307d9f5e4b85d1209753a90220cb3cf6e590288af57d81fb6a282c5d1a6d68df

Analysis

max time kernel
148s
max time network
148s
platform
windows10_x64
resource
win10v20201028
submitted
22-11-2020 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ledger-live-desktop-2.17.0-win.exe
Size

87.6MB
MD5

2ffa14c74bd1ed291cac0cafa9122090
SHA1

4ff0b198f034e6f49239ec164f6ea6438bc1a8ac
SHA256

307d9f5e4b85d1209753a90220cb3cf6e590288af57d81fb6a282c5d1a6d68df
SHA512

287ff06cb4bd567489ec0e607bc2553411a3d1cd21b7b26100314ab6afc41dc4e1b6e3d1be07f9803a0663ce81a2781bb792a90c4f13bc0f2dacc47168cc8ac1

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

Ledger Live.exeLedger Live.exeLedger Live.exeLedger Live.exeLedger Live.exeLedger Live.exe

pid process

1108 Ledger Live.exe
2196 Ledger Live.exe
3884 Ledger Live.exe
2828 Ledger Live.exe
2260 Ledger Live.exe
4504 Ledger Live.exe

pid	process
1108	Ledger Live.exe
2196	Ledger Live.exe
3884	Ledger Live.exe
2828	Ledger Live.exe
2260	Ledger Live.exe
4504	Ledger Live.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ledger Live.exeLedger Live.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	Ledger Live.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	Ledger Live.exe

Loads dropped DLL 29 IoCs

Processes:

ledger-live-desktop-2.17.0-win.exeLedger Live.exeLedger Live.exeLedger Live.exeLedger Live.exeLedger Live.exeLedger Live.exe

pid	process
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
1108	Ledger Live.exe
2196	Ledger Live.exe
2196	Ledger Live.exe
2196	Ledger Live.exe
2196	Ledger Live.exe
3884	Ledger Live.exe
2828	Ledger Live.exe
1108	Ledger Live.exe
2260	Ledger Live.exe
2260	Ledger Live.exe
2260	Ledger Live.exe
2260	Ledger Live.exe
2260	Ledger Live.exe
2260	Ledger Live.exe
2260	Ledger Live.exe
2260	Ledger Live.exe
4504	Ledger Live.exe
4504	Ledger Live.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 17 IoCs

Processes:

resource	yara_rule
C:\Program Files\Ledger Live\Ledger Live.exe	js
C:\Program Files\Ledger Live\Ledger Live.exe	js
C:\Program Files\Ledger Live\resources.pak	js
C:\Program Files\Ledger Live\resources\app.asar	js
C:\Program Files\Ledger Live\Ledger Live.exe	js
\Program Files\Ledger Live\d3dcompiler_47.dll	js
C:\Program Files\Ledger Live\D3DCompiler_47.dll	js
C:\Program Files\Ledger Live\swiftshader\libglesv2.dll	js
\Program Files\Ledger Live\swiftshader\libGLESv2.dll	js
C:\Program Files\Ledger Live\Ledger Live.exe	js
C:\Program Files\Ledger Live\Ledger Live.exe	js
C:\Program Files\Ledger Live\Ledger Live.exe	js
\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\build\Release\crypto.dll	js
C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\build\Release\crypto.dll	js
C:\Program Files\Ledger Live\Ledger Live.exe	js
C:\Program Files\Ledger Live\vulkan-1.dll	js
\Program Files\Ledger Live\vulkan-1.dll	js

Drops file in Program Files directory 1557 IoCs

Processes:

ledger-live-desktop-2.17.0-win.exe

description	ioc	process
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSCosmosLikeRedelegationEntryCpp.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSInternalTransactionCpp.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\EthereumLikeNetworkParameters.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSBlockchainExplorerEnginesCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSHttpRequestCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\HttpUrlConnection.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\QueryFilter.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSCosmosLikeBlockCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSOperationQueryCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\EthereumLikeExtendedPublicKey.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSBitcoinLikeTransactionBuilderCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSDatabaseColumn.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSEthereumLikeTransactionCpp.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSStellarLikeMemoCpp.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSAlgorandAssetAmountListCallback.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSAmountCallback.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSAddressCpp.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\CosmosLikeAccount.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\CosmosLikeExtendedPublicKey.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\CosmosLikeValidatorListCallback.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\ERC20LikeOperation.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\StellarConfiguration.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSAccountCallback.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSStellarLikeMemoCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\BlockchainExplorerEngines.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSTezosLikeTransactionCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSRandomNumberGenerator.cpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSRippleConfigurationDefaultsCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSRippleLikeTransactionBuilderCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSSecp256k1Cpp.cpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSSynchronizerEnginesCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\BitcoinLikeBlock.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\lib\ledger-core.lib	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSAlgorandOperationCpp.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSEthereumPublicKeyProvider.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSRippleConfigurationCpp.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\build\Release\obj\ledger-core-node\ledger-core-node.tlog\link.command.1.tlog	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\DynamicArray.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\RippleLikeExtendedPublicKey.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\StellarConfiguration.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSBitcoinLikeOutputListCallback.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSCosmosLikeExtendedPublicKeyCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSTezosConfigurationDefaultsCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\CosmosCurve.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\AddressListCallback.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\CosmosGasLimitRequest.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\CosmosLikeMultiSendOutput.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\CosmosLikeTransactionCallback.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSCosmosLikeUnbondingEntryCpp.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSRandomNumberGenerator.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app-update.yml	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\Address.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\BitcoinLikeExtendedPublicKey.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\EthereumLikeBlock.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSDatabaseError.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\locales\zh-CN.pak	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\RippleLikeAddress.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSAccountCallback.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSAccountCreationInfoCallback.hpp	ledger-live-desktop-2.17.0-win.exe
File opened for modification	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSEthereumLikeAccountCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSTezosLikeOperationCpp.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\include\DatabaseBlob.hpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\src\NJSThreadDispatcher.cpp	ledger-live-desktop-2.17.0-win.exe
File created	C:\Program Files\Ledger Live\vulkan-1.dll	ledger-live-desktop-2.17.0-win.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Ledger Live.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Ledger Live.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Ledger Live.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Ledger Live.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Ledger Live.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Ledger Live.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Ledger Live.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

