3c-0d-90-63-11-f2
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:808
- C:\Windows\SysWOW64\arp.exe
  arp -s 255.255.255.255 14-0f-9d-73-9e-ab
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:452
- C:\Users\Admin\AppData\Local\Temp\pftA5F6~tmp\Disk1\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\pftA5F6~tmp\Disk1\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    "C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- C:\Windows\SysWOW64\arp.exe
  arp -d
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4184

C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
  "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini

Filesize
27KB

MD5
62d5f9827d867eb3e4ab9e6b338348a1

SHA1
828e72f9c845b1c0865badaef40d63fb36447293

SHA256
5214789c08ee573e904990dcd29e9e03aaf5cf12e86fae368005fd8f4e371bd5

SHA512
b38bb74dc2e528c2a58a7d14a07bd1ecaaf55168b53afc8f4718f3bf5d6f8c8b922b98551a355ebb1009f23cff02fd8596413468993a43756c4de7dfed573732

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
600KB

MD5
b3fd01873bd5fd163ab465779271c58f

SHA1
e1ff9981a09ab025d69ac891bfc931a776294d4d

SHA256
985eb55ecb750da812876b8569d5f1999a30a24bcc54f9bab4d3fc44dfedb931

SHA512
6674ab1d65da9892b7dd2fd37f300e087f58239262d44505b53379c676fd16da5443d2292aeaae01d3e6c40960b12f9cac651418c827d2a33c29a6cdf874be43

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll.tmp

Filesize
156KB

MD5
0894fb160692207b07a781a692009d61

SHA1
db5fb790f87d8eb018baf31acb77ef4a408ad241

SHA256
72045000155498c6765c1037a1d751023c9bfe3582dc06e809d642001a77aecf

SHA512
5ba86f6b82af1e6ce31d65dc1f601d196a85cd5b83fcf04922f7f0121d6aac76e5f8cc355de90a602c0026a5b35160b378cc43a931957789048cdb277184862e

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll

Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
71KB

MD5
4fcd7574537cebec8e75b4e646996643

SHA1
efa59bb9050fb656b90d5d40c942fb2a304f2a8b

SHA256
8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d

SHA512
7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftA5F6~tmp\Disk1\IKernel.ex_

Filesize
338KB

MD5
93b63f516482715a784bbec3a0bf5f3a

SHA1
2478feca446576c33e96e708256d4c6c33e3fa68

SHA256
fbf95719b956b548b947436e29feb18bb884e01f75ae31b05c030ebd76605249

SHA512
2c8f29dda748e21231ab8c30c7a57735104b786120bb392eb1c20a320f2dddde392d136fd0c70853bb9af851bbe47df2955d8f9d5973b64870ac90bd12d2dd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftA5F6~tmp\Disk1\Setup.exe

Filesize
162KB

MD5
aecc6a163878ceea3ec1bf8cf9fcff28

SHA1
7c04c09fba6411e896b0d8226b29bfce418b20cf

SHA256
6e16cbb0ff6ec17ce13671a0cdd7d86aaf8884f63e6b3b9250d086ec8f2006a0

SHA512
e9c71b855e7cd88de106d58d70f88b82b3ae4db76606146aa767ed801d8ad471e29a945e9c44de1d3d6fad31302120e70b57af9545c952c3ad12d2ffd0a073e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftA5F6~tmp\Disk1\Setup.exe.tmp

Filesize
242KB

MD5
5dde4c50a75f9fba27aff2b03842fd09

SHA1
d511af32aa8998b2423f41010a0b07f4add83a5c

SHA256
1e640deb735870d9d634c02f81690ccbe6c098f627afd0be380782929f8c723e

SHA512
8859d996105ced0bd52310cd57bc817e0a20196553070e256f01528fb5f6939bf2a4e88dbf0a668c55d31d8e04a560599f4ad8c64049b5305787d0c290c871e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftA5F6~tmp\Disk1\data1.cab

