Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
22-09-2022 02:17
General
-
Target
f457ecfcee7e34bb70327873f28bd6bc.exe
-
Size
173KB
-
MD5
f457ecfcee7e34bb70327873f28bd6bc
-
SHA1
f02720fd3aac02b96d7035590fa6bb9e0827dd07
-
SHA256
b6273457e24139306f3e7c3206922e4a08f6db2d17bea0490ebcd8057f0b32e9
-
SHA512
4ff4ab9467c7e572271236efcad12d98c4c926949bc8cfbcbda4a3fa9a455bd0d390b9e179fdf4f657aca4e2f87dab8ce22b961e8bb4ec4f091481a11a8209e5
-
SSDEEP
3072:h2WLg/f50R7tH1vTDmgRWKqdav3+fxr2BOmD/Pk9Dn:9Lg/+R79rWKqdavO9k
Malware Config
Extracted
djvu
http://acacaca.org/lancer/get.php
-
extension
.aabn
-
offline_id
MyudhIExJux2oRQXw95TT1oAPu7mvqRMzxr1eet1
-
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-4Xcf4IX21n Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0565Jhyjd
Extracted
raccoon
7394a7fc5da9794209d8b0503ca4abf4
http://45.8.145.203
Extracted
redline
LogsDiller Cloud (Sup: @mr_golds)
77.73.134.27:8163
-
auth_value
56c6f7b9024c076f0a96931453da7e56
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 10 IoCs
-
Detects Smokeloader packer 2 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 23 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 6 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 12 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 8 IoCs
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 48 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 9 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f457ecfcee7e34bb70327873f28bd6bc.exe"C:\Users\Admin\AppData\Local\Temp\f457ecfcee7e34bb70327873f28bd6bc.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\E2B4.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\E2B4.dll2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\E3AF.exeC:\Users\Admin\AppData\Local\Temp\E3AF.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\E3AF.exeC:\Users\Admin\AppData\Local\Temp\E3AF.exe2⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\304da3f0-ed3c-4c52-946b-212691fa7074" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\E3AF.exe"C:\Users\Admin\AppData\Local\Temp\E3AF.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\E3AF.exe"C:\Users\Admin\AppData\Local\Temp\E3AF.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\9a6fef6c-af3e-40c2-948a-8b9c28c228ca\build2.exe"C:\Users\Admin\AppData\Local\9a6fef6c-af3e-40c2-948a-8b9c28c228ca\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\9a6fef6c-af3e-40c2-948a-8b9c28c228ca\build2.exe"C:\Users\Admin\AppData\Local\9a6fef6c-af3e-40c2-948a-8b9c28c228ca\build2.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" \/c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\9a6fef6c-af3e-40c2-948a-8b9c28c228ca\build2.exe" & del C:\PrograData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\9a6fef6c-af3e-40c2-948a-8b9c28c228ca\build3.exe"C:\Users\Admin\AppData\Local\9a6fef6c-af3e-40c2-948a-8b9c28c228ca\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"6⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\E602.exeC:\Users\Admin\AppData\Local\Temp\E602.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\ECF8.exeC:\Users\Admin\AppData\Local\Temp\ECF8.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"2⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\7D52.exeC:\Users\Admin\AppData\Local\Temp\7D52.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bestrealprizes.life/?u=lq1pd08&o=hdck0gl3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc9fe246f8,0x7ffc9fe24708,0x7ffc9fe247184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5484 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5684 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff77d9f5460,0x7ff77d9f5470,0x7ff77d9f54805⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,9704023959909262691,5199220448338564484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:84⤵