ledger-live-desktop-2.17.0-win.exeLedger Live.exeLedger Live.exeLedger Live.exeLedger Live.exe

pid	process
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3992	ledger-live-desktop-2.17.0-win.exe
3884	Ledger Live.exe
3884	Ledger Live.exe
2828	Ledger Live.exe
2828	Ledger Live.exe
2260	Ledger Live.exe
2260	Ledger Live.exe
4504	Ledger Live.exe
4504	Ledger Live.exe
4504	Ledger Live.exe
4504	Ledger Live.exe

Suspicious use of AdjustPrivilegeToken 85 IoCs

Processes:

ledger-live-desktop-2.17.0-win.exewmic.exewmic.exe

description	pid	process
Token: SeSecurityPrivilege	3992	ledger-live-desktop-2.17.0-win.exe
Token: SeIncreaseQuotaPrivilege	1776	wmic.exe
Token: SeSecurityPrivilege	1776	wmic.exe
Token: SeTakeOwnershipPrivilege	1776	wmic.exe
Token: SeLoadDriverPrivilege	1776	wmic.exe
Token: SeSystemProfilePrivilege	1776	wmic.exe
Token: SeSystemtimePrivilege	1776	wmic.exe
Token: SeProfSingleProcessPrivilege	1776	wmic.exe
Token: SeIncBasePriorityPrivilege	1776	wmic.exe
Token: SeCreatePagefilePrivilege	1776	wmic.exe
Token: SeBackupPrivilege	1776	wmic.exe
Token: SeRestorePrivilege	1776	wmic.exe
Token: SeShutdownPrivilege	1776	wmic.exe
Token: SeDebugPrivilege	1776	wmic.exe
Token: SeSystemEnvironmentPrivilege	1776	wmic.exe
Token: SeRemoteShutdownPrivilege	1776	wmic.exe
Token: SeUndockPrivilege	1776	wmic.exe
Token: SeManageVolumePrivilege	1776	wmic.exe
Token: 33	1776	wmic.exe
Token: 34	1776	wmic.exe
Token: 35	1776	wmic.exe
Token: 36	1776	wmic.exe
Token: SeIncreaseQuotaPrivilege	1776	wmic.exe
Token: SeSecurityPrivilege	1776	wmic.exe
Token: SeTakeOwnershipPrivilege	1776	wmic.exe
Token: SeLoadDriverPrivilege	1776	wmic.exe
Token: SeSystemProfilePrivilege	1776	wmic.exe
Token: SeSystemtimePrivilege	1776	wmic.exe
Token: SeProfSingleProcessPrivilege	1776	wmic.exe
Token: SeIncBasePriorityPrivilege	1776	wmic.exe
Token: SeCreatePagefilePrivilege	1776	wmic.exe
Token: SeBackupPrivilege	1776	wmic.exe
Token: SeRestorePrivilege	1776	wmic.exe
Token: SeShutdownPrivilege	1776	wmic.exe
Token: SeDebugPrivilege	1776	wmic.exe
Token: SeSystemEnvironmentPrivilege	1776	wmic.exe
Token: SeRemoteShutdownPrivilege	1776	wmic.exe
Token: SeUndockPrivilege	1776	wmic.exe
Token: SeManageVolumePrivilege	1776	wmic.exe
Token: 33	1776	wmic.exe
Token: 34	1776	wmic.exe
Token: 35	1776	wmic.exe
Token: 36	1776	wmic.exe
Token: SeIncreaseQuotaPrivilege	1780	wmic.exe
Token: SeSecurityPrivilege	1780	wmic.exe
Token: SeTakeOwnershipPrivilege	1780	wmic.exe
Token: SeLoadDriverPrivilege	1780	wmic.exe
Token: SeSystemProfilePrivilege	1780	wmic.exe
Token: SeSystemtimePrivilege	1780	wmic.exe
Token: SeProfSingleProcessPrivilege	1780	wmic.exe
Token: SeIncBasePriorityPrivilege	1780	wmic.exe
Token: SeCreatePagefilePrivilege	1780	wmic.exe
Token: SeBackupPrivilege	1780	wmic.exe
Token: SeRestorePrivilege	1780	wmic.exe
Token: SeShutdownPrivilege	1780	wmic.exe
Token: SeDebugPrivilege	1780	wmic.exe
Token: SeSystemEnvironmentPrivilege	1780	wmic.exe
Token: SeRemoteShutdownPrivilege	1780	wmic.exe
Token: SeUndockPrivilege	1780	wmic.exe
Token: SeManageVolumePrivilege	1780	wmic.exe
Token: 33	1780	wmic.exe
Token: 34	1780	wmic.exe
Token: 35	1780	wmic.exe
Token: 36	1780	wmic.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

