Analysis
-
max time kernel
99s
-
max time network
107s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240319-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240319-en locale:en-us os:windows10-2004-x64 system
-
submitted
06-04-2024 05:59
Static task
static1
Behavioral task
behavioral1
Sample
LockDownBrowser-2-0-7-06.exe
Resource
win10v2004-20240319-en
General
-
Target
LockDownBrowser-2-0-7-06.exe
-
Size
82.9MB
-
MD5
8a6a2b52ee5fa8abb515ca82ce85e25f
-
SHA1
d20911b21d20afd99e01830cfd7dcae61e5ac955
-
SHA256
37a4b947815e4d4e6a0fc46caaa7ef02dc1738beafde4924be1fd427afe1c807
-
SHA512
2cf75ac564d224e6fe7c9e3ea7522e0e49f6ad7718ed551d823ea8d5f297b8e6d6e5f3cf42a882973a6c45706454c4a80af56713abfab4c6ae56ecf3e92dcdbe
-
SSDEEP
1572864:lZ1i8lQsHqguE+9VzRtciLCUFltyuD0+cm/jKFNOOdIpOgazTHaBr+vH6ful:fTr+3Nt0Ag+9jy08IpOL/6d+P6E
Malware Config
Signatures
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\ru.7232.tmp Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\sk.7243.tmp Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\sk.pak Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\lt.pak Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\pt-PT.pak Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\lv.719C.tmp Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\sl.pak Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\da.pak Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\et.70A1.tmp Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\cef_100_percent.pak Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\d3dcompiler_47.dll Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\lib48A5.tmp Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\bg.6ED1.tmp Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\he.7124.tmp Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\pt-7211.tmp Setup.exe
File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\0x0410.ini Setup.exe
File opened for modification C:\Program Files (x86)\InstallShield Installation Information Setup.exe
File created C:\Program Files (x86)\InstallShield Installation Information\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\0x042B8.tmp Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\bg.pak Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\es-419.pak Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\fil7102.tmp Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\swiftshader\lib72EC.tmp Setup.exe
File created C:\Program Files (x86)\InstallShield Installation Information\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\dat4244.tmp Setup.exe
File created C:\Program Files (x86)\InstallShield Installation Information\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\set4274.tmp Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\lic6E6E.tmp Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\gu.7114.tmp Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\cef_extensions.pak Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\icu47E7.tmp Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\lib48C5.tmp Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\da.6F91.tmp Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\fr.pak Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\pl.pak Setup.exe
File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\setup.inx Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\cef.pak Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\th.pak Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\sv.7275.tmp Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\ta.pak Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\cef_200_percent.pak Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\libcef.dll Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\snapshot_blob.bin Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\he.pak Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\lt.719B.tmp Setup.exe