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\setup1.exe"C:\Users\Admin\AppData\Local\Temp\setup1.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"5⤵
- Blocklisted process makes network request
-
C:\Windows\Temp\s.exe"C:\Windows\Temp\s.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\setup1.exe"C:\Users\Admin\AppData\Local\Temp\setup1.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"6⤵
- Blocklisted process makes network request
-
C:\Windows\Temp\s.exe"C:\Windows\Temp\s.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\setup1.exe"C:\Users\Admin\AppData\Local\Temp\setup1.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"7⤵
- Blocklisted process makes network request
-
C:\Windows\Temp\s.exe"C:\Windows\Temp\s.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\setup1.exe"C:\Users\Admin\AppData\Local\Temp\setup1.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"4⤵
- Blocklisted process makes network request
-
C:\Windows\Temp\s.exe"C:\Windows\Temp\s.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\808F.exeC:\Users\Admin\AppData\Local\Temp\808F.exe1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyADMA2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DFilesize
2KB
MD51c626eac6241b02b0082a76f150a3a8a
SHA1b7c0c6ae1d3d5a2beaf4c4f3744cac6285f04858
SHA256412116af67c3a894bee8821158ee91447ca6cfe0d5b43d0524e6c5af5defaf69
SHA5128550f0ec9a9c5f152a3b5eb49a91084d3201589373b8d381233926f1ac34bd0c276fa1e3c9da75bd8297f417d9f566f4bf6b882107c7255522f745e6d446802a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2BC2D09D2C3B9097A22A2E8DDF9B7F10Filesize
503B
MD537a43fd4b91d6a0677fc77730fbd23ff
SHA1f733a6b6feddaf37a1db1d0b93a72cc5324db38d
SHA256dc1ad8c6fbffaee84a5e2fdcb7a02e85204f943eae63c14c73ed8bc360201d6b
SHA5120520405d9234e06899fb90bd9a98b35f3b34e5ace58d52208ab425866ab47a0faba740ab495755f7aaa59ebef64e3f6ace81261391318b96031ac7750ebb03be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
1KB
MD548e98893438d04fa64bb49bbdafbf960
SHA1e28578281fc80cb97275a94aa0e9da0db8285b87
SHA2562ad261d743636a48688f1d3a1a9def925c6a7642db3dea12b8c23e5aac46719d
SHA5129eb1160e51ce79e0a7055a053ac5f25d2ff8d7277f8af146c188a1bd24deddd12df219aeb410f072b26ccaa114b88d7680d474c86736a0ab3187ec7ee08c73b0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DFilesize
488B
MD548f144cd835b1d834d3a7d1bd2491659
SHA10b1abaf0b6d6f415a0382929f4ef4d2d001e5a04
SHA2561ab12bee9698ad6290a021cb9d2c30ed025ce25e8fc488b3f87ea1b88b82f709
SHA512c8c889bc49e1c5c9a6f42071fe5f7a5508890b9c87dca6dc4ff63c3ef8ee6e32282aca866cf630527d5ceb5570a6c73ac6bd8ca847887260fb9d98e7f6b52d18
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD55637eae772f60af1d82facc32d2e95e8
SHA1c65e8483756f6f18c9a7c2aacef406f3d5560ff8
SHA2565b7e57ca7a0ecdfe5ce12ce5e0ecc725143da36b0a3e184e3181a9dffde2f2f0
SHA512997b8e624d69a912396d219b352fbab40b58c4435eb77c57a243b6bf0563ce1612d9b5e9e16848426f1652892322be52d0610e5ff1aad72a2407ff6f023f3cb3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2BC2D09D2C3B9097A22A2E8DDF9B7F10Filesize
548B
MD54bec0a3b1aac8a1f2ff275d0b9445723
SHA1ae38d0bbe84f0756e0fc08e84ebf7ebec9ce4774
SHA256cc7f4ac439ba8aa02f27e9dd79910ea04a9046df3b5b699666657ecba76ace4d
SHA5120baa504499b7458f6cc8f5e39c06cf2209463898e212e00731927b9ca24201f207be338867afb0e2f18c174e1ac591a7fe8c2170e1af275bb9cda984c20f6a1d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
482B
MD57e5278ded8a75451f23c6575f4543d7e
SHA12addb19ab434c06086d0b06c0f008bc9681db059
SHA25699e39a4f5cd6facbd52ce4adc2061839b6b9c9ea1eabc3bc18aeb62b068bea4b
