raccoon | 8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058.exe
Size

39.9MB
MD5

fd8058fe93fa938472722334f497e920
SHA1

9d56a463fb795a3e87b6063d554aa5538a9b31c6
SHA256

8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058
SHA512

d6179132f6bec008a8e84422aa5575bfa97f6e5c0dc6ae18508087c68e67de66896cc11659807ef54305fc4cac8c15626eb013ae62795143b044d87b94c8721b
SSDEEP

786432:HpP1TvbDChk+IOyS5Lir9d+woWNo9khkO5yajOAEbPA0GVRbJuah60m1G3Zr0rH:JtrnCFySCd2WhhkO5yuBwY0GVxjh60Cf

Score

10^/10

raccoon d4dfe058bb722373a292317097b425f0 discovery persistence stealer

Malware Config

Extracted

Family

raccoon

Botnet

d4dfe058bb722373a292317097b425f0

http://37.49.230.152:80

http://37.49.230.219:80

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 4 IoCs

resource	yara_rule
behavioral2/memory/4920-64-0x0000000000400000-0x00000000021D1000-memory.dmp	family_raccoon_v2
behavioral2/memory/4920-63-0x0000000000400000-0x00000000021D1000-memory.dmp	family_raccoon_v2
behavioral2/memory/4920-81-0x0000000000400000-0x00000000021D1000-memory.dmp	family_raccoon_v2
behavioral2/memory/4920-82-0x0000000000400000-0x00000000021D1000-memory.dmp	family_raccoon_v2

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SpybotAntiBeaconInterceptor\ImagePath = "C:\\Program Files (x86)\\Safer-Networking Ltd\\Spybot Anti-Beacon\\x64\\Spybot3AntiBeaconService.exe --run"	SpybotAntiBeacon-4.1-setup.tmp

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	SpybotAntiBeacon-4.1-setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	SpybotAntiBeacon-4.1-setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Spybot3AntiBeacon.exe

Executes dropped EXE 6 IoCs

pid	Process
4092	SpybotAntiBeacon-4.1-setup.exe
4920	rywbeadtvbwehnp.exe
4824	SpybotAntiBeacon-4.1-setup.exe
2836	SpybotAntiBeacon-4.1-setup.tmp
944	Spybot3AntiBeacon.exe
916	Spybot3AntiBeacon.exe

Loads dropped DLL 8 IoCs

pid	Process
2836	SpybotAntiBeacon-4.1-setup.tmp
944	Spybot3AntiBeacon.exe
944	Spybot3AntiBeacon.exe
916	Spybot3AntiBeacon.exe
916	Spybot3AntiBeacon.exe
916	Spybot3AntiBeacon.exe
916	Spybot3AntiBeacon.exe
916	Spybot3AntiBeacon.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-CNQRK.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-7LGRI.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x86\is-RRO5K.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-DF0R5.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-PU44J.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-J2KRI.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x64\is-HN8K3.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-19IVR.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-VAV9B.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-KJ8IM.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-UJ6MH.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-D88OU.tmp	SpybotAntiBeacon-4.1-setup.tmp
File opened for modification	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x64\libcrypto-1_1.dll	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-9MD26.tmp	SpybotAntiBeacon-4.1-setup.tmp
File opened for modification	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\Spybot3AntiBeacon.exe	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-CMB3D.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-A3TJG.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\fonts\is-AGBRL.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x86\is-HGO2G.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-CGPG4.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x64\is-FKBKD.tmp	SpybotAntiBeacon-4.1-setup.tmp
File opened for modification	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\unins000.dat	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-QHKEN.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\help\is-0B079.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-A6MN5.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-BKPHL.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-KBSA3.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-EHSAD.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-N7DN9.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-0HG9I.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x86\is-8C3OV.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x64\is-KU9T0.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x86\is-JJLPN.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-GFQBL.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\help\is-4897O.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\img\is-6T2NT.tmp	SpybotAntiBeacon-4.1-setup.tmp
File opened for modification	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x64\Spybot3.AntiBeacon64.dll	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-640IF.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-RIOKQ.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\is-RIP8P.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-AK67A.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-783M9.tmp	SpybotAntiBeacon-4.1-setup.tmp
File opened for modification	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x64\ssleay32.dll	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-EN8BK.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-164US.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\<$LOCALAPPDATA>\Safer-Networking Ltd\Spybot Anti-Beacon\Spybot3AntiBeacon.log	Spybot3AntiBeacon.exe
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-L1M2F.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-796V4.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\fonts\is-JDR9G.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-FOKJV.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x64\is-UP089.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x86\is-F3SD0.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-O91B0.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-2DTMO.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-QE5D8.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-8V38P.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-00SJI.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-RVGH1.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-T6Q7F.tmp	SpybotAntiBeacon-4.1-setup.tmp
File opened for modification	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x86\Spybot3.AntiBeacon32.dll	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-M1RM4.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-8JMO0.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-FR0N9.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\is-ADCD1.tmp	SpybotAntiBeacon-4.1-setup.tmp