Ledger Live.exe

description	pid	process	target process
PID 1108 wrote to memory of 1776	1108	Ledger Live.exe	wmic.exe
PID 1108 wrote to memory of 1776	1108	Ledger Live.exe	wmic.exe
PID 1108 wrote to memory of 1780	1108	Ledger Live.exe	wmic.exe
PID 1108 wrote to memory of 1780	1108	Ledger Live.exe	wmic.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2196	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 3884	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 3884	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2828	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2828	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2260	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 2260	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 4504	1108	Ledger Live.exe	Ledger Live.exe
PID 1108 wrote to memory of 4504	1108	Ledger Live.exe	Ledger Live.exe

C:\Users\Admin\AppData\Local\Temp\ledger-live-desktop-2.17.0-win.exe
"C:\Users\Admin\AppData\Local\Temp\ledger-live-desktop-2.17.0-win.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Program Files\Ledger Live\Ledger Live.exe
"C:\Program Files\Ledger Live\Ledger Live.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\Wbem\wmic.exe
wmic os get locale
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Program Files\Ledger Live\Ledger Live.exe
"C:\Program Files\Ledger Live\Ledger Live.exe" --type=gpu-process --field-trial-handle=1560,3329538785540861271,13717587733195595446,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1568 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196

C:\Program Files\Ledger Live\Ledger Live.exe
"C:\Program Files\Ledger Live\Ledger Live.exe" --type=utility --field-trial-handle=1560,3329538785540861271,13717587733195595446,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1100 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:3884

C:\Program Files\Ledger Live\Ledger Live.exe
"C:\Program Files\Ledger Live\Ledger Live.exe" --type=renderer --field-trial-handle=1560,3329538785540861271,13717587733195595446,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Program Files\Ledger Live\resources\app.asar" --enable-experimental-web-platform-features --node-integration --no-sandbox --no-zygote --preload="C:\Program Files\Ledger Live\resources\app.asar\.webpack\preloader.bundle.js" --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2304 /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2828

C:\Program Files\Ledger Live\Ledger Live.exe
"C:\Program Files\Ledger Live\Ledger Live.exe" "C:\Program Files\Ledger Live\resources\app.asar\.webpack/main.bundle.js"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2260

C:\Program Files\Ledger Live\Ledger Live.exe
"C:\Program Files\Ledger Live\Ledger Live.exe" --type=gpu-process --field-trial-handle=1560,3329538785540861271,13717587733195595446,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAEAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2464 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Ledger Live\D3DCompiler_47.dll
MD5
fea40e5b591127ae3b065389d058a445

SHA1
621fa52fb488271c25c10c646d67e7ce5f42d4f8

SHA256
4b074a3976399dc735484f5d43d04b519b7bdee8ac719d9ab8ed6bd4e6be0345

SHA512
d2412b701d89e2762c72dd99a48283d601dd4311e3731d690cc2ab6cced20994fa67bf3fea4920291fc407cd946e20bdc85836e6786766a1b98a86febaa0e3d9

Download Submit
C:\Program Files\Ledger Live\Ledger Live.exe
MD5
f747bd260b7e52dcaab5ee158385205b

SHA1
bb92450544c0dcd6e7c4087a80636e2348c2cb6b

SHA256
c89922f7de7d315c6bc1806bd4d4d3745fa6a20a2ef6888fe14935f64c487cc8

SHA512
ac787ce7b89a956631155d4dc5eaaf15f47b938d28eab2625cec4f84c595d116f542c8b949e4890b6861f5790f3c7989e28dc8138f5f76746792198e1d337f4c

Download Submit
C:\Program Files\Ledger Live\Ledger Live.exe
MD5
f747bd260b7e52dcaab5ee158385205b