SHA512221f31b0085ee46feda3a3fa9d5f0e0e0fb252aaefcf91e6b10c409ea02aa388b62ca306f368951a60f9e716e9c4aecae9a46ea342b1ba3040dfe16a497f0c70
-
C:\Users\Admin\AppData\LocalLow\mozglue.dllFilesize
612KB
MD5f07d9977430e762b563eaadc2b94bbfa
SHA1da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA2564191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA5126afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
-
C:\Users\Admin\AppData\LocalLow\nss3.dllFilesize
1.9MB
MD5f67d08e8c02574cbc2f1122c53bfb976
SHA16522992957e7e4d074947cad63189f308a80fcf2
SHA256c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA5122e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
C:\Users\Admin\AppData\LocalLow\sqlite3.dllFilesize
1.0MB
MD5dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1bbac1dd8a07c6069415c04b62747d794736d0689
SHA25647b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
C:\Users\Admin\AppData\Local\304da3f0-ed3c-4c52-946b-212691fa7074\E3AF.exeFilesize
665KB
MD576e6696f56054c936deceabdd72b2106
SHA1d976af42d7dab3b8b63bf591b662b83cfa449f7f
SHA2567a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2
SHA512bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c
-
C:\Users\Admin\AppData\Local\9a6fef6c-af3e-40c2-948a-8b9c28c228ca\build2.exeFilesize
246KB
MD54e08ecaa075b90f30327bf200d23130b
SHA1f7b67a7abbe3815bd758933f7c4712bd4d4ec4b2
SHA2566c11af0bbd346329224255d38a07fb9db5828881d3520ab4623c7a5fc09ecd47
SHA512e7deeafe000b034cd4d71776cd1285e33d295a830f3459506dd7332e8c1c61b43ec2fdc406c22ba5262aa62a795421492f7e54602bfe08102b8b2a000d150bb7
-
C:\Users\Admin\AppData\Local\9a6fef6c-af3e-40c2-948a-8b9c28c228ca\build2.exeFilesize
246KB
MD54e08ecaa075b90f30327bf200d23130b
SHA1f7b67a7abbe3815bd758933f7c4712bd4d4ec4b2
SHA2566c11af0bbd346329224255d38a07fb9db5828881d3520ab4623c7a5fc09ecd47
SHA512e7deeafe000b034cd4d71776cd1285e33d295a830f3459506dd7332e8c1c61b43ec2fdc406c22ba5262aa62a795421492f7e54602bfe08102b8b2a000d150bb7
-
C:\Users\Admin\AppData\Local\9a6fef6c-af3e-40c2-948a-8b9c28c228ca\build2.exeFilesize
246KB
MD54e08ecaa075b90f30327bf200d23130b
SHA1f7b67a7abbe3815bd758933f7c4712bd4d4ec4b2
SHA2566c11af0bbd346329224255d38a07fb9db5828881d3520ab4623c7a5fc09ecd47
SHA512e7deeafe000b034cd4d71776cd1285e33d295a830f3459506dd7332e8c1c61b43ec2fdc406c22ba5262aa62a795421492f7e54602bfe08102b8b2a000d150bb7
-
C:\Users\Admin\AppData\Local\9a6fef6c-af3e-40c2-948a-8b9c28c228ca\build3.exeFilesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
C:\Users\Admin\AppData\Local\9a6fef6c-af3e-40c2-948a-8b9c28c228ca\build3.exeFilesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Temp\7D52.exeFilesize
2.6MB
MD50b9978d5b7c98f448f01a37add0d1cab
SHA17faccb84b6e5f026ae2c9a57c85f44ae17ae8cfa
SHA256dc2879d1ea852d721808045d04e9c98dca28623ace248eb2efdd84701255cd68
SHA512e24b09ee83b9a4a36ca5594f1c12e9015b7f9eeb103de1a6bbe82ad5d453282fe834d5d5190886df7e8814bccd8dca7ec4009965717b6b57716f0907d8298b7e
-
C:\Users\Admin\AppData\Local\Temp\7D52.exeFilesize
2.6MB
MD50b9978d5b7c98f448f01a37add0d1cab
SHA17faccb84b6e5f026ae2c9a57c85f44ae17ae8cfa
SHA256dc2879d1ea852d721808045d04e9c98dca28623ace248eb2efdd84701255cd68
SHA512e24b09ee83b9a4a36ca5594f1c12e9015b7f9eeb103de1a6bbe82ad5d453282fe834d5d5190886df7e8814bccd8dca7ec4009965717b6b57716f0907d8298b7e
-
C:\Users\Admin\AppData\Local\Temp\808F.exeFilesize
1.1MB
MD5137b9eea525bfc1e54784bb2f450b8b9
SHA1e34f7a90d8f1994413184f819d23869e7bb273b1
SHA2561b4b2a3aaa2f2c85b12f84e346b947230bbe6ae2af7883f2019549ba6c295d26
SHA5123aeff673467741685ff1819dc5089a7088c12d9d16cc0f72507c1703c4f85639eb28801feeec8bf71a1d500938cb556db724e6f0e4d3876aea7517b6fcdccb8c
-
C:\Users\Admin\AppData\Local\Temp\808F.exeFilesize
1.1MB
MD5137b9eea525bfc1e54784bb2f450b8b9
