8a4dc655c2804b9122e7e81ada85c77d9029cbac66ad192aba92001531d0b329

Analysis

max time kernel
147s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KingTranslateSetup.exe
Size

820KB
MD5

ee49cdb5358a2e441f2056cd731ba8e7
SHA1

8241655b45331219e2d450a302869e770ff09977
SHA256

8a4dc655c2804b9122e7e81ada85c77d9029cbac66ad192aba92001531d0b329
SHA512

cf2a4032b7cc569eecf6837e37a02a54c4dc0dc39ce25e7150d63defcef19f08225cd938fc3c602900e4d88dcdf4198ce5d81d9110ec4907078bf55145ca5528
SSDEEP

24576:x0alXh7lPiDR1s0JEIA6OyvB3QLnp6eF6w:xt7Fid1nXAVyvBI56w

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Loads dropped DLL 11 IoCs

pid	Process
4576	KingTranslateSetup.exe
4576	KingTranslateSetup.exe
4576	KingTranslateSetup.exe
4576	KingTranslateSetup.exe
4576	KingTranslateSetup.exe
4576	KingTranslateSetup.exe
4576	KingTranslateSetup.exe
4576	KingTranslateSetup.exe
4576	KingTranslateSetup.exe
4576	KingTranslateSetup.exe
4576	KingTranslateSetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\!KingTranslateOnce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KingTranslateSetup.exe"	KingTranslateSetup.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\KingTranslate\log.log	KingTranslateSetup.exe
File opened for modification	C:\Program Files\SetSave.jfif	svchost.exe
File created	C:\Program Files (x86)\KingTranslate\log.log	KingTranslateSetup.exe
File created	C:\Program Files (x86)\KingTranslate\LogFileMSI.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\KingTranslate\LogFileMSI.txt	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\KingTranslateSetup.exe\IsHostApp	KingTranslateSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\KingTranslateSetup.exe	KingTranslateSetup.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5584	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
4944	msedge.exe
4944	msedge.exe
4656	identity_helper.exe
4656	identity_helper.exe
5832	mspaint.exe
5832	mspaint.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	KingTranslateSetup.exe
Token: SeShutdownPrivilege	1116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1116	msiexec.exe
Token: SeSecurityPrivilege	5084	msiexec.exe
Token: SeCreateTokenPrivilege	1116	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1116	msiexec.exe
Token: SeLockMemoryPrivilege	1116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1116	msiexec.exe
Token: SeMachineAccountPrivilege	1116	msiexec.exe
Token: SeTcbPrivilege	1116	msiexec.exe
Token: SeSecurityPrivilege	1116	msiexec.exe
Token: SeTakeOwnershipPrivilege	1116	msiexec.exe
Token: SeLoadDriverPrivilege	1116	msiexec.exe
Token: SeSystemProfilePrivilege	1116	msiexec.exe
Token: SeSystemtimePrivilege	1116	msiexec.exe
Token: SeProfSingleProcessPrivilege	1116	msiexec.exe
Token: SeIncBasePriorityPrivilege	1116	msiexec.exe
Token: SeCreatePagefilePrivilege	1116	msiexec.exe
Token: SeCreatePermanentPrivilege	1116	msiexec.exe
Token: SeBackupPrivilege	1116	msiexec.exe
Token: SeRestorePrivilege	1116	msiexec.exe
Token: SeShutdownPrivilege	1116	msiexec.exe
Token: SeDebugPrivilege	1116	msiexec.exe
Token: SeAuditPrivilege	1116	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1116	msiexec.exe
Token: SeChangeNotifyPrivilege	1116	msiexec.exe
Token: SeRemoteShutdownPrivilege	1116	msiexec.exe
Token: SeUndockPrivilege	1116	msiexec.exe
Token: SeSyncAgentPrivilege	1116	msiexec.exe
Token: SeEnableDelegationPrivilege	1116	msiexec.exe
Token: SeManageVolumePrivilege	1116	msiexec.exe
Token: SeImpersonatePrivilege	1116	msiexec.exe
Token: SeCreateGlobalPrivilege	1116	msiexec.exe
Token: SeDebugPrivilege	4576	KingTranslateSetup.exe
Token: SeRestorePrivilege	5640	7zFM.exe
Token: 35	5640	7zFM.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4576	KingTranslateSetup.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
5640	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3736	OpenWith.exe
5832	mspaint.exe
4188	OpenWith.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 1116	4576	KingTranslateSetup.exe	98
PID 4576 wrote to memory of 1116	4576	KingTranslateSetup.exe	98
PID 4576 wrote to memory of 1116	4576	KingTranslateSetup.exe	98
PID 4576 wrote to memory of 4944	4576	KingTranslateSetup.exe	100
PID 4576 wrote to memory of 4944	4576	KingTranslateSetup.exe	100
PID 4944 wrote to memory of 4852	4944	msedge.exe	101
PID 4944 wrote to memory of 4852	4944	msedge.exe	101
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 816	4944	msedge.exe	102
PID 4944 wrote to memory of 4060	4944	msedge.exe	103
PID 4944 wrote to memory of 4060	4944	msedge.exe	103
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104
PID 4944 wrote to memory of 4988	4944	msedge.exe	104

