dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe
Size

15.4MB
MD5

546d52168d730f9e73c5ec2ad736d72e
SHA1

0d05b40db5e023a6d77aaf28c3507bcec2a52fd7
SHA256

dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e
SHA512

5def168dbd627773cff9d079d0a24a49c1a3a81c16de1537af0cd0f9befb83d44eb27280f0a5cf0106f1d564388cfa564e081feeca8930697e0fb339e5294247
SSDEEP

393216:Y0dyfU0fkZpm+9hNN4fSCkKISCAyTkXfLH+LtKmgipYFJ:Y0dwf8pmK/GISSTkjH+LtKXipYz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe

Executes dropped EXE 3 IoCs

pid	Process
5072	rename_expert-setup.exe
3704	rename_expert-setup.tmp
1428	Replace.exe

Loads dropped DLL 2 IoCs

pid	Process
3584	regsvr32.exe
3584	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DebenuPDFLibraryLite1011.dll	rename_expert-setup.tmp
File created	C:\Windows\SysWOW64\is-EOCFR.tmp	rename_expert-setup.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\is-D30H8.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-TPBAS.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-GPSF8.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\unins000.msg	rename_expert-setup.tmp
File opened for modification	C:\Program Files (x86)\Rename Expert\ielib32.dll	rename_expert-setup.tmp
File opened for modification	C:\Program Files (x86)\Rename Expert\Languages\lngEn\help-en.chm	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-2D7CR.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-N6O85.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-875C5.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-8V962.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-CF2EN.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-3U1BR.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-R04E2.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-4G5M3.tmp	rename_expert-setup.tmp
File opened for modification	C:\Program Files (x86)\Rename Expert\Languages\lngDe\help-de.chm	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-HS6CI.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-VNRCN.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-6JQL4.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-GPSL4.tmp	rename_expert-setup.tmp
File opened for modification	C:\Program Files (x86)\Rename Expert\Rename_Expert.exe	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\is-RFD8Q.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\is-R1B3D.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-NUUMB.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-IUGM7.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-MVESL.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-VEJ1E.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-8FSN4.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-V3JO1.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-97QR3.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-HT1OJ.tmp	rename_expert-setup.tmp
File opened for modification	C:\Program Files (x86)\Rename Expert\mediainfo.dll	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-MGIKU.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-E3SEG.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-3MAU7.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-IBHIP.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\__tmp_rar_sfx_access_check_240629015	Replace.exe
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-H27BQ.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-EUHL6.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-T5I2R.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-RT4BU.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\is-V1C8M.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\is-2IQKG.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-7SFU7.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-G2GCR.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-FBV5T.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-HO4F7.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\is-D4RVN.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\is-47EO6.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-ELRIM.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-4BUBR.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-57LIF.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-O3M1L.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-IDCI6.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\ViewProfiles\is-6JVR6.tmp	rename_expert-setup.tmp
File opened for modification	C:\Program Files (x86)\Rename Expert\unins000.dat	rename_expert-setup.tmp
File opened for modification	C:\Program Files (x86)\Rename Expert\Rename_Expert.exe	Replace.exe
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-FDFOK.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngDe\Profiles\is-PG6RD.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-DRF8U.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-VDVPP.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\unins000.dat	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\is-7EVB2.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\is-2H6M8.tmp	rename_expert-setup.tmp
File created	C:\Program Files (x86)\Rename Expert\Languages\lngEn\Profiles\is-79V1H.tmp	rename_expert-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite.PDFLibrary	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\shell\open\command	rename_expert-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\shell\open\ = "Open with Rename Expert..."	rename_expert-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\TypeLib\ = "{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.RxProfile\ = "RxProfile.File"	rename_expert-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\DefaultIcon	rename_expert-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\shell\open\command\ = "\"C:\\Program Files (x86)\\Rename Expert\\Rename_Expert.exe\" \"%1\""	rename_expert-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\ = "IPDFLibrary"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\shell\open	rename_expert-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\ = "DebenuPDFLibraryLite1011.PDFLibrary Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\shell	rename_expert-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Version\ = "10.11"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite.PDFLibrary\ = "DebenuPDFLibraryLite.PDFLibrary Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File	rename_expert-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\TypeLib\Version = "a.b"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\TypeLib\ = "{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite.PDFLibrary\Clsid\ = "{91512F04-84F5-4AA4-829D-DB283C9D1625}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\InprocServer32\ = "C:\\Windows\\SysWow64\\DebenuPDFLibraryLite1011.