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File created	C:\Windows\PolicyDefinitions\is-5L7A9.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Windows\PolicyDefinitions\is-83IGR.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Windows\PolicyDefinitions\en-US\is-7UMFR.tmp	SpybotAntiBeacon-4.1-setup.tmp
File created	C:\Windows\PolicyDefinitions\en-US\is-NDE25.tmp	SpybotAntiBeacon-4.1-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Safer Networking Limited\Localization	Spybot3AntiBeacon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Safer Networking Limited\Localization\C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\ = "en_IE"	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Safer Networking Limited\Localization	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\.DEFAULT	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Safer Networking Limited	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Safer Networking Limited\Localization\	Spybot3AntiBeacon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Safer Networking Limited\Localization\C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\ = "en_IE"	Spybot3AntiBeacon.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software	Spybot3AntiBeacon.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft	Spybot3AntiBeacon.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4920	rywbeadtvbwehnp.exe
4920	rywbeadtvbwehnp.exe
2836	SpybotAntiBeacon-4.1-setup.tmp
2836	SpybotAntiBeacon-4.1-setup.tmp
768	msedge.exe
768	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeChangeNotifyPrivilege	916	Spybot3AntiBeacon.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2836	SpybotAntiBeacon-4.1-setup.tmp
916	Spybot3AntiBeacon.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4920	rywbeadtvbwehnp.exe
4824	SpybotAntiBeacon-4.1-setup.exe
2836	SpybotAntiBeacon-4.1-setup.tmp
944	Spybot3AntiBeacon.exe
916	Spybot3AntiBeacon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 4092	860	8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058.exe	92
PID 860 wrote to memory of 4092	860	8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058.exe	92
PID 4092 wrote to memory of 216	4092	SpybotAntiBeacon-4.1-setup.exe	95
PID 4092 wrote to memory of 216	4092	SpybotAntiBeacon-4.1-setup.exe	95
PID 4092 wrote to memory of 4920	4092	SpybotAntiBeacon-4.1-setup.exe	97
PID 4092 wrote to memory of 4920	4092	SpybotAntiBeacon-4.1-setup.exe	97
PID 4092 wrote to memory of 4920	4092	SpybotAntiBeacon-4.1-setup.exe	97
PID 4092 wrote to memory of 1692	4092	SpybotAntiBeacon-4.1-setup.exe	98
PID 4092 wrote to memory of 1692	4092	SpybotAntiBeacon-4.1-setup.exe	98
PID 4092 wrote to memory of 4824	4092	SpybotAntiBeacon-4.1-setup.exe	100
PID 4092 wrote to memory of 4824	4092	SpybotAntiBeacon-4.1-setup.exe	100
PID 4092 wrote to memory of 4824	4092	SpybotAntiBeacon-4.1-setup.exe	100
PID 4824 wrote to memory of 2836	4824	SpybotAntiBeacon-4.1-setup.exe	102
PID 4824 wrote to memory of 2836	4824	SpybotAntiBeacon-4.1-setup.exe	102
PID 4824 wrote to memory of 2836	4824	SpybotAntiBeacon-4.1-setup.exe	102
PID 2836 wrote to memory of 944	2836	SpybotAntiBeacon-4.1-setup.tmp	113
PID 2836 wrote to memory of 944	2836	SpybotAntiBeacon-4.1-setup.tmp	113
PID 2836 wrote to memory of 944	2836	SpybotAntiBeacon-4.1-setup.tmp	113
PID 2836 wrote to memory of 916	2836	SpybotAntiBeacon-4.1-setup.tmp	115
PID 2836 wrote to memory of 916	2836	SpybotAntiBeacon-4.1-setup.tmp	115
PID 2836 wrote to memory of 916	2836	SpybotAntiBeacon-4.1-setup.tmp	115
PID 916 wrote to memory of 3000	916	Spybot3AntiBeacon.exe	116
PID 916 wrote to memory of 3000	916	Spybot3AntiBeacon.exe	116
PID 3000 wrote to memory of 640	3000	msedge.exe	117
PID 3000 wrote to memory of 640	3000	msedge.exe	117
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118
PID 3000 wrote to memory of 4064	3000	msedge.exe	118