SHA1
bb92450544c0dcd6e7c4087a80636e2348c2cb6b

SHA256
c89922f7de7d315c6bc1806bd4d4d3745fa6a20a2ef6888fe14935f64c487cc8

SHA512
ac787ce7b89a956631155d4dc5eaaf15f47b938d28eab2625cec4f84c595d116f542c8b949e4890b6861f5790f3c7989e28dc8138f5f76746792198e1d337f4c

Download Submit
C:\Program Files\Ledger Live\Ledger Live.exe
MD5
f747bd260b7e52dcaab5ee158385205b

SHA1
bb92450544c0dcd6e7c4087a80636e2348c2cb6b

SHA256
c89922f7de7d315c6bc1806bd4d4d3745fa6a20a2ef6888fe14935f64c487cc8

SHA512
ac787ce7b89a956631155d4dc5eaaf15f47b938d28eab2625cec4f84c595d116f542c8b949e4890b6861f5790f3c7989e28dc8138f5f76746792198e1d337f4c

Download Submit
C:\Program Files\Ledger Live\Ledger Live.exe
MD5
f747bd260b7e52dcaab5ee158385205b

SHA1
bb92450544c0dcd6e7c4087a80636e2348c2cb6b

SHA256
c89922f7de7d315c6bc1806bd4d4d3745fa6a20a2ef6888fe14935f64c487cc8

SHA512
ac787ce7b89a956631155d4dc5eaaf15f47b938d28eab2625cec4f84c595d116f542c8b949e4890b6861f5790f3c7989e28dc8138f5f76746792198e1d337f4c

Download Submit
C:\Program Files\Ledger Live\Ledger Live.exe
MD5
f747bd260b7e52dcaab5ee158385205b

SHA1
bb92450544c0dcd6e7c4087a80636e2348c2cb6b

SHA256
c89922f7de7d315c6bc1806bd4d4d3745fa6a20a2ef6888fe14935f64c487cc8

SHA512
ac787ce7b89a956631155d4dc5eaaf15f47b938d28eab2625cec4f84c595d116f542c8b949e4890b6861f5790f3c7989e28dc8138f5f76746792198e1d337f4c

Download Submit
C:\Program Files\Ledger Live\Ledger Live.exe
MD5
f747bd260b7e52dcaab5ee158385205b

SHA1
bb92450544c0dcd6e7c4087a80636e2348c2cb6b

SHA256
c89922f7de7d315c6bc1806bd4d4d3745fa6a20a2ef6888fe14935f64c487cc8

SHA512
ac787ce7b89a956631155d4dc5eaaf15f47b938d28eab2625cec4f84c595d116f542c8b949e4890b6861f5790f3c7989e28dc8138f5f76746792198e1d337f4c

Download Submit
C:\Program Files\Ledger Live\Ledger Live.exe
MD5
f747bd260b7e52dcaab5ee158385205b

SHA1
bb92450544c0dcd6e7c4087a80636e2348c2cb6b

SHA256
c89922f7de7d315c6bc1806bd4d4d3745fa6a20a2ef6888fe14935f64c487cc8

SHA512
ac787ce7b89a956631155d4dc5eaaf15f47b938d28eab2625cec4f84c595d116f542c8b949e4890b6861f5790f3c7989e28dc8138f5f76746792198e1d337f4c

Download Submit
C:\Program Files\Ledger Live\chrome_100_percent.pak
MD5
7c4728b2d58afdd97c4549c96b9561cc

SHA1
1e0d251eedd67e7021fc764b9188184617465c54

SHA256
419cfcc6dc5f38b2e0c970ebd4fad1ef55054579d5c0db2521d7ae494996aac3

SHA512
82d0931e4d1cf38f88050980f518cdacdc981c382771b1732bfbe69f601074a0e7378e27a7470c7dea4e287cb1617a5c038052908ed85134abcd5b6591b4e7df

Download Submit
C:\Program Files\Ledger Live\chrome_200_percent.pak
MD5
6af049ad6fd11ee90ad9db31c4e02082

SHA1
5d2f9a59a74dc584b5dd78aeb6de583e969e3eb7

SHA256
edecf8e1ac353bfdae534e42507e5a59973cb4cab76fbb1ff1a470363e725bc4

SHA512
c7fa6e1a57861e62b9b4d615a988c98d13cde8abc23eaed7c36c2ecb86409da4b65b1f579ca2f307e90eb4d08d14b07f7f41ccb8d8c165d6de67c09c16009715

Download Submit
C:\Program Files\Ledger Live\ffmpeg.dll
MD5
8753b30c978467aa1c2253e3b7718d3c

SHA1
5adce8f036e0082419b975cfecda00e9ccb11961

SHA256
092d1cbc999ed0d08ccfa7426b257f8083dc5e4e957b985284b54eda3debd0a3

SHA512
1368c85fabd09cc4ad17cc6411e3428013bc7b94087302c0e7ba791d09c5e80677c8a0305c42be601f759f53842cc97055720c4421b6c8cc50a94991749d0c94

Download Submit
C:\Program Files\Ledger Live\icudtl.dat
MD5
3f019441588332ac8b79a3a3901a5449