File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\0x0416.ini Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\LdbRst10.exe Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\d3d47A8.tmp Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\hu.7156.tmp Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\it.pak Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\ko.718A.tmp Setup.exe
File created C:\Program Files (x86)\InstallShield Installation Information\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\0x042A7.tmp Setup.exe
File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\setup.ini Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\de.pak Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\fa.pak Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\fil.pak Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\nl.71EF.tmp Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\sw.pak Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\tr.72B8.tmp Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\LockDownBrowser.dll Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\chr47A7.tmp Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\es-7051.tmp Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\locales\es.pak Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\cef4785.tmp Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\locales\am.6E91.tmp Setup.exe
File opened for modification C:\Program Files (x86)\Respondus\LockDown Browser\LockDownBrowser.exe Setup.exe
File created C:\Program Files (x86)\Respondus\LockDown Browser\sna6E6F.tmp Setup.exe
-
Executes dropped EXE 13 IoCs
pid Process
3640 Setup.exe
3728 Setup.exe
4280 ISBEW64.exe
636 ISBEW64.exe
3252 ISBEW64.exe
2532 ISBEW64.exe
2636 ISBEW64.exe
3308 ISBEW64.exe
4100 ISBEW64.exe
1284 LockDownBrowser.exe
5892 LdbRst10.exe
6040 LockDownBrowser.exe
6140 LdbRst10.exe
-
Loads dropped DLL 12 IoCs
pid Process
3728 Setup.exe
3728 Setup.exe
3728 Setup.exe
3728 Setup.exe
3728 Setup.exe
3728 Setup.exe
1284 LockDownBrowser.exe
1284 LockDownBrowser.exe
1284 LockDownBrowser.exe
6040 LockDownBrowser.exe
6040 LockDownBrowser.exe
6040 LockDownBrowser.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Modifies registry class 13 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rldb\URL Protocol Setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\rldb\DefaultIcon Setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Respondus2 Setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Respondus2\ldbsk = "353814262" Setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Respondus2\ldbver = "2.0.7.06" Setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rldb\ = "URL:Respondus LockDown Browser" Setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Respondus2\ldbvernum = "20706" Setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rldb\shell\open\command\ = "\"C:\\Program Files (x86)\\Respondus\\LockDown Browser\\LockDownBrowser.exe\" \"%1\"" Setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\rldb\shell Setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\rldb\shell\open Setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\rldb\shell\open\command Setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\rldb Setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rldb\DefaultIcon\ = "LockDownBrowser.exe" Setup.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
1284 LockDownBrowser.exe
1284 LockDownBrowser.exe
6040 LockDownBrowser.exe
6040 LockDownBrowser.exe
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process
Token: SeBackupPrivilege 4532 vssvc.exe
Token: SeRestorePrivilege 4532 vssvc.exe
Token: SeAuditPrivilege 4532 vssvc.exe
Token: SeBackupPrivilege 5104 srtasks.exe
Token: SeRestorePrivilege 5104 srtasks.exe
Token: SeSecurityPrivilege 5104 srtasks.exe
Token: SeTakeOwnershipPrivilege 5104 srtasks.exe
Token: SeBackupPrivilege 5104 srtasks.exe
Token: SeRestorePrivilege 5104 srtasks.exe