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\	Spybot3AntiBeacon.exe

C:\Users\Admin\AppData\Local\Temp\8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058.exe
"C:\Users\Admin\AppData\Local\Temp\8ca229e0d2c917dfb65a6ad3fdc9bb1e842aca544c944206b76c80fe2165e058.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\System32\expand.exe
    "C:\Windows\System32\expand.exe" rywbeadtvbwehnp.jpg rywbeadtvbwehnp.exe
    3⤵
    - Drops file in Windows directory
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe
    "C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4920
- - C:\Windows\System32\expand.exe
    "C:\Windows\System32\expand.exe" SpybotAntiBeacon-4.1-setup.jpg SpybotAntiBeacon-4.1-setup.exe
    3⤵
    - Drops file in Windows directory
    PID:1692
- - C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe
    "C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\is-MDJRS.tmp\SpybotAntiBeacon-4.1-setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-MDJRS.tmp\SpybotAntiBeacon-4.1-setup.tmp" /SL5="$70214,19094942,805888,C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe"
      4⤵
      Sets service image path in registry
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\Spybot3AntiBeacon.exe
        
        "C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\Spybot3AntiBeacon.exe" /setuptask /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies data under HKEY_USERS
        Suspicious use of SetWindowsHookEx
        
        PID:944
    - - C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\Spybot3AntiBeacon.exe
        
        "C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\Spybot3AntiBeacon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.safer-networking.org/slingshot.php?source=antibeacon&version=4.1.0.0&module=Spybot3AntiBeacon&dest=buy
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffb40de46f8,0x7ffb40de4708,0x7ffb40de4718
        7⤵
        
        PID:640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,1875710403087074041,6285946609365113871,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
        7⤵
        
        PID:4064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,1875710403087074041,6285946609365113871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,1875710403087074041,6285946609365113871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
        7⤵
        
        PID:1780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,1875710403087074041,6285946609365113871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        7⤵
        
        PID:556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,1875710403087074041,6285946609365113871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        7⤵
        
        PID:516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\Spybot3AntiBeacon.exe

Filesize
10.3MB

MD5
762d71713f46eba2551878ddbb1e8c1e

SHA1
e7115506d8351db27638a51efabcecd962a4ceec

SHA256
c26dad24ef55de61d9c6539c00837bc515e4eb7a21da5943b170723d8be8ab94

SHA512
357b97dfc16867aedd3f6ec0c31d9adefb2582b2071f83782dd946bd6081533886e826af10a4066e761a4e99ff23ea86042dcb12ddc181da0f6428974204f421

Download Submit
C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\Spybot3AntiBeacon.exe

Filesize
5.7MB

MD5
708becaa266caa40b7388e72bb06568d

SHA1
8e93e29f44e5ae17730cc6233b14e366847cc95d

SHA256
8a718c3911ddf9a6a153107421eaee4405d6cbb190a76ec9b42f3150c8560c1c

SHA512
410957cb6097f44a1cf699a962f9b2eac34520ff463bdbd335f648b2c18efcd348ea5e42b06b99706f81711f245a3a998deba64c5f80b75a5c70c13e5ea7ab72

Download Submit
C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\Spybot3AntiBeacon64.exe