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite.PDFLibrary\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\DefaultIcon\ = "C:\\Program Files (x86)\\Rename Expert\\Rename_Expert.exe,0"	rename_expert-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\ = "Debenu Quick PDF Library (Lite Edition) 10.11"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite1011.PDFLibrary\Clsid\ = "{91512F04-84F5-4AA4-829D-DB283C9D1625}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite1011.PDFLibrary\ = "DebenuPDFLibraryLite1011.PDFLibrary Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\ProgID\ = "DebenuPDFLibraryLite1011.PDFLibrary"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\TypeLib\ = "{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RxProfile.File\ = "Rename Expert profile file"	rename_expert-setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\0\win32\ = "C:\\Windows\\SysWow64\\DebenuPDFLibraryLite1011.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\ = "IPDFLibrary"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\TypeLib\Version = "a.b"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite1011.PDFLibrary\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AE7EA725-812A-4439-A895-E2CE95518DE4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DebenuPDFLibraryLite1011.PDFLibrary	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91512F04-84F5-4AA4-829D-DB283C9D1625}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.RxProfile	rename_expert-setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{011BCB7C-AD3C-4B06-B3C8-B9EDBF1EC362}\a.b\FLAGS	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3704	rename_expert-setup.tmp
3704	rename_expert-setup.tmp
2644	msedge.exe
2644	msedge.exe
1016	msedge.exe
1016	msedge.exe
220	identity_helper.exe
220	identity_helper.exe
5156	msedge.exe
5156	msedge.exe
5156	msedge.exe
5156	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3704	rename_expert-setup.tmp
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 5072	3792	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	87
PID 3792 wrote to memory of 5072	3792	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	87
PID 3792 wrote to memory of 5072	3792	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	87
PID 5072 wrote to memory of 3704	5072	rename_expert-setup.exe	90
PID 5072 wrote to memory of 3704	5072	rename_expert-setup.exe	90
PID 5072 wrote to memory of 3704	5072	rename_expert-setup.exe	90
PID 3704 wrote to memory of 3584	3704	rename_expert-setup.tmp	95
PID 3704 wrote to memory of 3584	3704	rename_expert-setup.tmp	95
PID 3704 wrote to memory of 3584	3704	rename_expert-setup.tmp	95
PID 3792 wrote to memory of 1428	3792	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	98
PID 3792 wrote to memory of 1428	3792	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	98
PID 3792 wrote to memory of 1428	3792	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	98
PID 3792 wrote to memory of 3856	3792	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	101
PID 3792 wrote to memory of 3856	3792	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	101
PID 3792 wrote to memory of 3856	3792	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	101
PID 3792 wrote to memory of 1016	3792	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	103
PID 3792 wrote to memory of 1016	3792	dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe	103
PID 1016 wrote to memory of 2560	1016	msedge.exe	104
PID 1016 wrote to memory of 2560	1016	msedge.exe	104
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 3800	1016	msedge.exe	105
PID 1016 wrote to memory of 2644	1016	msedge.exe	106
PID 1016 wrote to memory of 2644	1016	msedge.exe	106
PID 1016 wrote to memory of 4560	1016	msedge.exe	107
PID 1016 wrote to memory of 4560	1016	msedge.exe	107
PID 1016 wrote to memory of 4560	1016	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe
"C:\Users\Admin\AppData\Local\Temp\dc791ca65c079a5c817d717f3935bb57e960294f2199ea7e5f6b75a477df792e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rename_expert-setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rename_expert-setup.exe" /silent
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\is-G608V.tmp\rename_expert-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-G608V.tmp\rename_expert-setup.tmp" /SL5="$601F2,11018677,780800,C:\Users\Admin\AppData\Local\Temp\RarSFX0\rename_expert-setup.exe" /silent
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\DebenuPDFLibraryLite1011.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:3584
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1428
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\Software\Gillmeister Software\Rename Expert" /v "License" /t REG_SZ /d "V2085193182035237192183037234244104043026066117080131116128106145065177170179132022184054073245166163013204080103212070175188049181188118206148153030030244214022095160211001187218032226090114192038072103086237214158254140065018121181228036214101063117124050212168014179098169089135043012253085071149252144161134137094183165074197223361" /f
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cybermania.ws/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb630746f8,0x7ffb63074708,0x7ffb63074718
    3⤵
    PID:2560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
    3⤵
    PID:3800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
    3⤵
    PID:4560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:1152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:3788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
    3⤵
    PID:4944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
    3⤵
    PID:3240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
    3⤵
    PID:1824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
    3⤵
    PID:4948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
    3⤵
    PID:4720
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6524 /prefetch:8
    3⤵
    PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6524 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    3⤵
    PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
    3⤵
    PID:5260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
    3⤵
    PID:5268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,14430378464000045396,1768695637283894940,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6508 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Rename Expert\Rename_Expert.exe