SHA1e34f7a90d8f1994413184f819d23869e7bb273b1
SHA2561b4b2a3aaa2f2c85b12f84e346b947230bbe6ae2af7883f2019549ba6c295d26
SHA5123aeff673467741685ff1819dc5089a7088c12d9d16cc0f72507c1703c4f85639eb28801feeec8bf71a1d500938cb556db724e6f0e4d3876aea7517b6fcdccb8c
-
C:\Users\Admin\AppData\Local\Temp\E2B4.dllFilesize
1.4MB
MD53ee96204441d27dcc2de050ede40c2a3
SHA13b2d387ca9663b7b1abf4531f85545c9df0cb076
SHA2564061b94fcb0ddf184beead8d29d4d5b135e4d813b3b6ba237b1ddcc5e62c8cda
SHA512133688d048d6dc96e8df8d792e46c247da24879fb07467fcd5a35b9631083816fc90aa9a4d74a5e63d1d85901e75973d827e41a32b9eb34596a2532a27384e39
-
C:\Users\Admin\AppData\Local\Temp\E2B4.dllFilesize
1.4MB
MD53ee96204441d27dcc2de050ede40c2a3
SHA13b2d387ca9663b7b1abf4531f85545c9df0cb076
SHA2564061b94fcb0ddf184beead8d29d4d5b135e4d813b3b6ba237b1ddcc5e62c8cda
SHA512133688d048d6dc96e8df8d792e46c247da24879fb07467fcd5a35b9631083816fc90aa9a4d74a5e63d1d85901e75973d827e41a32b9eb34596a2532a27384e39
-
C:\Users\Admin\AppData\Local\Temp\E3AF.exeFilesize
665KB
MD576e6696f56054c936deceabdd72b2106
SHA1d976af42d7dab3b8b63bf591b662b83cfa449f7f
SHA2567a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2
SHA512bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c
-
C:\Users\Admin\AppData\Local\Temp\E3AF.exeFilesize
665KB
MD576e6696f56054c936deceabdd72b2106
SHA1d976af42d7dab3b8b63bf591b662b83cfa449f7f
SHA2567a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2
SHA512bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c
-
C:\Users\Admin\AppData\Local\Temp\E3AF.exeFilesize
665KB
MD576e6696f56054c936deceabdd72b2106
SHA1d976af42d7dab3b8b63bf591b662b83cfa449f7f
SHA2567a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2
SHA512bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c
-
C:\Users\Admin\AppData\Local\Temp\E3AF.exeFilesize
665KB
MD576e6696f56054c936deceabdd72b2106
SHA1d976af42d7dab3b8b63bf591b662b83cfa449f7f
SHA2567a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2
SHA512bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c
-
C:\Users\Admin\AppData\Local\Temp\E3AF.exeFilesize
665KB
MD576e6696f56054c936deceabdd72b2106
SHA1d976af42d7dab3b8b63bf591b662b83cfa449f7f
SHA2567a407b98c83a3dc82fe9d02fc88bf4c2bd9df05c921d57410f1de8c0d07ae6f2
SHA512bc41bbb6efd9086a045b7a7f348b0063f48c6e7a6bd2eae7d313d3596cb75c2c602109f9f6c6f24abdc658a3fd835dcb4a705f8d62869aa616184c6af33e022c
-
C:\Users\Admin\AppData\Local\Temp\E602.exeFilesize
173KB
MD5afd0ba85921f22baf6771b08c1f0b7b4
SHA19ac3587851f3b187b4de239aabf9831173949469
SHA2568575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4
SHA512c0162eb418bac2dee40bebc32e5b68b500637cadccb9737c49b49bbc1286ab0744de95275a8a7ff9ad92f9bc5715156a69d7de93eb47934d1e7862dc12b66d45
-
C:\Users\Admin\AppData\Local\Temp\E602.exeFilesize
173KB
MD5afd0ba85921f22baf6771b08c1f0b7b4
SHA19ac3587851f3b187b4de239aabf9831173949469
SHA2568575bcbeb8127ac6164d388b5f70b9a2eafead39730deed5bf99d325133b35b4
SHA512c0162eb418bac2dee40bebc32e5b68b500637cadccb9737c49b49bbc1286ab0744de95275a8a7ff9ad92f9bc5715156a69d7de93eb47934d1e7862dc12b66d45
-
C:\Users\Admin\AppData\Local\Temp\ECF8.exeFilesize
6.6MB
MD54c9e48dcb47c4b46eca3a51605c71d2d
SHA1581847ba15f650291ebc111e95ed938476d16090
SHA256baa1661c6a590204e4e87e5ab7c5ed622c988f28d9c4ccf72a5db2883dc8c47e
SHA51299932cb133e382a3416e56690b4ab670f7d279e466abbb50f562705f41d8cf1ef4547357c8e310d7358c4de5c47b201d6e573426f8ef0912e9c03deee5314ec0
-
C:\Users\Admin\AppData\Local\Temp\ECF8.exeFilesize
6.6MB
MD54c9e48dcb47c4b46eca3a51605c71d2d
SHA1581847ba15f650291ebc111e95ed938476d16090
SHA256baa1661c6a590204e4e87e5ab7c5ed622c988f28d9c4ccf72a5db2883dc8c47e
SHA51299932cb133e382a3416e56690b4ab670f7d279e466abbb50f562705f41d8cf1ef4547357c8e310d7358c4de5c47b201d6e573426f8ef0912e9c03deee5314ec0