SHA1
c8930e95b78deef5b7730102acd39f03965d479a

SHA256
594637e10b8f5c97157413528f0cbf5bc65b4ab9e79f5fa34fe268092655ec57

SHA512
ee083ae5e93e70d5bbebe36ec482aa75c47d908df487a43db2b55ddd6b55c291606649175cf7907d6ab64fc81ead7275ec56e3193b631f8f78b10d2c775fd1a9

Download Submit
C:\Program Files\Ledger Live\locales\en-US.pak
MD5
98c8cfc3cb98ab34e06d4323b8bcb043

SHA1
2c0bda072161530b710fa0a1dfc3c23926184afe

SHA256
35adc5aeeebfe440e295b88d2a4089360ada33c353843b1f5438f4118501878b

SHA512
25edeca13b4a29f63bdc4f135eda1b1b8c72f3a58315f57895950bdc15f56b2af1aca42affe397716f5965437ece836f683265a33ec919b8b26056634612ed3c

Download Submit
C:\Program Files\Ledger Live\resources.pak
MD5
d9022282a7fbf3aa354559ab6a9c7926

SHA1
ff1f2b77d80848bc1a51e48c21a033eb57d8776c

SHA256
ddc85d749b19cbabae11a0b8f7114daf75900179a2147280dd0f9f8faee7d65c

SHA512
6b9ab157cf8e10d8a79ea2ad4e247210fe2a7fd75dab086eb55951d4e028af3060e1f42175be936c6b093abc2c3071c0fd1c45afee3c567a79e1b722fe5f5d97

Download Submit
C:\Program Files\Ledger Live\resources\app-update.yml
MD5
6aba26b881312f4115c58b567d3153bd

SHA1
8d3e6d4dd7b0010539e0ebe3d51b1774909704a9

SHA256
f12482f786c2944a04391f127c72bf7e1e6c7e2466926c8636af2e4a35394feb

SHA512
af92d24ac83508c816f20fc545ad0f54c7873964fdfea3d9fd41587178a0d8c2ca98a3091a1166b5899c4709847da36a15fdd628793145f1efb1f2d6a3724619

Download Submit
C:\Program Files\Ledger Live\resources\app.asar
MD5
70d3b19b05bfe5c7789f247c2742bd96

SHA1
46219d0ef2edc5ac0e3cdfc6f431fa1eaa176161

SHA256
47ded3029b12bf40909cf3a06d57554ebe7ebfd7406c95ad63af364e7fefcd53

SHA512
dfdba4b30b61a9e0fc2bc852d59864184adcee4a65a4ca9ea1e673d221c3cc8ffe15580517b8c5acffdce400e3c2187f05fd9c8446573ea5f826d2127df49f0c

Download Submit
C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\build\Release\crypto.dll
MD5
323787c1ac33517a14d1606f3c031e17

SHA1
685eb94a22347b79ace0f2ba7fa6e9f6524141db

SHA256
efaf61708b6cfe0861aea8609dc371c75655352a404d3e3c212fa33a35c2191e

SHA512
85f5ac8b308e121a00983561eb6e491b29e6a9d6ffeb79b5cae3b13f64ef992beb802a4964b26d56b82a1ba906a8afe4318ef36752c623353f4fc2e3a8ec5dd5

Download Submit
C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\build\Release\ledger-core-node.node
MD5
7451b751537c2e97da4f7ccde2c46382

SHA1
707bd2612f2a5fb79f57745ac2ea2b73330e6c95

SHA256
376b51461bd30547d5488d85a489935e66e39859ed57591ad336c241071a9d8c

SHA512
2627077dff090a4cd63c2ab1d60f6005e175310c99cc860b4af263df96c066fcad087be5582243a5273fab149ae155f27806e06cf6c9e238a147c011057ca861

Download Submit
C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\build\Release\ledger-core.dll
MD5
9561dab54448c8ec9341a01172c7512a

SHA1
611ce79b7556a0e78d1368f3eb205a1ff0b18017

SHA256
95c4d7d1885b3b9c930db304c0e967b4988a6194690f9ed5d73d2f5900eea804

SHA512
3c2adbe3b67113d121dfe07fcf3240261edd07e65d9a5ab502bfed7726c56518577f8eac7911a106f766fb2af1c8a763a44024f4ddd362832dcf276de50d2201

Download Submit
C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\js\index.js
MD5
f97c80dd97eaff98a3cc220c438cea49

SHA1
2917a9af2000128228dafb233dbe8768d2d60015

SHA256
279cfacb9b658ba8e002f5673a45e12bc9f3125f3ae954870aa1b7fe5f4be022

SHA512
273c93b10d2fbc1e0f5f3fde478638eeeaa3cb4d2b468f413ef3b985a17f2b5788f05a9a3cec3ac5afbe89e34a0b227a6fb8d2a3aa2df57d433ebbe1b8fdea23

Download Submit
C:\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\package.json
MD5
87a415ab9ac566b17fc76e642a655dba

