Malware Analysis Report

2024-11-30 04:12

Sample ID 240408-bpwx9sce65
Target c6e62f27891318bd89fd04ad922073380567a73c53b8909725ffd18495305404
SHA256 c6e62f27891318bd89fd04ad922073380567a73c53b8909725ffd18495305404
Tags
upx spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c6e62f27891318bd89fd04ad922073380567a73c53b8909725ffd18495305404

Threat Level: Known bad

The file c6e62f27891318bd89fd04ad922073380567a73c53b8909725ffd18495305404 was found to be: Known bad.

Malicious Activity Summary

upx spyware stealer

UPX dump on OEP (original entry point)

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 01:19

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 01:19

Reported

2024-04-08 01:22

Platform

win7-20240221-en

Max time kernel

121s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6e62f27891318bd89fd04ad922073380567a73c53b8909725ffd18495305404.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0296ED47\setup-stub.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000d82b6e58855179ecda3582ab32d96bba10c25681248533fd571d3b5928ce47b1000000000e8000000002000020000000e1462a62f07b6d05da8f4859c3860035f40e04e1acd4313cdac1df3a31718c4420000000614f96a0aa2483196db29f6ee3a4e65597a3e66ba1fdb07f563acc6bc6f1c89a40000000c4e7993764ed56568cfcd89431002e8d6d549fc3228da20ebfa8228e52a07816e47f9af86aed9ec109c13bba7ef140fb8919a2a249e6354cfab73e4e6d596deb C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418701078" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{23785AB1-F546-11EE-8D50-4A4F109F65B0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60516dfb5289da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\c6e62f27891318bd89fd04ad922073380567a73c53b8909725ffd18495305404.exe C:\Users\Admin\AppData\Local\Temp\7zS0296ED47\setup-stub.exe
PID 1208 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\7zS0296ED47\setup-stub.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1956 wrote to memory of 2008 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\c6e62f27891318bd89fd04ad922073380567a73c53b8909725ffd18495305404.exe

"C:\Users\Admin\AppData\Local\Temp\c6e62f27891318bd89fd04ad922073380567a73c53b8909725ffd18495305404.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0296ED47\setup-stub.exe

.\setup-stub.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.mozilla.org/firefox/system-requirements/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.mozilla.org udp
GB 13.224.77.115:443 www.mozilla.org tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

memory/2336-0-0x0000000000400000-0x0000000000446000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0296ED47\setup-stub.exe

\Users\Admin\AppData\Local\Temp\nse5311.tmp\System.dll

memory/2336-14-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabABAA.tmp

C:\Users\Admin\AppData\Local\Temp\CabAC98.tmp

C:\Users\Admin\AppData\Local\Temp\TarAD1A.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.dat

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\favicon-196x196.59e3822720be[1].png

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 01:19

Reported

2024-04-08 01:22

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6e62f27891318bd89fd04ad922073380567a73c53b8909725ffd18495305404.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\nsp4539.tmp C:\Users\Admin\AppData\Local\Temp\7zS0D3E0A47\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nsp453A.tmp C:\Users\Admin\AppData\Local\Temp\7zS0D3E0A47\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nsp4539.tmp\ C:\Users\Admin\AppData\Local\Temp\7zS0D3E0A47\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nsp453B.tmp C:\Users\Admin\AppData\Local\Temp\7zS0D3E0A47\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nsp453C.tmp C:\Users\Admin\AppData\Local\Temp\7zS0D3E0A47\setup-stub.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nsp453B.tmp\ C:\Users\Admin\AppData\Local\Temp\7zS0D3E0A47\setup-stub.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0D3E0A47\setup-stub.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0D3E0A47\setup-stub.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c6e62f27891318bd89fd04ad922073380567a73c53b8909725ffd18495305404.exe

"C:\Users\Admin\AppData\Local\Temp\c6e62f27891318bd89fd04ad922073380567a73c53b8909725ffd18495305404.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0D3E0A47\setup-stub.exe

.\setup-stub.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2252 -ip 2252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 2480

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 product-details.mozilla.org udp
US 13.33.52.21:443 product-details.mozilla.org tcp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
GB 52.84.137.125:80 ocsp.r2m02.amazontrust.com tcp
US 8.8.8.8:53 21.52.33.13.in-addr.arpa udp
US 8.8.8.8:53 24.19.162.3.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 44.143.84.52.in-addr.arpa udp
US 8.8.8.8:53 125.137.84.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

memory/5072-0-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0D3E0A47\setup-stub.exe

C:\Users\Admin\AppData\Local\Temp\nsj4518.tmp\CityHash.dll

C:\Users\Admin\AppData\Local\Temp\nsj4518.tmp\UserInfo.dll

C:\Users\Admin\AppData\Local\Temp\nsj4518.tmp\UAC.dll

C:\Users\Admin\AppData\Local\Temp\nsj4518.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsj4518.tmp\InetBgDL.dll

C:\Users\Admin\AppData\Local\Temp\nsj4518.tmp\WebBrowser.dll

C:\Users\Admin\AppData\Local\Temp\nsj4518.tmp\profile_cleanup.html

C:\Users\Admin\AppData\Local\Temp\nsj4518.tmp\stub_common.js

C:\Users\Admin\AppData\Local\Temp\nsj4518.tmp\profile_cleanup.js

memory/5072-76-0x0000000000400000-0x0000000000446000-memory.dmp