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
3.2MB
MD5d4bfc3207e75c9abec7f189615ea74b3
SHA13210f5a8f4d4a81a8f928fc1a5510cd7703c5fc6
SHA2561ebbaa7747ec547b511fa90255cc4cb1c6993bbe9a112a650cfbd2c532cf2cfa
SHA51202371b8da448c7de945174cd8a2b609046b2627270682a8e7384e42d9c7b9909d0f5f9c50d170965f92843ce649505b0ce4c833ba4158585b3cea219f5e5ca65
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
3.2MB
MD5d4bfc3207e75c9abec7f189615ea74b3
SHA13210f5a8f4d4a81a8f928fc1a5510cd7703c5fc6
SHA2561ebbaa7747ec547b511fa90255cc4cb1c6993bbe9a112a650cfbd2c532cf2cfa
SHA51202371b8da448c7de945174cd8a2b609046b2627270682a8e7384e42d9c7b9909d0f5f9c50d170965f92843ce649505b0ce4c833ba4158585b3cea219f5e5ca65
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
3.2MB
MD5d4bfc3207e75c9abec7f189615ea74b3
SHA13210f5a8f4d4a81a8f928fc1a5510cd7703c5fc6
SHA2561ebbaa7747ec547b511fa90255cc4cb1c6993bbe9a112a650cfbd2c532cf2cfa
SHA51202371b8da448c7de945174cd8a2b609046b2627270682a8e7384e42d9c7b9909d0f5f9c50d170965f92843ce649505b0ce4c833ba4158585b3cea219f5e5ca65
-
C:\Users\Admin\AppData\Local\Temp\setup1.exeFilesize
391KB
MD5bff94e35072fb0ea2f97a503ef4d70c7
SHA11fa9290e2908dc5dfc435480ecd5ec477287ecc8
SHA25687b69d3036634b9ccaa6166afab115b66e51b3462259c1eb7eb098a6bcc074f9
SHA5128a1b16eecec39ceab38796c42ffa9c8fd4f9794a32212991fb45b54a9ddc5721a3ea099328989d8037b0763b9b5e8cb0aa4fd172d145ed01b4efcd4073d368a6
-
C:\Users\Admin\AppData\Local\Temp\setup1.exeFilesize
391KB
MD5bff94e35072fb0ea2f97a503ef4d70c7
SHA11fa9290e2908dc5dfc435480ecd5ec477287ecc8
SHA25687b69d3036634b9ccaa6166afab115b66e51b3462259c1eb7eb098a6bcc074f9
SHA5128a1b16eecec39ceab38796c42ffa9c8fd4f9794a32212991fb45b54a9ddc5721a3ea099328989d8037b0763b9b5e8cb0aa4fd172d145ed01b4efcd4073d368a6
-
C:\Users\Admin\AppData\Local\Temp\setup1.exeFilesize
391KB
MD5bff94e35072fb0ea2f97a503ef4d70c7
SHA11fa9290e2908dc5dfc435480ecd5ec477287ecc8
SHA25687b69d3036634b9ccaa6166afab115b66e51b3462259c1eb7eb098a6bcc074f9
SHA5128a1b16eecec39ceab38796c42ffa9c8fd4f9794a32212991fb45b54a9ddc5721a3ea099328989d8037b0763b9b5e8cb0aa4fd172d145ed01b4efcd4073d368a6
-
C:\Users\Admin\AppData\Local\Temp\setup1.exeFilesize
391KB
MD5bff94e35072fb0ea2f97a503ef4d70c7
SHA11fa9290e2908dc5dfc435480ecd5ec477287ecc8
SHA25687b69d3036634b9ccaa6166afab115b66e51b3462259c1eb7eb098a6bcc074f9
SHA5128a1b16eecec39ceab38796c42ffa9c8fd4f9794a32212991fb45b54a9ddc5721a3ea099328989d8037b0763b9b5e8cb0aa4fd172d145ed01b4efcd4073d368a6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnkFilesize
2KB
MD50b7e2bd7a64217c7e60f115015589eb0
SHA11e6b5ad5827528a9526c266569e5c705300bb406
SHA256b7d564a4339aea8a7c87eb4c1614a1938439b7ef19a32e34cff4e75375914e99
SHA512f8159c4af9cb607ea6ee3c5f1cade80b7ebfba4aaeb4f00edd84782c7c3f46b87f25eee04287b2fb470501667a50906a6b3229522ae0ade916c9cbcd9e620ee1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeFilesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeFilesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5ecd0b236044c195cdbfc659f09265002
SHA1ddd519ebcf5ee8bf0bd9bd8d77abbe9d2da46af4
SHA2569ce03616e17348e004d44e06e26c96108870e500d0c54f22ea1e866e26d2a848
SHA512fded23e747a5df09c5c497dd5e83846041cf72feb7964f20f1281c4f66e074a7f4b0572886e2cf6dcb7fe50e8eb6344c7571d7c90a0d954039dc79a9ef374d4b
-
C:\Windows\Temp\1.vbsFilesize
105B
MD5b78957dba21a7c463da18967c4951f2b
SHA184d5a0286d9856c46205ae7ab0b257a72f5703ee
SHA25640453adbf7c5e7085694e13881b3a125e6f391f4c8da252254e29fc8e3370131
SHA512d83ca6a1df2a6d3f31ffcc5535bf0d922846c6898ab3ca7547d3f3efb02a3f87f4006a35a3cf7b8af20638efa5058c5bd882d828a0770d3f45a4626f2be3b541
-
C:\Windows\Temp\s.exeFilesize
180KB
MD5a31ed17832b1626334dcc49831cb6189