SHA1
abb01bbb7fe17d6fbb12188355f592bda1d5edd0

SHA256
8753583f1879bd3ee64cbf6867be7b90f3dcbd5d6e5bde5b0fbeff6b6066eefc

SHA512
dda54f843a7793b7668a31396f653fc6d56ba2f9fbe38b93c2a5f99d3ef2edb6d8d374d92345eae5b603397280a0dc98605007f7cfec15569cc6d328dd7e2753

Download Submit
C:\Program Files\Ledger Live\swiftshader\libegl.dll
MD5
d68ace0c88e1b4e933d8947f7d1caaa0

SHA1
f526193c10720426ba8b1fc54bf0de2138eaffc0

SHA256
158ebdba4bf1003734d9353d310e2ba5e1c271058bd6f9f45aa255175412c5da

SHA512
f427a9d95ca2b38cb7f8a9d5dc9c2016f9d6957bb01319136195b2c59a576d4722a4d0455eb6bc8f8b6d39e99dd6e4e5904491458ee307ed0e5f8e61db8f6659

Download Submit
C:\Program Files\Ledger Live\swiftshader\libglesv2.dll
MD5
e6c88513ead7aecc9e40ca4ba6b336be

SHA1
51d4727e361a397f5a0625dcf86c7d8089e7f9a2

SHA256
612f229de2cb68d7c635eff653fa5ff91047c3a66cb0d5d1358af02b8da6824d

SHA512
6ca4d7b7eb95153648786717772ec2c4f689f012f1d2d778e4e4d3166c0360f3770c634c74902515d1c7c54eb94343c778db361b672cacb719fb66b46b391f02

Download Submit
C:\Program Files\Ledger Live\v8_context_snapshot.bin
MD5
d9b62a61b9242c2d29da71d58421f08c

SHA1
62eb4411599dba13fe617a860096fe21a8141d0f

SHA256
9010758e1b4453957e561dfe6dd1c891400d7a0fb78097e8e67d9a8076644588

SHA512
1d0bd25bd3c5cb55e80592bc2a15ec94c31263fc518533c8f8d6434e9896f11aabeda2a8fa08601829fcb395ea5c69629ce2ded43d1f8106d982e1d21946832a

Download Submit
C:\Program Files\Ledger Live\vulkan-1.dll
MD5
b133bfee5d29a7ef520e80e93d74aeb9

SHA1
dced89e7d1a0920caf9ad923fa5d1fade0bf36e5

SHA256
4be3b32b999b80a92f22ff30ecaf124408e5189dcb6a4d11d41df44a78341e2c

SHA512
82fcd3c1a7a274fb98557c5a0564d529f4e25ea616e90231c656434ae8ae57fe3a8609552e72b1cb9f782382a49c14db5b4863e381c9b2b86c5c392782ade7d4

Download Submit
\Program Files\Ledger Live\d3dcompiler_47.dll
MD5
fea40e5b591127ae3b065389d058a445

SHA1
621fa52fb488271c25c10c646d67e7ce5f42d4f8

SHA256
4b074a3976399dc735484f5d43d04b519b7bdee8ac719d9ab8ed6bd4e6be0345

SHA512
d2412b701d89e2762c72dd99a48283d601dd4311e3731d690cc2ab6cced20994fa67bf3fea4920291fc407cd946e20bdc85836e6786766a1b98a86febaa0e3d9

Download Submit
\Program Files\Ledger Live\ffmpeg.dll
MD5
8753b30c978467aa1c2253e3b7718d3c

SHA1
5adce8f036e0082419b975cfecda00e9ccb11961

SHA256
092d1cbc999ed0d08ccfa7426b257f8083dc5e4e957b985284b54eda3debd0a3

SHA512
1368c85fabd09cc4ad17cc6411e3428013bc7b94087302c0e7ba791d09c5e80677c8a0305c42be601f759f53842cc97055720c4421b6c8cc50a94991749d0c94

Download Submit
\Program Files\Ledger Live\ffmpeg.dll
MD5
8753b30c978467aa1c2253e3b7718d3c

SHA1
5adce8f036e0082419b975cfecda00e9ccb11961

SHA256
092d1cbc999ed0d08ccfa7426b257f8083dc5e4e957b985284b54eda3debd0a3

SHA512
1368c85fabd09cc4ad17cc6411e3428013bc7b94087302c0e7ba791d09c5e80677c8a0305c42be601f759f53842cc97055720c4421b6c8cc50a94991749d0c94

Download Submit
\Program Files\Ledger Live\ffmpeg.dll
MD5
8753b30c978467aa1c2253e3b7718d3c

SHA1
5adce8f036e0082419b975cfecda00e9ccb11961

SHA256
092d1cbc999ed0d08ccfa7426b257f8083dc5e4e957b985284b54eda3debd0a3

SHA512
1368c85fabd09cc4ad17cc6411e3428013bc7b94087302c0e7ba791d09c5e80677c8a0305c42be601f759f53842cc97055720c4421b6c8cc50a94991749d0c94