Filesize
12.9MB

MD5
15a0b5e58b1e5fcaef637875c594e5e4

SHA1
816fa6e4e979b27ee6beda2105fea48694155b25

SHA256
783dc4afef960850e8c3d2b3cdfac2ff450983b435a683df225c0ecfa5fbc199

SHA512
8e95d436bb2fec4fbd9183ce97a16d9b5b444f8c967bb2c5786f1e59425f804599d69b7e31e6963861284fb527797e3916b4e005234d9bfc1fb47778ec51f43b

Download Submit
C:\Program Files (x86)\Rename Expert\Rename_Expert.exe

Filesize
5.7MB

MD5
9e997acb2e0e2b5173bdb6adae917e11

SHA1
8257d1241cbfa4eaa3f21f3251b148f050158770

SHA256
82abc7c2e3db5dae46eefe78bda2d40f0d6ef02b135a0c37b06cfaab984c2f53

SHA512
873cdeb87a8c3b36e6b3677514b6f6aba45e2e568d4282826d94a6fc41bbad8c7cb74ad8351aa07418b7b1a882124218585293a3fdbe54de47a7f8110c58d15a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36bb45cb1262fcfcab1e3e7960784eaa

SHA1
ab0e15841b027632c9e1b0a47d3dec42162fc637

SHA256
7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae

SHA512
02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
41200981099d891699b4a2093af0fb1c

SHA1
71644a314729222c4d9b34aff46150fafb668fae

SHA256
cd32f44d8b1ab57e2906c77c5a99d7a0a28c17a034325b03088a1a72947e4e5d

SHA512
b9beb0dde1498851d7363c4a74b4582e2d33d707cf44391259975171b33e4dee6ef8306731372ffb269b2ae10a5f922fba6a3ce8aa046e43080acf7756dc5a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
52e97f27f67a4248b446c7dc3a7cc3bb

SHA1
61dc6ad0749b820b2afeb3df8dfb3f0132c403ce

SHA256
92b886c353153c22eea241bbf76d379346c13412011f06aa348d4c0f595c1344

SHA512
6536187d5c08e1f5885db17b2669fe0a5942a35231805f463ada76883e47420d1c9019e323cb17bb0d0898865cb67cdd762bd43289288f69e4bc224c8ab79f5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
590e8912e5cf6447d92fc3cf56cfe536

SHA1
203c846985681d37a77e324874acc8acf446e212

SHA256
8722dac368e209019aeeaa8661c7b43006a12b9b2f40c85f11dd0728a1985fc0

SHA512
7c774c50d1ae3b072196f0a4324571cd7d33bcb8aad450a7637f4765fe3920485f2dae9ae00367a7593cd27fee13404c1a2d241868c1ec3982a3102d26d7ce60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
48702b4e83c7acee291cbf748f2121b9