SHA1283a5c4630b67d11a1f28ea770228a707b6cf9a0
SHA2567ee1a72f29ff8210de678f7d553754d9ba556e49c0f981b79fd956ae9a9cd027
SHA5121c4a3da4f377c90ed6390ae928975c48ed0e2d9bea21f9f79577f17d3bfe70137d6ec56258c349c3e180c934649f16e3e8aa03981af5ef399fd7e66a9625b573
-
C:\Windows\Temp\s.exeFilesize
180KB
MD5a31ed17832b1626334dcc49831cb6189
SHA1283a5c4630b67d11a1f28ea770228a707b6cf9a0
SHA2567ee1a72f29ff8210de678f7d553754d9ba556e49c0f981b79fd956ae9a9cd027
SHA5121c4a3da4f377c90ed6390ae928975c48ed0e2d9bea21f9f79577f17d3bfe70137d6ec56258c349c3e180c934649f16e3e8aa03981af5ef399fd7e66a9625b573
-
C:\Windows\Temp\s.exeFilesize
180KB
MD5a31ed17832b1626334dcc49831cb6189
SHA1283a5c4630b67d11a1f28ea770228a707b6cf9a0
SHA2567ee1a72f29ff8210de678f7d553754d9ba556e49c0f981b79fd956ae9a9cd027
SHA5121c4a3da4f377c90ed6390ae928975c48ed0e2d9bea21f9f79577f17d3bfe70137d6ec56258c349c3e180c934649f16e3e8aa03981af5ef399fd7e66a9625b573
-
C:\Windows\Temp\s.exeFilesize
180KB
MD5a31ed17832b1626334dcc49831cb6189
SHA1283a5c4630b67d11a1f28ea770228a707b6cf9a0
SHA2567ee1a72f29ff8210de678f7d553754d9ba556e49c0f981b79fd956ae9a9cd027
SHA5121c4a3da4f377c90ed6390ae928975c48ed0e2d9bea21f9f79577f17d3bfe70137d6ec56258c349c3e180c934649f16e3e8aa03981af5ef399fd7e66a9625b573
-
\??\pipe\LOCAL\crashpad_1740_FXGSFLHRNORAAAKXMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/220-157-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/220-173-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/220-151-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/220-149-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/220-148-0x0000000000000000-mapping.dmp
-
memory/220-152-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/308-286-0x0000000000000000-mapping.dmp
-
memory/308-288-0x0000000000140000-0x000000000014D000-memory.dmpFilesize
52KB
-
memory/308-287-0x0000000000150000-0x0000000000157000-memory.dmpFilesize
28KB
-
memory/700-161-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/700-166-0x0000000000470000-0x00000000004E5000-memory.dmpFilesize
468KB
-
memory/700-156-0x0000000000000000-mapping.dmp
-
memory/700-168-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/828-202-0x0000000000000000-mapping.dmp
-
memory/1196-281-0x0000000000000000-mapping.dmp
-
memory/1196-285-0x0000000001100000-0x000000000110B000-memory.dmpFilesize
44KB
-
memory/1196-284-0x0000000001110000-0x0000000001116000-memory.dmpFilesize
24KB
-
memory/1252-275-0x0000000000AD0000-0x0000000000AF7000-memory.dmpFilesize
156KB
-
memory/1252-278-0x0000000000B00000-0x0000000000B22000-memory.dmpFilesize
136KB
-
memory/1252-273-0x0000000000000000-mapping.dmp
-
memory/1276-234-0x0000000000000000-mapping.dmp
-
memory/1440-164-0x0000000000000000-mapping.dmp
-
memory/1440-165-0x0000000000580000-0x000000000058C000-memory.dmpFilesize
48KB
-
memory/1508-274-0x00000000005A0000-0x00000000005AC000-memory.dmpFilesize
48KB
-
memory/1508-272-0x00000000005B0000-0x00000000005B6000-memory.dmpFilesize
24KB
-
memory/1508-266-0x0000000000000000-mapping.dmp
-
memory/1672-180-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1672-177-0x0000000000000000-mapping.dmp
-
memory/1672-231-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1672-182-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1672-191-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1688-139-0x0000000000000000-mapping.dmp
-
memory/1688-188-0x00000000028F0000-0x0000000002A1C000-memory.dmpFilesize
1.2MB
-
memory/1688-190-0x0000000002C00000-0x0000000002CBC000-memory.dmpFilesize
752KB
-
memory/1688-189-0x0000000002B10000-0x0000000002BF7000-memory.dmpFilesize
924KB
-
memory/1688-192-0x0000000002CC0000-0x0000000002D68000-memory.dmpFilesize
672KB
-
memory/1712-324-0x0000000000000000-mapping.dmp