C:\Users\Admin\AppData\Local\Temp\KingTranslateSetup.exe
"C:\Users\Admin\AppData\Local\Temp\KingTranslateSetup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\SysWOW64\msiexec.exe
  "msiexec" /l "C:\Program Files (x86)\KingTranslate\LogFileMSI.txt" /i "C:\Users\Admin\AppData\Local\Temp\nsq3AF7.tmp\nsk6052.tmp\pack.msi" /quiet
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.kingtranslate.com/post_install.php?sysid=409&appid=0&ln=en&osver=6.3&pver=1.0.0.625&iver=1.0.0.625&ptype=n&itype=n&ostype=win64&ktype=n
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff064f46f8,0x7fff064f4708,0x7fff064f4718
    3⤵
    PID:4852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    3⤵
    PID:816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
    3⤵
    PID:4988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:2668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:1416
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
    3⤵
    PID:2824
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
    3⤵
    PID:4908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
    3⤵
    PID:1260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
    3⤵
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
    3⤵
    PID:208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
    3⤵
    PID:1116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
    3⤵
    PID:5336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
    3⤵
    PID:5344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,13762449937672847649,2130284881988046679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
    3⤵
    PID:5512

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4308

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5404

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\KingTranslate\LogFileMSI.txt
1⤵
PID:5532

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Program Files\SetSave.jfif" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4188

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1944
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:2840
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=808DCF8CBE75E03262B775618491E287 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=808DCF8CBE75E03262B775618491E287 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:816
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D142A6DA6654515B7C8FAD99864621D2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2392
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=00C71FB36CF6C1162672D62D79169786 --mojo-platform-channel-handle=2128 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4904
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F4F464D6E138D5BBAF3EC96A7493709D --mojo-platform-channel-handle=2060 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5164
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5ECEF3E7C7BA35CACEDD81E7C13DCEE5 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:928

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\SplitSubmit.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5640

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FormatAdd.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\KingTranslate\LogFileMSI.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

Filesize
264KB

MD5
d38c7f293a4a6821249ac23c83f89128

SHA1
f9ec2c1d57570aeeaa5da89ea784b893285923cd

SHA256
a0b539f5521e6f0fd4674f7de4f50cc3547e92843e06fe60160dbece61d85dce

SHA512
1e3633792763f719d89aa590005cf8bf49970d4aafca288a2369773f8d64c4f0429c7c9c860bbc504f541d00c2b934ec89ac99f422e493c2c5a663623df03e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
919c29d42fb6034fee2f5de14d573c63

SHA1
24a2e1042347b3853344157239bde3ed699047a8

SHA256
17cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141

SHA512
bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b2290ca03b4ca5fe52d82550c7e7d69

SHA1
20583a7851a906444204ce8ba4fa51153e6cd494

SHA256
f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2

SHA512
704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1662349908d3227c4ad9d3ff7f8936d6

SHA1
60be5eec39825d89ff2b70b7bb531f6ddf75e475

SHA256
b93046f9be537bf65b4feb2d010da26a4e3bf0e02af0b59dc0f80c71f66e2253

SHA512
0d77b4734a5a1128035ed03cdb29d45f18a4f9adace94b5c124b7ba1e161d4080e95fe576f87e1f71bdd88b23f63b4b094fc6abe0dddc6de14c129c91be65c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b4add151a829d9ec1b7c95750821c67

SHA1
1ace46528648abd6a7fddf5fd862060604955204

SHA256
11ba79882f5faac0adae27cfe32db902bba48e077718098b53334564da6a7d9c

SHA512
4218f5ff4cb9c1b8f4f7a08d27b703603feafe31caaa7464011422ee409ed6b73eedee6ff16681fc2799e8275de327607e29121d1daa499cff3633ff325956d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
06fbecbca2f305e47e96a3b7c98dd1ef

SHA1
87a93da547242d43f9e067bf7e14739c3d3d39f7

SHA256
dd0a3cdda30df099b25c474da78518af9f331bacf9b4721983ce7ec32d5a11b2

SHA512
7999faf77c9febcd7add1d43f25914ca37b4b2f3b0469c715f0110956710ba63882167261f5064deca30aaee9754a598395192a22da16ae87d4fe2063fc7a695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dd2739c67121a5d8644c55d9784545c7

SHA1
3e933c59c8bfbedf620d4d6343b565e6c6798e35

SHA256
e3db18ee277eb3375481dd3aaba4c37db1e08467e38711839034727aa957488d

SHA512
7e075197dda5b3e1db2ed2029a4a390bc25ae2eb334153f5fe7e3c016d6b8e4f3bb849d197692448f5f7dd3df265f08bbbb23fa0753156cbd0dc1dd97e0efe04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f86634d02f9266752818868e335dd944