SHA1
82de427a2f7bcdc908cf56ab58273a90b2f43992

SHA256
26c6eeac2405e031e8f1b25123bb3653c1aa8a63b7e339474fc1413bcd1f8776

SHA512
11255eaf02a286d96ae09e386f1e1a7a82a9499719c27b4a524e9173173d78255cfd16b29f16c2d7860298daaaf62545b8f46c951529d2bd9da3940f84b81730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8fd44fe99014f92a3bfdebc9b6e3d12d

SHA1
cafcbfb1f017bf5ae0b7374fd4e7bf592adcd46a

SHA256
3ac0b5a353f58e502b24dcf1b792fbf361d5ce262a4b3f37a77a49d69d63e33d

SHA512
ea611440e29a367d05ac52effdb867dd1338fd94aab41c246314ff8b3f12bf06199a6c5127d67536d07fc71055241ae20fc571cd7566f15828255a08526642f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberMania.url

Filesize
4KB

MD5
f89e823b83f9edc863ae9e35ea0a5949

SHA1
12db7e3d70e47bd97df335c74cd7323dc48a778d

SHA256
7fba1e8849a88298272be247c2b22ef4a50ac1bc4c83a4c02848bc131e622088

SHA512
d3e297af4eeeb3b8201381fddc426c33ab543db80c0da2ef7ee000ad773cf6895d7221ec17b95806377ea74488f8db7354e23d13c43d87599f6b02631e379d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe

Filesize
4.2MB

MD5
4a0a1e73b0b6eec9c409aba80603f775

SHA1
5be1d161a7034a0fb27c1f27d59339ff351b8ba5

SHA256
8be1234036700ba798eb15e3793f54773cda4efd214ff0e112e9fcf3b48167c3

SHA512
c8f0156c3d8ceddc0ac9c276085f24859cba8fb2726385757e15eda55396830b34774bd1baf399fad11097a28ea4cfd7d5a3030ef1c669ff659303ec8b7da4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rename_expert-setup.exe

Filesize
11.4MB

MD5
1696bd45406ec9a1136870f1256168d6

SHA1
b9f6ca0805ee227acf4a84fc5a8d57b61e54378b

SHA256
e97ace90e141de6b58b0a96e33fa6e42d645d5d723bd1fef285e0dfd57d903b2

SHA512
abc2d968a695ae7e67be076763546f2114f771d90483f2cb8132348efbe7069842fc84f5606d2dc87b73cf54a8daff71fc7ba12192159d7a4bec9e2643ceaf82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G608V.tmp\rename_expert-setup.tmp

Filesize
2.9MB

MD5
58c9cfcedf42934c891b05ae74dfbbc7

SHA1
64e99cdf1bd062f059a2fd53802997755b4fa7a0

SHA256
f53216920e583280340716e59e7ed0182854fb6866a051832c06dbfeb042d873

SHA512
b247decbbc22b0288711d58766e5c1b6071e4fbdbdb2636b9a73591494a12c1e1caba8055bdc9c7c67b22eb3e324b81c133ccb182921394ee4336b46da9841b1

Download Submit
C:\Windows\SysWOW64\DebenuPDFLibraryLite1011.dll

Filesize
6.1MB

MD5
5b1cb610caf266684e70d6b8c16c176b

SHA1
f3ec7ef670a7f3b0e65a864c95351b65276c15f6

SHA256
ab82ab9772cb5169a55e368adca03897003a7759ce8a5b0d00da74ee96fd1b2c

SHA512
f3f0ff6cfb72846c23469f7216261713fc67b0401dcb848b6db14ae460b404d12a4e8c0b628feb4856300575f9ee63d06b0aa2d4b17bffd8fa7cb39d8bc9915b

Download Submit
memory/3584-179-0x0000000002840000-0x0000000002E6F000-memory.dmp

Filesize
6.2MB

Download
memory/3704-24-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/3704-183-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/5072-17-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5072-20-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5072-184-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download