eba69e114ca3f10157b0a9131431d540cce9769c7d7c1200384a684b0796d3eb

Analysis

max time kernel
92s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
16/04/2024, 09:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

saastaja1.exe
Size

880KB
MD5

6945b0eb597cdd7d23e5d010638f5de0
SHA1

9afbbeaa14221ba791d566d453b9d9f202faadc9
SHA256

eba69e114ca3f10157b0a9131431d540cce9769c7d7c1200384a684b0796d3eb
SHA512

e5c6653ad47e3e24589d566f50714f5acd0c6285cc4cfcb8a3eade01a55504777bfe63fd38f18049a2cec3e7967ce2aafd589abd027b7ac2ff1d5224c228ad49
SSDEEP

24576:zAY1zr6fGAtr0xDK5N1F938+KxekDhxynSO:jhmGABUDK5N1LYbDrK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
392	Install.exe
4560	RunSaver.exe
3476	SAASTA~1.SCR

Loads dropped DLL 2 IoCs

pid	Process
1136	REGSVR32.EXE
3476	SAASTA~1.SCR

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Macromed\flash\swFlash.ocx	Install.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\saastaja1\Screen Saver\Uninstall.exe	Install.exe
File created	C:\Program Files (x86)\saastaja1\Screen Saver\Movie.swf	Install.exe
File created	C:\Program Files (x86)\saastaja1\Screen Saver\Data.dat	Install.exe
File created	C:\Program Files (x86)\saastaja1\Screen Saver\saastaja1.ico	Install.exe
File created	C:\Program Files (x86)\saastaja1\Screen Saver\RunSaver.exe	Install.exe
File created	C:\Program Files (x86)\saastaja1\Screen Saver\Settings.txt	Install.exe
File opened for modification	C:\Program Files (x86)\saastaja1\Screen Saver\UNINSTALL.INI	Install.exe
File created	C:\Program Files (x86)\saastaja1\Screen Saver\Uninstall.exe	Install.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\saastaja1.scr	Install.exe
File opened for modification	C:\Windows\FSaver.ini	Install.exe
File opened for modification	C:\Windows\saastaja1.ini	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 7 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Desktop	RunSaver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SAASTA~1.SCR"	RunSaver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Desktop\ScreenSaveActive = "1"	RunSaver.exe
Key created	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Desktop	Install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Desktop\SCRNSAVE.EXE = "saastaja1.scr"	Install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Desktop\ScreenSaveActive = "1"	Install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SAASTA~1.SCR"	Install.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\Macromed\\flash\\swFlash.ocx, 1"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp.1	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32\ThreadingModel = "Apartment"	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\ = "FlashProp Class"	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp\ = "FlashProp Class"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\ = "Shockwave Flash Object"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment"	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID\ = "FlashFactory.FlashFactory.1"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp.1\CLSID	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash"	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashProp.FlashProp.1\CLSID\ = "{1171A62F-05D2-11D1-83FC-00A0C9089C5A}"	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object"	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4	REGSVR32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32\ = "C:\\Windows\\SysWow64\\Macromed\\flash\\swFlash.ocx"	REGSVR32.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32	REGSVR32.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Macromed\\flash\\swFlash.ocx"	REGSVR32.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3476	SAASTA~1.SCR
3476	SAASTA~1.SCR

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 392	1932	saastaja1.exe	80
PID 1932 wrote to memory of 392	1932	saastaja1.exe	80
PID 1932 wrote to memory of 392	1932	saastaja1.exe	80
PID 392 wrote to memory of 1136	392	Install.exe	82
PID 392 wrote to memory of 1136	392	Install.exe	82
PID 392 wrote to memory of 1136	392	Install.exe	82

C:\Users\Admin\AppData\Local\Temp\saastaja1.exe
"C:\Users\Admin\AppData\Local\Temp\saastaja1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\FWSetup\Install.exe
  C:\Users\Admin\AppData\Local\Temp\\FWSetup\Install.exe SaverInstall
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\SysWOW64\REGSVR32.EXE
    REGSVR32.EXE /s "C:\Windows\system32\Macromed\flash\swFlash.ocx"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1136

C:\Program Files (x86)\saastaja1\Screen Saver\RunSaver.exe
"C:\Program Files (x86)\saastaja1\Screen Saver\RunSaver.exe"
1⤵
- Executes dropped EXE
- Modifies Control Panel
PID:4560

C:\Windows\SAASTA~1.SCR
C:\Windows\SAASTA~1.SCR /s
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\saastaja1\Screen Saver\UNINSTALL.INI

Filesize
137B

MD5
295c59dffc6a90c08f6498d579dda4c6

SHA1
f8ccca8a6a6b38ab40133eb7a44f3e91caf47539

SHA256
1da1b344d041a2b70994e151acb565c9813477612e3bd20ee5ea4b5e0563cb78

SHA512
eea5c68db484414e769bd9993d955154b996555e64ac6c693b2a86b515f9f170618df0ac33639d628f07a804e4acfc8dd67e6274b9c33ca1cc502d9cd25363d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FWSetup\After.txt