Filesize
12.7MB

MD5
24b76bf60ad6450528867f7e95be6551

SHA1
23ce976a6d9e933a82959e1bd047575018ed3e23

SHA256
45e14ff7cec4010a739f83d8aa24bb6bf425d5a1938611e30ae1175f3f70ad42

SHA512
14db6c445a3fe62811f1d0a35c09a76e0905340b300e537df14f2f105a3ed83928b60da1b23c493bcbe01011652dbbec63aeab02ac7e0e13e7502b2baa1bcb4c

Download Submit
C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\img\appicon.png

Filesize
4KB

MD5
fdd276db8db07d41b41c321429fc5e49

SHA1
df21ed50e348e0db83747d1d53ed492482d3b0ee

SHA256
6efbb9aff33e386c274534abdf31d41d68a9c7499a3613bf58a45a7243b8e411

SHA512
76d7c1ebc465ba82d7d65c5732d19b105eaa692a771265a66a894d5e2f6ddc90d5d4cf46527fe2135f608470dc68bbec051319c17bd58dbbe2b7688a824c51a6

Download Submit
C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\locale\fonts.lst

Filesize
27B

MD5
0ff75269e8d1c67fdeec972b116dd1c0

SHA1
ef639f0b7d78e7a4534e2ec7e5a4b4d2a1d86aaf

SHA256
483d8966c872f991242ead793377cbbc3d9422e02e27b32104194ed99ec66e90

SHA512
a42ab74298da2fc2047c4eaea53e363130890abb2ddc824fa95f0e94a7bbda6603516abcaeba3eade761247a779815e66b52bb0e04e1810cd8a357ef42a05e5e

Download Submit
C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x86\Spybot3.AntiBeacon32.dll

Filesize
2.9MB

MD5
dcabaf8dae7bcb20d393efc2fe3595d5

SHA1
36a7a63f20c2d68526f733f4881ca533059b9374

SHA256
3032ee46276eb7979878f03b78bf827214ce316c2093817ce8e8dadc5fa5385f

SHA512
4a8d690b6636817f2f11de90800ba1bb56fb074629bba81e98d142c9b6d21ea96bff838bf19ba64861f331b15552ff51a16c7d3acdd4f67cc45eb8bf98b1dc9d

Download Submit
C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x86\libcrypto-3.dll

Filesize
3.2MB

MD5
48abe0465a6a69d760dd3d59655fff23

SHA1
bc2cb8d5a886ce98ad88b7d38d5a0d5b3ad173a8

SHA256
a26cb02c31b10156a47e7c2223c95b86a34995013439bf9b7710e448207da012

SHA512
fde763e7a6792c277226d3c29a3206ecb0d437e26edf3b7926ee5136a9f22f01cb0fe79492d17b1043da2ba166f949945734d74c566906d60ab949043c84b7a6

Download Submit
C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x86\libeay32.dll

Filesize
1.3MB

MD5
fa5def992198121d4bb5ff3bde39fdc9

SHA1
f684152c245cc708fbaf4d1c0472d783b26c5b18

SHA256
5264a4a478383f501961f2bd9beb1f77a43a487b76090561bba2cbfe951e5305

SHA512
4589382a71cd3a577b83bab4a0209e72e02f603e7da6ef3175b6a74bd958e70a891091dbdff4be0725baca2d665470594b03f074983b3ed3242e5cd04783fdba

Download Submit
C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x86\libssl-3.dll

Filesize
791KB

MD5
b8693daed0418faa22611a7c24a71ef0

SHA1
2601429c021cb3784b89dffc991989865596c2b3

SHA256
12cb99a3efbe531b7259f5d1d1c7b0253a5c8e004846b71c1b799dd609867ffb

SHA512
cacd4c1c8d7faf20b02837cb032590bae08a16a790804e83b2b79314cf8412aa11bb3b0d9dde365221835d99159dd9f194105566c2fdf3bd5db26f0273eb8681

Download Submit
C:\Program Files (x86)\Safer-Networking Ltd\Spybot Anti-Beacon\x86\sqlite3.dll

Filesize
2.4MB

MD5
47244b9d6d8aabd808c9307bb5bd6b8d

SHA1
9e33bd7aeb290df30ad0453063a9904eefa1d4af

SHA256
59ae0154b0e004b9ace29e22c969594fe9f2e94965bb0368c4c126befd3e27d7

SHA512
c91cce3aee59372d67e498845442e03222848a88d07db46e354987beb40e3ec515c1aa588f8be0b977ea66012aa7c2b56aceffb0ec55c7516cc5cb20dcd1a19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1eb86108cb8f5a956fdf48efbd5d06fe

