hxxps://files1[.]majorgeeks[.]com/10afebdbffcd4742c81a3cb0f6ce4092156b4375/drives/Unlocker1[.]9[.]2[.]exe

Analysis

max time kernel
480s
max time network
485s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://files1.majorgeeks.com/10afebdbffcd4742c81a3cb0f6ce4092156b4375/drives/Unlocker1.9.2.exe

Score

8^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UnlockerDriver5\ImagePath = "\\??\\C:\\Program Files\\Unlocker\\UnlockerDriver5.sys"	Unlocker1.9.2.exe

Executes dropped EXE 5 IoCs

pid	Process
5452	Unlocker1.9.2.exe
4044	DeltaTB.exe
6064	Setup.exe
5744	Setup.exe
5684	Unlocker.exe

Loads dropped DLL 9 IoCs

pid	Process
5452	Unlocker1.9.2.exe
5452	Unlocker1.9.2.exe
5452	Unlocker1.9.2.exe
5452	Unlocker1.9.2.exe
5452	Unlocker1.9.2.exe
5200	rundll32.exe
4928	regsvr32.exe
6064	Setup.exe
4168	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ = "C:\\Program Files\\Unlocker\\UnlockerCOM.dll"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Unlocker\Unlocker.url	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\uninst.exe	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\Unlocker.exe	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\UnlockerDriver5.sys	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\UnlockerInject32.exe	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\README.TXT	Unlocker1.9.2.exe
File created	C:\Program Files\Unlocker\UnlockerCOM.dll	Unlocker1.9.2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0002000000022975-38.dat	nsis_installer_1
behavioral1/files/0x0002000000022975-38.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID=\|URI="	rundll32.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\ = "UnlockerShellExtension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\folder\shellex\ContextMenuHandlers\UnlockerShellExtension	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ = "C:\\Program Files\\Unlocker\\UnlockerCOM.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\software\classes\clsid\UnlockerShellExtension	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433f39789c636262604903622146b36a53272703670b37335d4b5337435d134b57035d0b3367035d6343676713575347531733d75a06010101a3450ef500212b0b82	Setup.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 643965.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4196	msedge.exe
4196	msedge.exe
1876	msedge.exe
1876	msedge.exe
3464	identity_helper.exe
3464	identity_helper.exe
5284	msedge.exe
5284	msedge.exe
6064	Setup.exe
6064	Setup.exe
6064	Setup.exe
6064	Setup.exe
6064	Setup.exe
6064	Setup.exe
6064	Setup.exe
6064	Setup.exe
6064	Setup.exe
6064	Setup.exe
6064	Setup.exe
6064	Setup.exe
6064	Setup.exe
5732	msedge.exe
5732	msedge.exe
5732	msedge.exe
5732	msedge.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
5684	Unlocker.exe
5684	Unlocker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	6064	Setup.exe
Token: SeTakeOwnershipPrivilege	6064	Setup.exe
Token: SeDebugPrivilege	5684	Unlocker.exe
Token: SeLoadDriverPrivilege	5684	Unlocker.exe
Token: SeBackupPrivilege	5684	Unlocker.exe
Token: SeTakeOwnershipPrivilege	5684	Unlocker.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5452	Unlocker1.9.2.exe
4044	DeltaTB.exe
6064	Setup.exe
5744	Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 3172	1876	msedge.exe	83
PID 1876 wrote to memory of 3172	1876	msedge.exe	83
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 2748	1876	msedge.exe	84
PID 1876 wrote to memory of 4196	1876	msedge.exe	85
PID 1876 wrote to memory of 4196	1876	msedge.exe	85
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86
PID 1876 wrote to memory of 3092	1876	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://files1.majorgeeks.com/10afebdbffcd4742c81a3cb0f6ce4092156b4375/drives/Unlocker1.9.2.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea6ed46f8,0x7ffea6ed4708,0x7ffea6ed4718
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5284
- C:\Users\Admin\Downloads\Unlocker1.9.2.exe
  "C:\Users\Admin\Downloads\Unlocker1.9.2.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:5452
- - C:\Users\Admin\AppData\Local\Temp\DeltaTB.exe
    "C:\Users\Admin\AppData\Local\Temp\DeltaTB.exe" /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4044
  - - C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:6064
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\8B9A71~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
        5⤵
        Loads dropped DLL
        Checks whether UAC is enabled
        Modifies Internet Explorer settings
        