Filesize
23B

MD5
35cc2869875efabb0901f6d953bcd60a

SHA1
4c50b07c84a4f592b97836b5134ebacabcf5c83a

SHA256
84a250e566d105b774d03c3253c7d1e31316e03fd0ee85d817b88f2afb5a39f6

SHA512
b79c3eb27d3c68a06020ce49836799fdec8f6e0c073a3aec4cbf639a9c3acb7f32ab03199fcf02fe307794c106e4c13998c2f0931d22084727465c9a678deee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FWSetup\Data.dat

Filesize
228B

MD5
a8e317a583ebfb705cb99295054e4c60

SHA1
10d9a713fa51751c043d903042655318762da355

SHA256
2ed9fecbe82dc2093af4b1227d5ec44fcac4234e4c89134f20533e6960de7786

SHA512
2776f359e4e5606154dbad17115ba63a8dade0abd1af58b4347c6beca6a29b4c7b00aec4c72e7564d38cb4657c9720ca665733cb5720578cac855faf96f4f8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FWSetup\Install.dat

Filesize
807B

MD5
f2616c4b5fb511ee7510ebef8109703e

SHA1
6d97fcc5fc3af002a57233959a7dba8b35d0f0ca

SHA256
36fadbeccff61c5de4ed3f4adc199767643ce15196d93918db3dbb40060488bf

SHA512
b3cfadd493ee485b55274eb532625efebd922a8e85770ce83355908ef86ecd40f772ff1fe5b02b124e3036b4609f97744085a87d8a9cc5e5a5a0efbae6436e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\FWSetup\Install.exe

Filesize
312KB

MD5
13610513a38706906fd43b2fe8097f50

SHA1
7f25d1ab61d5a70fdd7a850b6faa6af5a3ac591c

SHA256
33b116aee6ef34d3c721d1a6fc16f74e4ab6ef44ac8167b51cb46fc9a6140a98

SHA512
b95eefc0a658285938b911b10f037f27c8dfc276524be48c8eea453ac38a36fe4c23da3410796aceb310908c884cd00687badc9c2e22580c52e5d17dcf9b0a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FWSetup\Install.ico

Filesize
766B

MD5
0a0495346d90aa270a0d082cb0da943e

SHA1
b910a557a71717a50ea49ac2a6d7669cf65f804b

SHA256
8f4a59760071147a691d306642fe96ede3553abfc7ea6a00860421ce6402aaad

SHA512
02fb518614de5557d7f840004d07ce07e81b882c5a8afa67573f00eae15ba9b2c1a24efb31fc8766b83b82ba4d6e5b833840f927fb3c86b294d0be66bb256e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FWSetup\Movie.swf

Filesize
143KB

MD5
7d7e881035d1bfba9ec78880ffbb2672

SHA1
981963c947e199ec38393ca918e42325a423c98b

SHA256
044776b2f4006427e2b9ae507b25b89547baee843a3840d551eabeb0e851bf82

SHA512
f161cfc4d7732b90fe1c2430eeee97386bc8a099b70b27b99890ace13de187984b5ef983b1d95eb89ccfcd6806368c0997574cfe2f5108a122c0f7e79336e23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FWSetup\RunSaver.exe

Filesize
156KB

MD5
9b341cd9421c0ba2c20736a285e6a13e

SHA1
0c98c0116ff86d814e5246bd4c3925c2f6e6f23f

SHA256
f564afdcb636b7a200c16d10ca1fa456ad5c1c00f79cbd809038fba5308f31ef

SHA512
dfddd3b4038abf5ac1287cf4baad8ff0e060061c06dec49a974044b8bb71f1f69c55b753b2637fe2ea3476504f4a6da9ec2036dac8d5b48300d6069ab9ea6fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FWSetup\SWFlash.ocx

Filesize
396KB

MD5
438487c9f2c320bc607c67b3a0764934

SHA1
b2ec6d0f966948a7f82d5fc58ea7766fc8eeef6e

SHA256
3583234dfcc563b07136d4f587a7da115da7ab58f0ada12dc503af1db2014543

SHA512
5f9231b5461735868a63f23e47364d8e920b50309964577fbd4fc8c110d75fc20b0b538c2a03d8e26e99ba95f731ae7715a8dc0e8f113a79d560fe5d4be5f74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FWSetup\saastaja1.scr

Filesize
501KB

MD5
3adccd04db38dcea480a695f144ad58e

SHA1
a36665b3add76e2a94bc471f569bbddaed06abb5

SHA256
f10f793405dbfe56df03e304e253cdfada5075177d168a10be1fc487a1a43a50

SHA512
3f2954d0783fe6c6fa4a988ba1297606a3ee357934d86128ac8b6eb93fefcf9eba9446dbc72777655b9f6083666a0c6bc87f15f7f56fde4b4a87805e07ddc30a

Download Submit
C:\Windows\SAASTA~1.ini

Filesize
102B

MD5
4c66549ca62cda51be1b8e307557fc72

SHA1
828651d6c7479d44e42c66ebd645f98013413733

SHA256
88533787cd2fd991578acbb433e80b092a5a648833df18e06c79f4410054bd8b

SHA512
55c206980aede7dd1085c1763269500e29ac1b83ca5e73050de6a0f514a635679b18eb3e133ec141cc0ad4c768dddd2c4f9de18c62c7fb8317f87fc9205023d4

Download Submit
memory/392-13-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/392-54-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/392-55-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1932-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3476-64-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/3476-67-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4560-58-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4560-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download