SHA1
7b2b299f753798e4891df2d9cbf30f94b39ef924

SHA256
1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

SHA512
e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f35bb0615bb9816f562b83304e456294

SHA1
1049e2bd3e1bbb4cea572467d7c4a96648659cb4

SHA256
05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

SHA512
db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
818f2776438ce752b7f348a26a4519d3

SHA1
a0bf1ec571981bc843d5a0b33da600efae3678ad

SHA256
d1cf3013f2ee90c92a5de5acfd174cb23c4f25296de59532c1db26e29ee65b58

SHA512
34bb816b696a592430f4285d7e793d62cf6beddef61ca0cfabaac73e45eca5fc0954b38e0e31770e3fe07f9af15f9d6275f5c78ab293fe0916cceb64b071e68b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3bfe62ac5d74f7b738ac33e4d1647a4

SHA1
d57c09f68d1ff23221a900477e4663f4cfa15992

SHA256
1282b316f3fbaa337264bd4c7ccdf81366c1e660426718052d1ed3e2716dd5c6

SHA512
7ec0ce97da4acd25bdc79651f22ea706698056dafdfb5335f72d6a836a91341963b08d6679cac3ae793c8b5768709cdcbd7c2dbfc97069a781139f6f40d4ab55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
70ba4e8a5ffd8506a39073920c8b2c2d

SHA1
09661361908a247758ae1ea162d06101fdafa0d2

SHA256
cd3ef24062524daf4fc9022da6f07138c9460913201404857e43f3dcd64bef08

SHA512
a96f932f4f067a5cbc9a273a9330f88d176f99d31f733f7e94a8679b5794ce243f5ca6444abffa4dc7a51c771d0376d506982926f9a6c458a011822aad505f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe

Filesize
306KB

MD5
35d3fbf42a5e7298d9de86f55cbe7469

SHA1
9c6a2146f10f9061d1c55c27a4ba8b7d5729a4e5

SHA256
043c26acdac73cf86e3b1b14905a9c2d078966be92c675534babed3a02af8743

SHA512
550286509c02487fd16b80b064a669f3772d2cc2ef734c71a0192462715bdf05a31f3942d599c7d62a24311b8ddfcf40c13204867a77f5878f2c9193068f8c22

Download Submit
C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe

Filesize
2.2MB

MD5
481c76759060fcec8380e6c22e7ccef3

SHA1
da627fa5131bd712e7569fad14ab57fbc0f796b6

SHA256
f7c4baaad7da9ed5c993918b0abc208f0921a26e7c075a174942548430e0b78e

SHA512
698fc8c61cde71deffe05d32655e9d3468bb41799a0876039f5762cda96983701b4a878a452fc07036698aeecafb4e3eebcd7e327e842386be70ba41cc681824

Download Submit
C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe

Filesize
2.2MB

MD5
b4a5bac9e1b3dc3435192691998ece4a

SHA1
f2f5248e190eba3c7d5411654a42c24bc6c1a445

SHA256
d132b7423d4435063109fb98b51ace1eeaa1b9e02eea5f1c9eb12fe477578a3b

SHA512
8f1e7324844477059ea7fc9ec2dc096ddcfef44102af1f6c982fa24beaa0ed93ae6bd46682e157d9dfb42fff4e0ec937a79b1a829b09f43e7a209ac8a255745e

Download Submit
C:\Users\Admin\AppData\Local\SpybotAntiBeacon-4.1-setup.exe

Filesize
1.9MB

MD5
11bdaa8fffcdfb434cd40075d4c6298e

SHA1
86dbf3ac800dcffb65bf93015b3cca670d1a7586

SHA256
bb6df7db10b9cdf782e7223269e8a70c850a94806ad79d253c76f04b75f9da7c

SHA512
d27c54f90d77ec6f03f7820bbe3089237a77a3ad8fe2e4dcf53635d4a77391d1e8807942f22be4bc7e94393167df567c53bea7887ae682afced3671889c22067