Filesize
426KB

MD5
20e8ba9dae06548d08bb73861f7c82a1

SHA1
39d404b97f072a844d6cf23c263d1019ae436d3f

SHA256
37b3c25ad12ed2c5f44fe7d8abcd58c9f24e0d6e6a00343cb50fad93ad4ea00c

SHA512
37e54969c5fc7e2ae647d132a88a818f4b7e2d072972642b7df7329970a75bd78b3b43234083f4fde4fde771534fcfb868ccf2855994540edeceb1fcf3aa1c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftA5F6~tmp\Disk1\layout.bin

Filesize
435B

MD5
be565c56b9c33dd0e0f0c2f417b3fe6f

SHA1
c701b5c5f1b91ae51c35bfb23dae78ad812d0e2d

SHA256
c8e4ef3b1d5f64088056c46c0935c022753f8f89416b318a1b43cb78f673f299

SHA512
5a488636fdab9386037a604f77dcb0a3a2ce871cf63b287a5f4d4fdc1c9b54177850c34bd28e4243bea358e9e97434d7fe7f0b6782a865679b3d174d2b385f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftA5F6~tmp\Disk1\setup.bmp

Filesize
454KB

MD5
6c00dff2a6e6811149987b3600bd32a9

SHA1
cb5bf0affc6c0d1f3f027b5174891374f1012585

SHA256
2b7ad50ee8189832abeae5d8eb40a61be66d2ccb14cebed318eb007e742018f1

SHA512
1ba2494cf8229214060af8e047a02328136a04e07cb6f82c6dcd79628f9da3b8cff0d695dcc71761bf89eccdb53eface26955c8ee7efecdd8e7b6f92f537ba3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftA5F6~tmp\Disk1\setup.ini

Filesize
103B

MD5
2cddb07b98901d644e6f195c838f7154

SHA1
dca2dbf7ba56bb15338547f741b174cd49d01035

SHA256
0c355be9deef9d6bad7c6e7240358d812ee67e4c78e094ad884e22c8001cd84b

SHA512
156d4897c1a7588f03543bbfb31734daf209f6cd757cfb5532772d9d1557fb009b5bc189653fc55d5541ce975e6b8f768e63cb86e949d0592918951814bdf435

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftA5F6~tmp\Disk1\setup.inx

Filesize
137KB

MD5
6ae5cafc291c001bf39873b968c83d20

SHA1
bd5f3ca614356571a38eba4bdf63a2eb63e9d907

SHA256
6c04ccfa8206add9a10672e1dbc4c2b6b97371b30fe41f0e592bd21a44879af2

SHA512
fc25d5cac6e6fd73868a802907d2eb66b12351f9d3b119d94a1bfbc64b83864dd2db54fec15a962591ccaa9de15b6d892a123a7ab9ddabe59369e5ec254551d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftA5F6~tmp\pftw1.pkg

Filesize
8.0MB

MD5
04aff77a5d1891c9bcebcedeab805307

SHA1
873d1e4e14a8d2fa2839fa779bd5885bc8a24524

SHA256
61b74cd289ef16e334b251670f8a1c24587a0404c8f50555cd241b128ea0c1d3

SHA512
8b28cd4376149ae72183763f78ad96cabf5dac0723b253693cff657a71316a05caa4da26462fbc8dcc5c00ffb724309049d989121cfadc13721b45b3f67834e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\plfA4FA.tmp

Filesize
3KB

MD5
dad1c09101343863f8a5ddecfa573c3b

SHA1
75c2a3effe75638f72f1cd858aec9c9f142209bc

SHA256
d612225e5483dfae774475fe0d6bac215c8aaa53607a9c8396ad70f23b23c015

SHA512
3aa28f77b0566efc697e2f40a304988f4b8c85ceca9b79c9f391378adc47f43366a836c362ca074148b45c4857c4c3fd4e792b9f51223de4a3a687fae51f5180