        PID:5200
    - - C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\Latest\Setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\Latest\Setup.exe -latest -trkInfo=[TType:5012_7] -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5744
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
    3⤵
    - Loads dropped DLL
    PID:4928
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,4619973616755453259,15133708145951073607,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1780

C:\Program Files\Unlocker\Unlocker.exe
"C:\Program Files\Unlocker\Unlocker.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Unlocker\Unlocker.exe

Filesize
122KB

MD5
0a77f732624155a215f5ca54df9b2930

SHA1
172bdf71343dd6544cfbe04abbc3dec4535f7d84

SHA256
a0b651038c4301f70e4aea506eb90edc584a5c4ca46880c7dc2ae5eafa6dc506

SHA512
6482c9fc3b5ff9d5798deb9965b4dfab9ba62b889e921011696f29dd96b813194a59f76a52a88fa4962317c6a43a21122c857e4ca80c6c4360c2cee544117352

Download Submit
C:\Program Files\Unlocker\UnlockerCOM.dll

Filesize
19KB

MD5
5fe324d6c1dc481136742ab5fb8f6672

SHA1
02f2d4476006cecd771de3cbe247e432950ae916

SHA256
0a66b19bb38385a8879633dce1272b8acf1b4b264c88e254345ec249335b41b1

SHA512
faa76477503923d1c14a12f00d7d416e5fbb485560ea02ed1e6ef6337f9ad88bc612af241ea61c8f9003253ccf5f66b2c7ce4a508bb2adc761c4f36ac345195d

Download Submit
C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2.zpb

Filesize
3KB

MD5
5e6230b3b16798e23720958756ac6d9e

SHA1
c7bcb001c48a67d4c9d6e70e92473ebd85b30585

SHA256
d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2

SHA512
6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
189B

MD5
7ff71ab5968bea6604be8fb0f064b58a

SHA1
af1dd2a4c210dbc4cb83abf04c06fb3d75c42695

SHA256
3b6b6ca522360d52c6f553ef6214fcd791ef53f733f97bbdc19573655423a4a7

SHA512
ba7f353e68eba631a3ec25c47d0e2e170503bf0c106124101a9819cab7a12bb2acf2510adf6766139ce129e8296f97a7ae049fe8e36f285778b0db477d6b93a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
624202a2755cb4610892ed0d657d8e6b

SHA1
c2bb4b4d56a56cd561eb01209ecc0a96d7b645e2

SHA256
9992492e5bc5256ba1e9604a27ed4212f82aad98919a1349e2bd19776e0663b9

SHA512
d87e6a03a73cb739802643a31c1c8b9c1d735ddc3106f1424e6889d9c9fffd6e2d8b326c99b791c2667f4577bbd2d884f0e6d08e5c14e06ca51094a98aa24706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
39c37e3603968bedfea3a8e7f0a2d84f

SHA1
31aef4809264427dab07f18d5e2387f9a2df1bd6

SHA256
7bf421a41f2ebc47a97cc91ed893167312e13c41c4a39438eb9a11e26b10cfa1

SHA512
090d40026245025595867b4700dfaab11a4b6d04d11a90bc7561980a18bd6f5e90be7404d89ca1fa806045ea696dd7baaaa99326fdc73d22b2ddc08fddf25d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
63fd42e0da432e5262a10f826e193f1a

SHA1
82245862dc644c1b8f25c975f17864ecaabb91ed

SHA256
64434b8fadbcb64fe8d5526041f6d99362e1956d87f39a14ea90612ba5dad203

SHA512
e73763b111cb720738a0477baa57935cb78e8b60cfaa5b5b5360abd05f147712ed44d7eeb480da20887fd90c2405e9b217bfeed169541e57bd1775066f7ef3b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c67465b109fc3b41d36f4c5e349cd265

SHA1
f4b1aa3673dbb5bc5b7c1a5ff9372b9a12d342c1

SHA256
4292bc070e0d9ee699cf6b072a83263f9de2758da5290f21cc2c5d3e792f634c

SHA512
b3e98203692ba8d6e934d0a16d6bed941b2f2492c62386855fa5a95df78d56b70a0562b2a04f43100cce6d2a20c2585ac0687b3a32b6e8397a3db1e90b4cc46f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9d4451d6625967daac7a81c0cb2cabc9

SHA1
caeeb9e5a63e29bae799d1e0594649a9f0039762

SHA256
3cc2d8897a20c24f9694455e2fc0fdeba1109ed97a772b79053e310dd7e42477

SHA512
9b720633e4dd6442df9c5089277cb4b66963bedb7e2ce60a5b7274e8693aedf114244820bc64c6373df8e6b7ea043d61902c7bbf9aa07ce56300f3dfd6ec96d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
24a585d76562c4d2d73cb1a3d2736c79