Token: SeSecurityPrivilege 5104 srtasks.exe
Token: SeTakeOwnershipPrivilege 5104 srtasks.exe
Token: SeBackupPrivilege 1284 LockDownBrowser.exe
Token: SeSecurityPrivilege 1284 LockDownBrowser.exe
Token: SeDebugPrivilege 1284 LockDownBrowser.exe
Token: SeBackupPrivilege 6040 LockDownBrowser.exe
Token: SeSecurityPrivilege 6040 LockDownBrowser.exe
Token: SeDebugPrivilege 6040 LockDownBrowser.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
3728 Setup.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process
1284 LockDownBrowser.exe
1284 LockDownBrowser.exe
1284 LockDownBrowser.exe
1284 LockDownBrowser.exe
1284 LockDownBrowser.exe
5892 LdbRst10.exe
6040 LockDownBrowser.exe
6040 LockDownBrowser.exe
6040 LockDownBrowser.exe
6040 LockDownBrowser.exe
6040 LockDownBrowser.exe
6140 LdbRst10.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target
PID 3392 wrote to memory of 3640 3392 LockDownBrowser-2-0-7-06.exe 99
PID 3392 wrote to memory of 3640 3392 LockDownBrowser-2-0-7-06.exe 99
PID 3392 wrote to memory of 3640 3392 LockDownBrowser-2-0-7-06.exe 99
PID 3640 wrote to memory of 3728 3640 Setup.exe 100
PID 3640 wrote to memory of 3728 3640 Setup.exe 100
PID 3640 wrote to memory of 3728 3640 Setup.exe 100
PID 3728 wrote to memory of 4280 3728 Setup.exe 108
PID 3728 wrote to memory of 4280 3728 Setup.exe 108
PID 3728 wrote to memory of 636 3728 Setup.exe 109
PID 3728 wrote to memory of 636 3728 Setup.exe 109
PID 3728 wrote to memory of 3252 3728 Setup.exe 110
PID 3728 wrote to memory of 3252 3728 Setup.exe 110
PID 3728 wrote to memory of 2532 3728 Setup.exe 111
PID 3728 wrote to memory of 2532 3728 Setup.exe 111
PID 3728 wrote to memory of 2636 3728 Setup.exe 112
PID 3728 wrote to memory of 2636 3728 Setup.exe 112
PID 3728 wrote to memory of 3308 3728 Setup.exe 113
PID 3728 wrote to memory of 3308 3728 Setup.exe 113
PID 3728 wrote to memory of 4100 3728 Setup.exe 123
PID 3728 wrote to memory of 4100 3728 Setup.exe 123
PID 1284 wrote to memory of 5892 1284 LockDownBrowser.exe 129
PID 1284 wrote to memory of 5892 1284 LockDownBrowser.exe 129
PID 1284 wrote to memory of 5892 1284 LockDownBrowser.exe 129
PID 6040 wrote to memory of 6140 6040 LockDownBrowser.exe 131
PID 6040 wrote to memory of 6140 6040 LockDownBrowser.exe 131
PID 6040 wrote to memory of 6140 6040 LockDownBrowser.exe 131
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\LockDownBrowser-2-0-7-06.exe"C:\Users\Admin\AppData\Local\Temp\LockDownBrowser-2-0-7-06.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Users\Admin\AppData\Local\Temp\ldz902A\Setup.exe"C:\Users\Admin\AppData\Local\Temp\ldz902A\Setup.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Users\Admin\AppData\Local\Temp\{EE625B55-6E7B-404E-B22E-DD0FC5FC22DB}\Setup.exeC:\Users\Admin\AppData\Local\Temp\{EE625B55-6E7B-404E-B22E-DD0FC5FC22DB}\Setup.exe -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\ldz902A\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{EE625B55-6E7B-404E-B22E-DD0FC5FC22DB}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\ldz902A\Setup.exe"3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E911754A-4770-4A0B-B4E7-747B23FF3BA0}4⤵
- Executes dropped EXE
PID:4280
-
-
C:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CC114D0D-6622-443A-8F3F-A723492BB51A}4⤵
- Executes dropped EXE
PID:636
-
-
C:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E5046BE4-A908-4E25-8AE6-52B1131C1EAA}4⤵
- Executes dropped EXE
PID:3252
-
-
C:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{752E6307-9717-4560-BC3A-878E683F5FC2}4⤵
- Executes dropped EXE
PID:2532
-
-
C:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{60B9B2C1-E402-4104-9D97-93758AEA2934}4⤵
- Executes dropped EXE
PID:2636
-
-
C:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{447C8A4D-E0FC-4251-A4D8-14C69FBA6865}4⤵
- Executes dropped EXE
PID:3308
-
-
C:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exeC:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{89EA7A3B-ACDC-4F15-9676-E988A4351E72}4⤵
- Executes dropped EXE
PID:4100
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3264 --field-trial-handle=3408,i,16599691418790971742,134777455365707676,262144 --variations-seed-version /prefetch:81⤵PID:3472
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
PID:5104
-
C:\Program Files (x86)\Respondus\LockDown Browser\LockDownBrowser.exe"C:\Program Files (x86)\Respondus\LockDown Browser\LockDownBrowser.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Program Files (x86)\Respondus\LockDown Browser\LdbRst10.exe"C:\Program Files (x86)\Respondus\LockDown Browser\LdbRst10.exe" /wa1284 /f21201:3538142622⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5892
-
-
C:\Program Files (x86)\Respondus\LockDown Browser\LockDownBrowser.exe"C:\Program Files (x86)\Respondus\LockDown Browser\LockDownBrowser.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6040 -
C:\Program Files (x86)\Respondus\LockDown Browser\LdbRst10.exe"C:\Program Files (x86)\Respondus\LockDown Browser\LdbRst10.exe" /wa6040 /f21201:3538142622⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6140
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Program Files (x86)\InstallShield Installation Information\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\setup.ini
Filesize2KB
MD5b4c1ccbb04dd81dcd3b9bb50ce7c8c26
SHA1ec59c42207d02c3663063ea6276874b92ecadde4
SHA256d30298c611a7f69c6b691e55565f8d4e7e8cb2519134bc245560855edbd66b64
SHA512e09f6fafa2d4e80ec503f8d2a581267765c2bbb0337056b269b0f3283d29a2014e03e077314140437dd7b7231b1b59f22c3e765d013c3a94b09cd1b098b61cf7
-
C:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\DIFxData.ini
Filesize84B
MD51eb6253dee328c2063ca12cf657be560
SHA146e01bcbb287873cf59c57b616189505d2bb1607
SHA2566bc8b890884278599e4c0ca4095cefdf0f5394c5796012d169cc0933e03267a1
SHA5127c573896abc86d899afbce720690454c06dbfafa97b69bc49b8e0ddec5590ce16f3cc1a30408314db7c4206aa95f5c684a6587ea2da033aecc4f70720fc6189e
-
C:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\FontData.ini
Filesize37B
MD58ce28395a49eb4ada962f828eca2f130
SHA1270730e2969b8b03db2a08ba93dfe60cbfb36c5f
SHA256a7e91b042ce33490353c00244c0420c383a837e73e6006837a60d3c174102932
SHA512bb712043cddbe62b5bfdd79796299b0c4de0883a39f79cd006d3b04a1a2bed74b477df985f7a89b653e20cb719b94fa255fdaa0819a8c6180c338c01f39b8382
-
C:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\_isres_0x0409.dll
Filesize1.8MB
MD5dc1c02e272c281895c0456f358f44378
SHA1cd51129bacc9f463fc0fb09bb38eb89ece916fde
SHA2563782f17b843b4cd3245c8b751d0c23b1b34a24a64a923dbcaefc26e65fe4f69d
SHA5127d1dc68274f164b811acb08334857ab4c3c847daea1724a5ca9d2db7f1f4fff3009b9092fc8c5ccc64e2c8d57babe563d72b3c7f9f64de3c1c02c2e747ec48b5
-
C:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\_isuser_0x0409.dll
Filesize12KB
MD50381dc0105bca99d0d04c13629a86fc4
SHA1a61514a6213c3a84aacc7243ff4338552f2afe96
SHA2564a47eebb9d4ab0cb9d37551349747a8240304547bc0bd7387109d2f87a745dca
SHA5123e58fbbb6af00fecd1a4806ad0c51e1afc00fe283cc26f63a4bdd3640a31f87dc6f7cf172800aa9025793c485cea520b30eb9b7d0d3820e36364764832ff4598
-
C:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\isrt.dll
Filesize426KB
MD56142481421bd6cc14addf9606137973d
SHA197686f0e3254c3c245256ae280ed36f9457b3ec2
SHA256650d006d2f4f62d740d7d198f7febe201d3f528ee87e089958b5c4e1cd27e748
SHA51221e9bd11b931ba20dff2e30f3301fcb5fc119535a6428c175224e1a35e6c6c14b07f437a416d53787635ce8b8aa042d4dc514beed41b0575591ae79c1592993b
-
C:\Users\Admin\AppData\Local\Temp\{9598FDF7-F493-47A9-92A8-B1E3449C4AD1}\{BBC7F69B-7A94-41E9-8A4B-B55A8D06431F}\license.txt
Filesize17KB
MD53f41f4a0a4003d6fb39124dd385a9152
SHA1f12aa031a8c0c1a58cfa094afff28f025c7c4598
SHA256862e48d9117eea5d72abb9c4d3806d922c60343a21ba2152da3884d146de1366
SHA5122e281147e2ba59062fe4c7241027cd8b49025de4550528c410060ab7d7477cabb0c7560503f90008aa4424034f72c95c8ec41966b4c32a91dd3b336fb8fc4e29