SHA1
73ec5475134b7db493892141b347ec6efaa7e600

SHA256
a20925605d49b433ef4aa8daa47a140e536955aca2e6b07b70849020a9080ed6

SHA512
092dfd1e9cee7578d6c129dc99673a8fa19152c84396d1c0096d3a91bde71153936accc3f3ee1317d8f6b3770faa482697beb7b3dfe6b581a01bd0b0a26a4752

Download Submit
C:\Users\Admin\AppData\Local\Temp\Searchqu.ini

Filesize
529B

MD5
247588850581e045d6b7b77e85363026

SHA1
82e5b44a8f6c4b18e6b5266ce05e5bb674b027d7

SHA256
2a60fb959a3fcb4320b8645d3f2dcdf07730d673261ce3deb18442ffc35338b0

SHA512
c1a455ee04e8016d35bdf018ff4b5cf7491276d310abc30947351bddf5c6d2d049f03fad41bdc4487d259322df276090fb6af21fb4efe1fd65b9345fb38a358c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3AF7.tmp\Helper.dll

Filesize
1.6MB

MD5
4592616e63c41efe1ede84870c2d7607

SHA1
5344ef3a1b1d705d2a48e682aeef5ed66e48fe19

SHA256
88802264ee13dfe2a62bce1d11cd5b575b0b9839405a5b21fb043c8f50ac686d

SHA512
6810d87cd911a2305f1580e8cf9947bec06b1c75b7b03a341d2feae4e6061cc9965edd5f6a748f2013c63cf5b9d5b247597849b611ce6c9beaae1766373eaa9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3AF7.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3AF7.tmp\UAC.dll

Filesize
13KB

MD5
a88baad3461d2e9928a15753b1d93fd7

SHA1
bb826e35264968bbc3b981d8430ac55df1e6d4a6

SHA256
c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af

SHA512
5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3AF7.tmp\nsDialogs.dll

Filesize
9KB

MD5
f7b92b78f1a00a872c8a38f40afa7d65

SHA1
872522498f69ad49270190c74cf3af28862057f2

SHA256
2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e

SHA512
3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3AF7.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3AF7.tmp\nsisXML.dll

Filesize
11KB

MD5
a2725e4d4d57d9d497e0a384d2884417

SHA1
ee31ce04298964e5239368ca8fd7b3f1cda5d878

SHA256
e8b26d9497bf1f3be386158f7f338fa03c0cad9c893a7e96a0200a438c1733c7

SHA512
8d69e6bdd73a9845ba02917bd7f8e17e9a7a818348899d5ebb6e9055094c9b746550d6807c0412c2537a59b916b377aced3cf3932eb361d923816fd05866de99

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3AF7.tmp\nsk6052.tmp\nsa6CC7.exe

Filesize
535B

MD5
5acbcb5dc8e1bfd89f39a361300a38f9

SHA1
960e7c1e24968902e42a5970adf316f93059ff6e

SHA256
2cae9fae86e59c31d38e91796930553e241944b01ba94d9710c1f4f9d1478c97

SHA512
99f56a885c164874e61a2c8d3668dacdad302f3c02d8d1f808fa2040fca77a09790a170e60a1268745d9b3fdefcb3a9de5b93758fb10461af44ea845be20de9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq3AF7.tmp\nsk6052.tmp\pack.msi

Filesize
511B

MD5
a5645cab9eef0dd56ecece4f9fa07a93

SHA1
6bb38bc9aecfcb6959649f27c1266c51c5bc8ee9

SHA256
883623dc512490948e9fb019273014bc6c3206c3f4ed807583904cd7b22c5fd3

SHA512
b7f50cdad6ccac73030107889acf8998f27afbde6b288de5b858a802b4aa0de4d5fce94503a65d7ded55d1db1bee23384284a48d37719f1af247bbff702bbf7e

Download Submit
memory/4576-57-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/4576-31-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download
memory/4576-29-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download
memory/5888-280-0x000001EB5E810000-0x000001EB5E811000-memory.dmp

Filesize
4KB

Download
memory/5888-273-0x000001EB55BC0000-0x000001EB55BD0000-memory.dmp

Filesize
64KB

Download
memory/5888-282-0x000001EB5E890000-0x000001EB5E891000-memory.dmp

Filesize
4KB

Download
memory/5888-284-0x000001EB5E890000-0x000001EB5E891000-memory.dmp

Filesize
4KB

Download
memory/5888-285-0x000001EB5E920000-0x000001EB5E921000-memory.dmp

Filesize
4KB

Download
memory/5888-286-0x000001EB5E920000-0x000001EB5E921000-memory.dmp

Filesize
4KB

Download
memory/5888-287-0x000001EB5E930000-0x000001EB5E931000-memory.dmp

Filesize
4KB

Download
memory/5888-288-0x000001EB5E930000-0x000001EB5E931000-memory.dmp

Filesize
4KB

Download
memory/5888-269-0x000001EB55B80000-0x000001EB55B90000-memory.dmp

Filesize
64KB

Download