Analysis
max time kernel: 340s
max time network: 338s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-06-2024 17:18
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.kaspersky.ru/downloads/free-virus-removal-tool
Resource: win11-20240426-en
General
Target: https://www.kaspersky.ru/downloads/free-virus-removal-tool
Malware Config
Signatures
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\Drivers\8789c6ed.sys | 49e70d0f.exe
File created | C:\Windows\System32\Drivers\klupd_8789c6eda_arkmon.sys | 49e70d0f.exe
Sets service image path in registry 2 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\8789c6ed\ImagePath = "System32\\Drivers\\8789c6ed.sys" | 49e70d0f.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_8789c6eda_arkmon\ImagePath = "System32\\Drivers\\klupd_8789c6eda_arkmon.sys" | 49e70d0f.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_8789c6eda_klbg\ImagePath = "System32\\Drivers\\klupd_8789c6eda_klbg.sys" | 49e70d0f.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_8789c6eda_klark\ImagePath = "System32\\Drivers\\klupd_8789c6eda_klark.sys" | 49e70d0f.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_8789c6eda_mark\ImagePath = "System32\\Drivers\\klupd_8789c6eda_mark.sys" | 49e70d0f.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_8789c6eda_arkmon_FD710C43\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\FD710C439F89CA6B7D8CAF3EE6F307D0\\klupd_8789c6eda_arkmon.sys" | 49e70d0f.exe
Executes dropped EXE 2 IoCs
Processes:
pid | process
4040 | KVRT.exe
4936 | 49e70d0f.exe
Loads dropped DLL 40 IoCs
Processes:
pid | process
4936 | 49e70d0f.exe (40 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\994d5369-33b7-4a78-9fc7-d8cd79eac999 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{7ad03a33-0598-4978-a936-424b3ba91949}\\994d5369-33b7-4a78-9fc7-d8cd79eac999.cmd\"" | 49e70d0f.exe
Checks for any installed AV software in registry 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\SOFTWARE\KasperskyLab | 49e70d0f.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\F: | 49e70d0f.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | 49e70d0f.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
description | ioc | process
File opened (read-only) | \??\VBoxMiniRdrDN | KVRT.exe
File opened (read-only) | \??\VBoxMiniRdrDN | 49e70d0f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1696768468-2170909707-4198977321-1000\{34FC5F68-752E-4EB3-A221-EAA6BBEC1F16} | msedge.exe
NTFS ADS 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 262207.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\KVRT.exe:Zone.Identifier | msedge.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
4936 | 49e70d0f.exe
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
pid | process
2028 | msedge.exe (2 entries)
4128 | msedge.exe (2 entries)
2620 | msedge.exe (2 entries)
4004 | identity_helper.exe (2 entries)
2304 | msedge.exe (2 entries)
1464 | msedge.exe (2 entries)
4076 | msedge.exe (4 entries)
4936 | 49e70d0f.exe (32 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
4936 | 49e70d0f.exe
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
pid | process
680 | (process not named in the report)
4936 | 49e70d0f.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
Processes:
pid | process
4128 | msedge.exe (13 entries)
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
description | pid | process
(all 47 entries: pid 4936, process 49e70d0f.exe; tokens in the order reported)
Token: SeDebugPrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeLoadDriverPrivilege
Token: SeShutdownPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeSecurityPrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeSecurityPrivilege
Token: SeCreatePermanentPrivilege
Token: SeShutdownPrivilege
Token: SeLoadDriverPrivilege
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeSystemProfilePrivilege
Token: SeDebugPrivilege
Token: SeMachineAccountPrivilege
Token: SeCreateTokenPrivilege
Token: SeAssignPrimaryTokenPrivilege
Token: SeTcbPrivilege
Token: SeAuditPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeLoadDriverPrivilege
Token: SeLoadDriverPrivilege
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeSystemProfilePrivilege
Token: SeDebugPrivilege
Token: SeMachineAccountPrivilege
Token: SeCreateTokenPrivilege
Token: SeAssignPrimaryTokenPrivilege
Token: SeTcbPrivilege
Token: SeAuditPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeSystemProfilePrivilege
Token: SeDebugPrivilege
Token: SeMachineAccountPrivilege
Token: SeCreateTokenPrivilege
Token: SeAssignPrimaryTokenPrivilege
Token: SeTcbPrivilege
Token: SeAuditPrivilege
Token: SeSystemEnvironmentPrivilege
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
4128 | msedge.exe (64 entries)
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
pid | process
4128 | msedge.exe (12 entries)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
4040 | KVRT.exe
4936 | 49e70d0f.exe (2 entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4128 wrote to memory of 4288 | 4128 | msedge.exe | msedge.exe (2 entries)
PID 4128 wrote to memory of 1068 | 4128 | msedge.exe | msedge.exe (40 entries)
PID 4128 wrote to memory of 2028 | 4128 | msedge.exe | msedge.exe (2 entries)
PID 4128 wrote to memory of 4944 | 4128 | msedge.exe | msedge.exe (20 entries)
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(top-level processes are unindented; child processes are indented under their parent)