SHA1
84e3fd7e6b6c744c5d7ca1e1aab06d608d03bede

SHA256
d8ddb20540fa43bccf0df375980561c41aefe327279da396c8f2f2dccaec259a

SHA512
f9e4151b66e916c1320532b9a4a7b77db7aadd65408dd1d1f29684d458754f371e7c563fe57ea3cb75b1df7c55791136ecc9e3f603ce156fe9d345a4a3864880

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\BExternal.dll

Filesize
129KB

MD5
b212865e7e478a28a97268f960079a8d

SHA1
ded201ae02fb9ea3646489afeda49270c4620d9c

SHA256
d6138aef3f7674e2442add75013c86ca8fda3d5ba69737a9b881e7f7bbc730e6

SHA512
d973f9cb45d2035a8546bbdf77fa1b239a3f1e4ba2b17d32195a1cfed13fe06aaf48b91a133cebd7e53481ab5a5e9166329b730587b46a154b193779da6ad737

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\Babylon.dat

Filesize
12KB

MD5
825e5733974586a0a1229a53361ed13e

SHA1
9ec5b8944c6727fda6fdc3c18856884554cf6b31

SHA256
0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96

SHA512
ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\HtmlScreens\loading.html

Filesize
644B

MD5
f50fa4673555652289652753183fd1ee

SHA1
f496797f0d34eb866d6328d2fd1492b485f74d0a

SHA256
afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812

SHA512
6e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\HtmlScreens\navError.html

Filesize
926B

MD5
0c464e407c81764ebc09eacbe41f0b3e

SHA1
245afe550a05215e5873d8f5f21c22d12aa46b6a

SHA256
770a302bc58b513472aa603ae44a365a6f4f8cbddc13d2692f71b09f143f8a26

SHA512
71070fcd243cbb3e4452874ecaf8e20e13cbbbad0009ce543ca49601facc1ab1906c298849d3b8fb5747df1109f8e85946243ec7bfa0ead97ca0aed9ec8d3dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\HtmlScreens\pBar.gif

Filesize
3KB

MD5
26621cb27bbc94f6bab3561791ac013b

SHA1
4010a489350cf59fd8f36f8e59b53e724c49cc5b

SHA256
e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3

SHA512
9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\IEHelper.dll

Filesize
6KB

MD5
a21de5067618d4f2df261416315ed120

SHA1
7759a3318de2abc3755ebb7f50322c6d586b5286

SHA256
6d13d2967a37ba76f840cd45dba565c5d64938a99d886243f01713cd018e53ca

SHA512
6b5c40d09a9548fde90c1b1127a36e813525bea6ff80d5fb0911ddef67954b209df44cbf4714cd00c4e2e4da90cfc4967db7174c28f751f7c5b881fa18cc938a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\Latest\setup.exe

Filesize
8KB

MD5
5790a04f78c61c3caea7ddd6f01829d2

SHA1
9d783d964338a5378280dd3c3b72519d11f73ffa

SHA256
726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606

SHA512
9134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\Setup.exe

Filesize
1.8MB

MD5
26f6d1b6756a83de9755a05f7c030d75

SHA1
935f58155f74b051f9123b6022b7d358b52b146f

SHA256
2acab7c986bbf80578c3bd998dd2d853257719ceb74c9d30bb4ea28952403d5b

SHA512
af9603572bddb6244a7ab0484cb3ac9ed7c91b1cea3e3f8c8886478930dbc102925b45ed094eaa2801755644e3bb4a4c0685a423f937f4b02af16feec56e4f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\SetupStrings.dat

Filesize
89KB

MD5
407846797c5ba247abeb5fa7c0c0ba05

SHA1
44386455eed8e74d75e95e9e81e96a19f0b27884

SHA256
0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3

SHA512
7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\bab033.tbinst.dat

Filesize
205B

MD5
90713ab7a74884cd36a5fb4cfcdece8a

SHA1
7bb56d08fd69a98e543b923bd0a9156f92a9c473

SHA256
bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb

SHA512
639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\bab091.norecovericon.dat

Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\bab148.spreg.dat

Filesize
249B

MD5
a4af0a0c254b38f2f9eecbf0e00b08fe

SHA1
ef730bce77699730dda378dc444b997ce7ceea7a

SHA256
810e0e32d54b9e1557da7ccf1ca9f6354814e90dadc6b4af5e1cbdf87fac925a

SHA512
b74596e55e75413303559c135db393a04d6fd6cbab147a51ac2f46435f52b92b82868de4e67917a7b388d82c672fa36b525b88e2eefe7ec40695f028395dcd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\bab187.wl.dat

Filesize
234B

MD5
6358860cd0c336c1f91f86be701d77c4

SHA1
5dd38b818bf0860b4c5144ba670a759d4345e4ec

SHA256
2ed42e3c958eb21352bae4b00db2fa5be94149abc64eec93e5258b9c4a715457

SHA512
7df3b3e1487d3a65000b6208969f1e695815133c052f369beb36877fe5c6f64d979aefd030a193b04a5e46fb0d97a3cc06837aa381efe6bc24a0c084c768dac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\bab307.sp_pop0.dat

Filesize
178B

MD5
0b7be9c4b72c2c5166bfd61ca5ebbfed

SHA1
aea0aa4e8226c1b4efce92e909da773744baa6d4

SHA256
673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd

SHA512
4dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\bab456.TB_OldWay.dat

Filesize
174B

MD5
7e72d256e34635d351092955d1f8516b

SHA1
7f240f8f4bd61ae59247d84d0ec85f5bc8729f36

SHA256
39eb1667a67149b5d930e5408896027e3c3fc06282735e61cb8d85f5b38f587c

SHA512
621eb4bf2864db2fa0f861c233ced790124e9060c081948beb7117f8c058a36ecca23ee05ce2d6d42af15533c050f648d276589682d91dfe699ebe871cc9ae8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9A7102-BAB0-7891-973F-64A7F36548F4\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeltaTB.exe

Filesize
767KB

MD5
eb2764885565b6c01cb32e5f51f213b3

SHA1
cc41cadbbd6ba6ed0bfdd17798b4c9f94d7955e0

SHA256
d7146999ff94b3ae092f3213ddf0217615f1d38798393b66778d11aae2b68eaf

SHA512
ac88795b2e8260ace9eb57d2a3fdc4aadb18e2cb0afd780459f51d25f83b34f7033425dc712655e423eba4e011fd2776f53463042f2c2d9dd427554c04cc840e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBDC3.tmp\Delta.ini

Filesize
1KB

MD5
48c4f293a2a783fca6176ee3b09ef35b

SHA1
d8e2414e56d9bf28488fc7100362aa638df14978

SHA256
d2e7eba410ac4fbe943d4fc63b552d10ed3dd5fe738db7d03a049a4643f7fe14

SHA512
7a84f1726119c027898167282d4731b894c3ed3f704df719dceadcb464fff73d8113f530d3a8ba6cd527131362890a4915ea5cd58bb184b93ab76f54a105bbc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBDC3.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBDC3.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBDC3.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBDC3.tmp\ioSpecial.ini

Filesize
696B

MD5
5f1c419d371448b841ce20e54c5cc223

SHA1
8c68709310c89df37bc8a5b211f60ec2152373e8

SHA256
10225988e1972110b7bc4abca96bdc7338033989efa79a0d9d618f60aa8bd6cc

SHA512
803c038a21020929c3b1d109aaa3e2d594b8c2cd336a86dc0c4f97fa748a10d10f297651410836b9ab40904427ef8be36f97b128c1a67444748035a7b6c16d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBDC3.tmp\ioSpecial.ini

Filesize
555B

MD5
192bd29233da85193f618ebc1e84967e

SHA1
4f8d6ed4da374ad4957dcb16c685a17f5afebde4

SHA256
ef4e69c6ac26b28f5cf2569ae96308309f45117ac302e8d2a069eeedfd3e1e27

SHA512
6d8ca98b1b0b4da6ab78751b1101c81e7da2c964e3c28d560728d895db5cde4c564498ef48537914eb3dad1f23acce02121289c5ec882857203da96bbb0e713d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 643965.crdownload

Filesize
1.0MB

MD5
1e02d6aa4a199448719113ae3926afb2

SHA1
f1eff6451ced129c0e5c0a510955f234a01158a0

SHA256
fb6b1171776554a808c62f4045f5167603f70bf7611de64311ece0624b365397

SHA512
7d0f1416beb8c141ee992fe594111042309690c00741dff8f9f31b4652ed6a96b57532780e3169391440076d7ace63966fab526a076adcdc7f7ab389b4d0ff98

Download Submit
memory/6064-592-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download