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe

Filesize
3.9MB

MD5
c03bb96df0d7b50f86f4b876cea3414c

SHA1
bf73a0d3387629b361adca8b76c8fb50bd955a55

SHA256
26b7ccf1697dca05441e1bdb6a350514b3beb4efb7aa97ce8d6ea9ac5e84b8ca

SHA512
f568871f989a5a7997085d144f13c418e235e1a5d90b27c24eb0c2763f26a6bd458f40c830708c9d4d3094bea4e8ca69fa23f69200b75bfe6a3046ce07b608d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe

Filesize
4.3MB

MD5
903b8dcb1c0cb661a8a2c2aee9378b99

SHA1
07224fa864b7531194bdede2019d33823bdb3438

SHA256
23fa4c42c253656d3906388644bbfc0f5bcef2b34edf4ec5372563128ddb836f

SHA512
78ff48069f019b78fa4a2ef5bd74f12351084b3993d335d7ee1de097d99d4205d537c16b55c1631f67cd81f558e0de9e5a22b7a60d085304499247719243b201

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpybotAntiBeacon-4.1-setup.exe

Filesize
208KB

MD5
c4686481c41b57110b808098644b7dd6

SHA1
b8ef94e7e33327ea4afc6fe9ed9c9e3522f706ca

SHA256
eba256fa6ff5ef41781e3c8a8a89b4e6a4d2631cbc2e188437e2c229825d0ee6

SHA512
6da84661296d69eb44dbeab1346438e33fd843b8db1b6eaf724cff516bbd2ee2171fb302a772ca259c7e9b6183a1edbc675c1f26f89f42ce79ead19ef77b1d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DGOFU.tmp\WorkSans-Regular.ttf

Filesize
130KB

MD5
2291c47bc482691e572457b01328a926

SHA1
4dd313c3d962d08808202bb23b9d8b4a0d395609

SHA256
a3ef374a1b2613ed6eaeb86408ebb1928bfa1b73a1f18cadcbd8760995a304c2

SHA512
0077d1248d9063a28ae613e0713bf753db20cbb4205ee600e66e249136c0d46b39562d426207052df8f803aae0f111fe6e465812ceb0d962890963e7fce6727b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DGOFU.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MDJRS.tmp\SpybotAntiBeacon-4.1-setup.tmp

Filesize
1.3MB

MD5
ea62c33377758281d3d9f6791acb9af2

SHA1
e5efc8fa7b3b9dd8c0d6340dc5676e032886fe15

SHA256
dbbaf3043c6e33c482d6fc36197f264137b38d05a29ad31b7523b67f470032ca

SHA512
d408c31808d5924ccf88e150cab9451a4e4a86a3c2cb248df925be1e5010bdb707f4aaf9e53f567af569a4caf2166a9bbb43e7ad0f83bed8aa575d46ff988234

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MDJRS.tmp\SpybotAntiBeacon-4.1-setup.tmp

Filesize
1.6MB

MD5
70cdd2ce082cdd29f6314a4ddb172397

SHA1
8d4962cdd674df5c113c42ededeabc62ba622d56

SHA256
38dfec9a3f54bb2e8e7d0148a4c9b570f307570de4ee3ccad9390af080ac0ab9

SHA512
12041640f93dd7df8633b9e601c7e5a7b32d31c9dff8995132d5fdac5a3e5f6966d326cfddf469bb0f5df0df83d8cffed45b1f810ed478afbfd0b52bb593a63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe

Filesize
1.9MB

MD5
2694edd9b6a478767924e3a8de2e5b5f

SHA1
85c73801782f6161b6e5581d70be191c6e264896

SHA256
d124191b44e7b1abaccc0c1f79f707df3b07d547cb83e46bb4467a250bff33d6

SHA512
41a9bcd51e1bdddecbb00033dc6cb6c0e57fbbd52986d0fa86119f33a3dc5189127c18200b8dc5c5a7877ce3edf35ec911a89db964f306c230d0bc9fd50775db