Download Submit
\Program Files\Ledger Live\ffmpeg.dll
MD5
8753b30c978467aa1c2253e3b7718d3c

SHA1
5adce8f036e0082419b975cfecda00e9ccb11961

SHA256
092d1cbc999ed0d08ccfa7426b257f8083dc5e4e957b985284b54eda3debd0a3

SHA512
1368c85fabd09cc4ad17cc6411e3428013bc7b94087302c0e7ba791d09c5e80677c8a0305c42be601f759f53842cc97055720c4421b6c8cc50a94991749d0c94

Download Submit
\Program Files\Ledger Live\ffmpeg.dll
MD5
8753b30c978467aa1c2253e3b7718d3c

SHA1
5adce8f036e0082419b975cfecda00e9ccb11961

SHA256
092d1cbc999ed0d08ccfa7426b257f8083dc5e4e957b985284b54eda3debd0a3

SHA512
1368c85fabd09cc4ad17cc6411e3428013bc7b94087302c0e7ba791d09c5e80677c8a0305c42be601f759f53842cc97055720c4421b6c8cc50a94991749d0c94

Download Submit
\Program Files\Ledger Live\ffmpeg.dll
MD5
8753b30c978467aa1c2253e3b7718d3c

SHA1
5adce8f036e0082419b975cfecda00e9ccb11961

SHA256
092d1cbc999ed0d08ccfa7426b257f8083dc5e4e957b985284b54eda3debd0a3

SHA512
1368c85fabd09cc4ad17cc6411e3428013bc7b94087302c0e7ba791d09c5e80677c8a0305c42be601f759f53842cc97055720c4421b6c8cc50a94991749d0c94

Download Submit
\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\build\Release\crypto.dll
MD5
323787c1ac33517a14d1606f3c031e17

SHA1
685eb94a22347b79ace0f2ba7fa6e9f6524141db

SHA256
efaf61708b6cfe0861aea8609dc371c75655352a404d3e3c212fa33a35c2191e

SHA512
85f5ac8b308e121a00983561eb6e491b29e6a9d6ffeb79b5cae3b13f64ef992beb802a4964b26d56b82a1ba906a8afe4318ef36752c623353f4fc2e3a8ec5dd5

Download Submit
\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\build\Release\ledger-core-node.node
MD5
7451b751537c2e97da4f7ccde2c46382

SHA1
707bd2612f2a5fb79f57745ac2ea2b73330e6c95

SHA256
376b51461bd30547d5488d85a489935e66e39859ed57591ad336c241071a9d8c

SHA512
2627077dff090a4cd63c2ab1d60f6005e175310c99cc860b4af263df96c066fcad087be5582243a5273fab149ae155f27806e06cf6c9e238a147c011057ca861

Download Submit
\Program Files\Ledger Live\resources\app.asar.unpacked\node_modules\@ledgerhq\ledger-core\build\Release\ledger-core.dll
MD5
9561dab54448c8ec9341a01172c7512a

SHA1
611ce79b7556a0e78d1368f3eb205a1ff0b18017

SHA256
95c4d7d1885b3b9c930db304c0e967b4988a6194690f9ed5d73d2f5900eea804

SHA512
3c2adbe3b67113d121dfe07fcf3240261edd07e65d9a5ab502bfed7726c56518577f8eac7911a106f766fb2af1c8a763a44024f4ddd362832dcf276de50d2201

Download Submit
\Program Files\Ledger Live\swiftshader\libEGL.dll
MD5
d68ace0c88e1b4e933d8947f7d1caaa0

SHA1
f526193c10720426ba8b1fc54bf0de2138eaffc0

SHA256
158ebdba4bf1003734d9353d310e2ba5e1c271058bd6f9f45aa255175412c5da

SHA512
f427a9d95ca2b38cb7f8a9d5dc9c2016f9d6957bb01319136195b2c59a576d4722a4d0455eb6bc8f8b6d39e99dd6e4e5904491458ee307ed0e5f8e61db8f6659

Download Submit
\Program Files\Ledger Live\swiftshader\libGLESv2.dll
MD5
e6c88513ead7aecc9e40ca4ba6b336be

SHA1
51d4727e361a397f5a0625dcf86c7d8089e7f9a2

SHA256
612f229de2cb68d7c635eff653fa5ff91047c3a66cb0d5d1358af02b8da6824d

SHA512
6ca4d7b7eb95153648786717772ec2c4f689f012f1d2d778e4e4d3166c0360f3770c634c74902515d1c7c54eb94343c778db361b672cacb719fb66b46b391f02

Download Submit
\Program Files\Ledger Live\vulkan-1.dll
MD5
b133bfee5d29a7ef520e80e93d74aeb9

SHA1
dced89e7d1a0920caf9ad923fa5d1fade0bf36e5

SHA256
4be3b32b999b80a92f22ff30ecaf124408e5189dcb6a4d11d41df44a78341e2c

SHA512
82fcd3c1a7a274fb98557c5a0564d529f4e25ea616e90231c656434ae8ae57fe3a8609552e72b1cb9f782382a49c14db5b4863e381c9b2b86c5c392782ade7d4