-
memory/1740-304-0x0000000000000000-mapping.dmp
-
memory/1860-280-0x0000000000C20000-0x0000000000C29000-memory.dmpFilesize
36KB
-
memory/1860-279-0x0000000000C30000-0x0000000000C35000-memory.dmpFilesize
20KB
-
memory/1860-277-0x0000000000000000-mapping.dmp
-
memory/2040-316-0x00007FF6BBC50000-0x00007FF6BC50B000-memory.dmpFilesize
8.7MB
-
memory/2040-322-0x00007FF6BBC50000-0x00007FF6BC50B000-memory.dmpFilesize
8.7MB
-
memory/2040-313-0x00007FF6BBC50000-0x00007FF6BC50B000-memory.dmpFilesize
8.7MB
-
memory/2040-310-0x0000000000000000-mapping.dmp
-
memory/2088-138-0x0000000000000000-mapping.dmp
-
memory/2088-147-0x00000000022C0000-0x00000000023DB000-memory.dmpFilesize
1.1MB
-
memory/2088-146-0x0000000002222000-0x00000000022B3000-memory.dmpFilesize
580KB
-
memory/2140-331-0x0000000000000000-mapping.dmp
-
memory/2220-169-0x0000000000000000-mapping.dmp
-
memory/2612-232-0x0000000000000000-mapping.dmp
-
memory/2612-329-0x0000000000000000-mapping.dmp
-
memory/3100-195-0x0000000000000000-mapping.dmp
-
memory/3100-207-0x0000000000778000-0x00000000007A2000-memory.dmpFilesize
168KB
-
memory/3100-209-0x00000000006F0000-0x0000000000737000-memory.dmpFilesize
284KB
-
memory/3184-305-0x0000000000000000-mapping.dmp
-
memory/3460-239-0x0000000000000000-mapping.dmp
-
memory/3520-315-0x0000000000000000-mapping.dmp
-
memory/3660-181-0x00000000022BB000-0x000000000234C000-memory.dmpFilesize
580KB
-
memory/3660-171-0x0000000000000000-mapping.dmp
-
memory/3848-319-0x0000000000000000-mapping.dmp
-
memory/3952-264-0x00000000004D0000-0x00000000004D5000-memory.dmpFilesize
20KB
-
memory/3952-265-0x00000000004C0000-0x00000000004C9000-memory.dmpFilesize
36KB
-
memory/3952-260-0x0000000000000000-mapping.dmp
-
memory/4112-269-0x0000000005230000-0x0000000005858000-memory.dmpFilesize
6.2MB
-
memory/4112-282-0x00000000078C0000-0x0000000007F3A000-memory.dmpFilesize
6.5MB
-
memory/4112-270-0x00000000059D0000-0x0000000005A36000-memory.dmpFilesize
408KB
-
memory/4112-276-0x0000000006080000-0x000000000609E000-memory.dmpFilesize
120KB
-
memory/4112-271-0x0000000005A40000-0x0000000005AA6000-memory.dmpFilesize
408KB
-
memory/4112-267-0x0000000000000000-mapping.dmp
-
memory/4112-268-0x0000000002AC0000-0x0000000002AF6000-memory.dmpFilesize
216KB
-
memory/4112-283-0x0000000006520000-0x000000000653A000-memory.dmpFilesize
104KB
-
memory/4296-203-0x0000000000000000-mapping.dmp
-
memory/4296-210-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4296-211-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/4296-204-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4296-233-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4296-208-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4296-206-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4308-132-0x00000000008A8000-0x00000000008B9000-memory.dmpFilesize
68KB
-
memory/4308-133-0x0000000000820000-0x0000000000829000-memory.dmpFilesize
36KB
-
memory/4308-134-0x0000000000400000-0x0000000000586000-memory.dmpFilesize
1.5MB
-
memory/4308-135-0x0000000000400000-0x0000000000586000-memory.dmpFilesize
1.5MB
-
memory/4444-238-0x0000000000000000-mapping.dmp
-
memory/4656-136-0x0000000000000000-mapping.dmp
-
memory/4708-235-0x0000000000000000-mapping.dmp
-
memory/4908-290-0x00000000011F0000-0x00000000011F8000-memory.dmpFilesize
32KB
-
memory/4908-291-0x00000000011E0000-0x00000000011EB000-memory.dmpFilesize
44KB
-
memory/4908-289-0x0000000000000000-mapping.dmp
-
memory/4956-153-0x0000000000000000-mapping.dmp
-
memory/4956-317-0x0000000000000000-mapping.dmp
-
memory/4956-167-0x0000000000400000-0x0000000000E43000-memory.dmpFilesize
10.3MB
-
memory/4956-162-0x0000000000400000-0x0000000000E43000-memory.dmpFilesize