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8F5483B3-D9B9-4C8E-BF01-B30CC1707EE0}\_IsRes.dll

Filesize
188KB

MD5
d3b08772f8f8370b2550b9208ee3b5a2

SHA1
04fb58eccabc82043029951aac0be56db52abcc8

SHA256
30040f2f0720237fb4d3733ede7cd0bc9e2eed2789b8aee381f0c2f7594e12c6

SHA512
1619fcd168568405094e930e5c1bdab94a67528d343f6ce0c66b6aeede9338f69253a47ece187e771388158276c3cbf51678ffb276bd930bde4b334333dda71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8F5483B3-D9B9-4C8E-BF01-B30CC1707EE0}\isrt.dll

Filesize
316KB

MD5
13b70633df1bf63e19fe4a74a53b8896

SHA1
f542f67cc15002f76f3ab9230297ccca2461c009

SHA256
7f852b5ee852ae2870d63db4d9cac454e08e93104d18bf5c9efc068d85c35147

SHA512
5fe27c41fb5de0ae2373295d0f5b13be7d863161e94d29bbeddb84acab4300a9bc93482c80f874ccaa9fa20b2066d7824c530ac3f4575bb999da3f594ccd4a2b

Download Submit
\??\c:\users\admin\appdata\local\temp\pfta5f6~tmp\disk1\data1.hdr

Filesize
13KB

MD5
fef07d52b1c715112c9588646276750d

SHA1
b1f350e3c7a4368dd1e59d112cda53e3ae625c44

SHA256
3eb42e89dc8c0a1eba2cdc4df3e8081e427386d726607b5e472d62c52cafaa03

SHA512
33671149b4ca486eff206f5bd34eea25506a09220649d8c19386503c252647f12a8b0b7d3ed642605bffa279c9a4e2397a426324a0e579ad5ac9aa047cebf458

Download Submit
memory/1252-215-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1252-79-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1376-95-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1376-92-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3180-214-0x0000000000510000-0x0000000000543000-memory.dmp

Filesize
204KB

Download
memory/3180-7-0x0000000000510000-0x0000000000543000-memory.dmp

Filesize
204KB

Download
memory/3180-271-0x0000000000510000-0x0000000000543000-memory.dmp

Filesize
204KB

Download
memory/3180-263-0x0000000000510000-0x0000000000543000-memory.dmp

Filesize
204KB

Download
memory/3180-239-0x0000000000510000-0x0000000000543000-memory.dmp

Filesize
204KB

Download
memory/3180-216-0x0000000000510000-0x0000000000543000-memory.dmp

Filesize
204KB

Download
memory/3180-6-0x0000000000510000-0x0000000000543000-memory.dmp

Filesize
204KB

Download
memory/3180-9-0x000000000040C000-0x000000000040F000-memory.dmp

Filesize
12KB

Download
memory/3180-213-0x0000000000510000-0x0000000000543000-memory.dmp

Filesize
204KB

Download
memory/4320-154-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/4320-153-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/4452-184-0x0000000003710000-0x0000000003723000-memory.dmp

Filesize
76KB

Download
memory/4452-190-0x0000000003730000-0x0000000003768000-memory.dmp

Filesize
224KB

Download
memory/4452-117-0x0000000003700000-0x0000000003713000-memory.dmp

Filesize
76KB

Download
memory/4452-198-0x0000000003770000-0x00000000037C2000-memory.dmp

Filesize
328KB

Download
memory/4452-204-0x0000000003810000-0x000000000383C000-memory.dmp

Filesize
176KB

Download
memory/4452-218-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/4452-99-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/4452-145-0x0000000003700000-0x0000000003738000-memory.dmp

Filesize
224KB

Download
memory/4452-135-0x0000000003700000-0x000000000372C000-memory.dmp

Filesize
176KB

Download
memory/4452-242-0x0000000003710000-0x0000000003723000-memory.dmp

Filesize
76KB

Download