Download Submit
\Users\Admin\AppData\Local\Temp\0ff7514e-d99d-4ed1-bc77-5104ca492f7d.tmp.node
MD5
b8f87e72240af450c8257d7ee9f63079

SHA1
b20f0db6c90c0711ea3f91b4863f57f05f42c33d

SHA256
16a3e09a55482033543dfd442e6942d705ad754de49a9f575c00baee6aefebf7

SHA512
af5eeced2258eea9adedb77fd76f986cd4317fe8437cb4a77f7c07f0ba1c3030380fd458405353fb953027ab1c7c9d72feac8c64855a21eefa5fc937bddb0b0a

Download Submit
\Users\Admin\AppData\Local\Temp\63a0c8bb-2596-459f-8a2a-29c6748ce0ee.tmp.node
MD5
b8f87e72240af450c8257d7ee9f63079

SHA1
b20f0db6c90c0711ea3f91b4863f57f05f42c33d

SHA256
16a3e09a55482033543dfd442e6942d705ad754de49a9f575c00baee6aefebf7

SHA512
af5eeced2258eea9adedb77fd76f986cd4317fe8437cb4a77f7c07f0ba1c3030380fd458405353fb953027ab1c7c9d72feac8c64855a21eefa5fc937bddb0b0a

Download Submit
\Users\Admin\AppData\Local\Temp\66a24f1b-22aa-4549-ba7e-d5385cd244ec.tmp.node
MD5
7c554f3ba2c65eb19e3f0de25e135fb0

SHA1
47437696b5c593f1b1c251c4c220bdaf66bbb6b1

SHA256
a278414fb7c9b06c79ba27c3773e3c635e08e5d4c53bd6a07b9d1f0c669b6b33

SHA512
e66f1c17f4e8232e606e3b0028b650abe0911c30d45806039276c7351bb229627e906e105042b4d03b8976619204711e7988b4b944c8b8c933759d7b1a939f22

Download Submit
\Users\Admin\AppData\Local\Temp\c4cf9b5f-88ba-44f9-8790-16ce44f4a64a.tmp.node
MD5
14c373b1268668ca3d1f46e4d299bf39

SHA1
0427e180b7670b968b805b5739a9997f2f8b5b8f

SHA256
3dc8262f5886b2fe7955fbcfe22480626587ce9f4e127c970a193b0838d3b1ec

SHA512
931563fad227438b06c26ef99004d3c7cac9fad906331921eba95a085f2f8b4cb535bb83c928a3115cd976fafa5102d2880daec4f59966e47a953f56c3031561

Download Submit
\Users\Admin\AppData\Local\Temp\e3e65c2b-bc6a-483a-9b3c-36d55346164f.tmp.node
MD5
e614ce74efc8f49c086dcc3be7ef75e2

SHA1
e3e79cfb285bc9fbec9e53ad1d73d5215414ff47

SHA256
4083cb5033cbc02664f2081a1728d677b6ce6f014d2631c92723269a62d1e601

SHA512
6eef751c9d3af436bfb5d1a5f7a9c8eb3b78e3e80a7363fe580ac560390a72381062588e0ab2f71573b8296f667688ca27f3fc4d276e823dc28ec3d320a11b60

Download Submit
\Users\Admin\AppData\Local\Temp\nsr576D.tmp\StdUtils.dll
MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsr576D.tmp\System.dll
MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsr576D.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nsr576D.tmp\WinShell.dll
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsr576D.tmp\WinShell.dll
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsr576D.tmp\WinShell.dll
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsr576D.tmp\WinShell.dll
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsr576D.tmp\nsDialogs.dll
MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
\Users\Admin\AppData\Local\Temp\nsr576D.tmp\nsProcess.dll
MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsr576D.tmp\nsProcess.dll
MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsr576D.tmp\nsis7z.dll
MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/1108-21-0x0000021200040000-0x0000021200041000-memory.dmp

Filesize
4KB

Download
memory/1776-23-0x0000000000000000-mapping.dmp

Download
memory/1780-24-0x0000000000000000-mapping.dmp

Download
memory/2196-28-0x00007FFC4DFE0000-0x00007FFC4DFE1000-memory.dmp

Filesize
4KB

Download
memory/2196-26-0x0000000000000000-mapping.dmp

Download
memory/2260-46-0x0000000000000000-mapping.dmp

Download
memory/2260-49-0x0000025900040000-0x0000025900041000-memory.dmp

Filesize
4KB

Download
memory/2828-39-0x0000000000000000-mapping.dmp

Download
memory/2828-43-0x000022EB00040000-0x000022EB00041000-memory.dmp

Filesize
4KB

Download
memory/3884-36-0x0000000000000000-mapping.dmp

Download
memory/4504-62-0x0000000000000000-mapping.dmp

Download