Download Submit
C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe

Filesize
1.5MB

MD5
d892020a54121231362fa63abb6e12e6

SHA1
c8116cb638584aecccdec8b6aec9e5103918c040

SHA256
7adf9ea25baa148088464b9704b1167daaaa3ef0a2eca24c68b49cada0933567

SHA512
4239a777df92774f68158099cf598d90dfd7ca089224c88c990b9e725b5f8b60a743aa6261961341d78c064e120c440bcc30f7bd1ba6c843f6a908e4e7d3aaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe

Filesize
718KB

MD5
b7f2631b53b743f08f86898f42eb2e62

SHA1
78a0e04a0364eb46046785976ba827b82975684b

SHA256
d5ca3800e51048207f243a813f11f0a9d683fa18bb1b89c56b34485af147d68b

SHA512
ea11fef635c4bf18118f5eda4794fc0780adee14df351cb759ab3d9d6d0fd8ed3940980b62836139d2c287f446efd1ec954f8e28c1221c0084d2159ee18945fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.exe

Filesize
1.1MB

MD5
034a99cb9cb095a524e4d7ea1f153c71

SHA1
55f23a64f60f2ef23cdcf783d4ebd2ec94186f8a

SHA256
34ad4c4cc0cc9a1ac0e291973eaa7bb0a9192f3e44ecfcf42a965edb2166619d

SHA512
8b24ac9b6514d2a24855b9317d99151ff8cb80e85597b7caf68903b52b6172d4c71b986f657768d5bf8860f949cafc238e8a8155e78e0c612f0ba968bfdec93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rywbeadtvbwehnp.jpg

Filesize
2.4MB

MD5
1cc903476e37537ab488dfcb07fb926f

SHA1
bb4d0d6c240bbb5eb8c2855eea5ac75f89e4f2ce

SHA256
211756be9a0ff19f11e98ad59abaa6f1b29932cfd25fee6003f07369ed832892

SHA512
f1e6423b3485fd876568e28e6a4c1cbffb078e3589cf977d4666f806bffeba2d2f3e4a2daf5ea5a28ab48370075d12da3fe3b63031a1f599dde8f7cc1d5d0d64

Download Submit
C:\Users\Admin\AppData\Local\spybotantibeacon-4.1-setup.jpg

Filesize
470KB

MD5
856de59711be75182e04cb92fa3026b3

SHA1
05463b8e80e69497774c59a2e09b0b85b009e48e

SHA256
a94ce8352fe1751a33325189570973534a750fcad4368a85ce50881fe44f4882

SHA512
78b1794e4f544184565061bd5d6f8cfaa239b48fdc08f5af7cd0323a0b2977bf2af30bd2b6238165fd0c976448dc4c6fbd12c39102eb380718aaa466a4d9ac87

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
169KB

MD5
0c9938b1f308e712a3234843ea1433c6

SHA1
07c21c7afb56c4dc7a331afb2b55934848206e34

SHA256
fd3ce2c91c5be6b556506ae3fa624ba249883652275b191d18558619641f88b1

SHA512
e559b8525c6f1fc6bd51cc0bb668873be3555adf35404bcd7764770341f9fe82bc6117535b21a7c46bab1e5e16ea8a697cf617d614134b212fd49ea42fc3cec5

Download Submit
memory/2836-61-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2836-529-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/2836-84-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/2836-80-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2836-79-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/2836-77-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4092-13-0x0000000000AD0000-0x0000000003132000-memory.dmp

Filesize
38.4MB

Download
memory/4092-56-0x00007FFB42350000-0x00007FFB42E11000-memory.dmp

Filesize
10.8MB

Download
memory/4092-14-0x000000001DD60000-0x000000001DD70000-memory.dmp

Filesize
64KB

Download
memory/4092-12-0x00007FFB42350000-0x00007FFB42E11000-memory.dmp

Filesize
10.8MB

Download
memory/4824-76-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4824-54-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4824-530-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4920-64-0x0000000000400000-0x00000000021D1000-memory.dmp

Filesize
29.8MB

Download
memory/4920-63-0x0000000000400000-0x00000000021D1000-memory.dmp

Filesize
29.8MB

Download
memory/4920-82-0x0000000000400000-0x00000000021D1000-memory.dmp

Filesize
29.8MB

Download
memory/4920-62-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/4920-81-0x0000000000400000-0x00000000021D1000-memory.dmp

Filesize
29.8MB

Download