10.3MB
-
memory/4956-198-0x0000000000400000-0x0000000000E43000-memory.dmpFilesize
10.3MB
-
memory/5048-199-0x0000000000000000-mapping.dmp
-
memory/5116-159-0x0000000002080000-0x0000000002089000-memory.dmpFilesize
36KB
-
memory/5116-160-0x0000000000400000-0x0000000000586000-memory.dmpFilesize
1.5MB
-
memory/5116-143-0x0000000000000000-mapping.dmp
-
memory/5116-187-0x0000000000400000-0x0000000000586000-memory.dmpFilesize
1.5MB
-
memory/5116-158-0x00000000005C9000-0x00000000005DA000-memory.dmpFilesize
68KB
-
memory/5388-338-0x0000000000000000-mapping.dmp
-
memory/5452-339-0x0000000000000000-mapping.dmp
-
memory/5488-340-0x0000000000000000-mapping.dmp
-
memory/5696-345-0x0000000000000000-mapping.dmp
-
memory/5900-347-0x0000000000000000-mapping.dmp
-
memory/5936-349-0x0000000000000000-mapping.dmp
-
memory/6160-353-0x0000000000000000-mapping.dmp
-
memory/6176-355-0x0000000000000000-mapping.dmp
-
memory/6220-357-0x0000000000000000-mapping.dmp
-
memory/6464-359-0x0000000000000000-mapping.dmp
-
memory/6500-360-0x0000000000000000-mapping.dmp
-
memory/6664-363-0x0000000000000000-mapping.dmp
-
memory/6848-364-0x0000000000000000-mapping.dmp
-
memory/6900-366-0x0000000000000000-mapping.dmp
-
memory/6920-367-0x0000000000000000-mapping.dmp
-
memory/7024-369-0x0000000000000000-mapping.dmp
-
memory/7024-371-0x00007FF6BBC50000-0x00007FF6BC50B000-memory.dmpFilesize
8.7MB
-
memory/7024-372-0x00007FF6BBC50000-0x00007FF6BC50B000-memory.dmpFilesize
8.7MB
-
memory/7024-373-0x00007FF6BBC50000-0x00007FF6BC50B000-memory.dmpFilesize
8.7MB
-
memory/7180-382-0x0000000000000000-mapping.dmp
-
memory/7228-384-0x0000000000000000-mapping.dmp
-
memory/7248-385-0x0000000000000000-mapping.dmp
-
memory/7344-387-0x0000000000000000-mapping.dmp
-
memory/7344-390-0x00007FF6BBC50000-0x00007FF6BC50B000-memory.dmpFilesize
8.7MB
-
memory/7344-391-0x00007FF6BBC50000-0x00007FF6BC50B000-memory.dmpFilesize
8.7MB
-
memory/7344-392-0x00007FF6BBC50000-0x00007FF6BC50B000-memory.dmpFilesize
8.7MB
-
memory/7460-395-0x0000000000000000-mapping.dmp
-
memory/7508-396-0x0000000000000000-mapping.dmp
-
memory/7532-397-0x0000000000000000-mapping.dmp
-
memory/26956-263-0x00000000081C0000-0x00000000081E2000-memory.dmpFilesize
136KB
-
memory/26956-246-0x00000000001F0000-0x0000000000314000-memory.dmpFilesize
1.1MB
-
memory/26956-242-0x0000000000000000-mapping.dmp
-
memory/42076-248-0x0000000000C90000-0x0000000000C9B000-memory.dmpFilesize
44KB
-
memory/42076-247-0x00000000010E0000-0x00000000010E7000-memory.dmpFilesize
28KB
-
memory/42076-245-0x0000000000000000-mapping.dmp
-
memory/78680-249-0x0000000000000000-mapping.dmp
-
memory/78680-257-0x0000000000FF0000-0x0000000000FF9000-memory.dmpFilesize
36KB
-
memory/78680-259-0x0000000000FE0000-0x0000000000FEF000-memory.dmpFilesize
60KB
-
memory/91108-294-0x0000000006020000-0x0000000006096000-memory.dmpFilesize
472KB
-
memory/91108-293-0x0000000005B80000-0x0000000005C12000-memory.dmpFilesize
584KB
-
memory/91108-251-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/91108-295-0x00000000060A0000-0x00000000060F0000-memory.dmpFilesize
320KB
-
memory/91108-292-0x0000000006130000-0x00000000066D4000-memory.dmpFilesize
5.6MB
-
memory/91108-250-0x0000000000000000-mapping.dmp
-
memory/91108-262-0x0000000005090000-0x00000000050CC000-memory.dmpFilesize
240KB
-
memory/91108-261-0x0000000005010000-0x0000000005022000-memory.dmpFilesize
72KB
-
memory/91108-258-0x00000000050E0000-0x00000000051EA000-memory.dmpFilesize
1.0MB
-
memory/91108-297-0x0000000006FB0000-0x00000000074DC000-memory.dmpFilesize
5.2MB
-
memory/91108-296-0x00000000068B0000-0x0000000006A72000-memory.dmpFilesize
1.8MB
-
memory/91108-256-0x0000000005560000-0x0000000005B78000-memory.dmpFilesize
6.1MB