PID 4128: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.kaspersky.ru/downloads/free-virus-removal-tool
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    PID 4288: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe9e363cb8,0x7ffe9e363cc8,0x7ffe9e363cd8

    PID 1068: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2

    PID 2028: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    PID 4944: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8

    PID 1368: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1

    PID 4812: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1

    PID 2960: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1

    PID 1108: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

    PID 3348: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1

    PID 2788: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4000 /prefetch:8

    PID 2620: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5668 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses

    PID 4004: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    PID 2304: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    PID 4776: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1

    PID 3620: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1

    PID 2824: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1

    PID 244: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6668 /prefetch:8

    PID 4068: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1

    PID 4888: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1

    PID 4200: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1

    PID 4992: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1

    PID 2652: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1

    PID 1464: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7252 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

    PID 4076: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,3597482355945467014,14304233838829123549,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6272 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

PID 1960: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 4004: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 1260: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 4040: C:\Users\Admin\Downloads\KVRT.exe
  Command line: "C:\Users\Admin\Downloads\KVRT.exe"
  - Executes dropped EXE
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious use of SetWindowsHookEx

    PID 4936: C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\49e70d0f.exe
      Command line: C:/Users/Admin/AppData/Local/Temp/{1493dd12-d486-4ba5-82c8-80a1195a365c}/\49e70d0f.exe
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks for any installed AV software in registry
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
Downloads
-
Filesize
160KB
MD52689909dad3f105937cc03917ce6a8b2
SHA10e3c2f27db9fc53f205bae4268091db2dd30623f
SHA25615fff20108b100ce81e6b3de6a11535b9f0a18d80067a62555cf62e6954c1b6f
SHA5120be32a0ac0ff64f0e7a9a0f362d3af7c701cc3f32ab78ccad12babf1da542723162a95a241688558c553f66ee56c57c6bfc1a96e27fdd8324c26fc23d94405f6
-
Filesize
450B
MD55ddd872b313ff923f4244968c08602ef
SHA13abf3ddd173226e7775265a0a23d0bd2c2d85042
SHA256e03e336876e6e1e41a6e20c135d1a8eccb49967bd8d6f67776491bd1b11f4af5
SHA512919f04c6041e0b344fed1ca13acaea7c4e01ce31166c1a752f9749de801e487adb118685d408788dbcb7b8f77d6aff36ba5a4a8b94aecaa0d7605465b9f85324
-
Filesize
152B
MD51e4ed4a50489e7fc6c3ce17686a7cd94
SHA1eac4e98e46efc880605a23a632e68e2c778613e7
SHA256fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a
SHA5125c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28
-
Filesize
152B
MD58ff8bdd04a2da5ef5d4b6a687da23156
SHA1247873c114f3cc780c3adb0f844fc0bb2b440b6d
SHA25609b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae
SHA5125633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB
MD59a0fa4b2c49e2d5a06c327754b21fcec
SHA17279eca262dd4154bc5c7314137b3bc0c07efbb1
SHA256e79167d26c2465224ec8bc83f1dcfbb74be6c7a823acf469520a50641ea34e78
SHA5121be7cab4dad10312244afccb8cef39d692f512fa2b9188b9a7d87f074ec0045a4852050470dbe651e173261baea76356dc0620e15cdc8b3244543ce0968ea42e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB
MD5fd0528726a4a3da0723155c5228b4997
SHA1d9ea0907f693265666f6a81b28633b0d9fe678be
SHA256485c5a648b9dce46190f3bb5affb73cd55a15a6fd2a10c3a7024c6aab4bc62bc
SHA51276133d3e4e8025c1eeb88b5cca942c659cb61cfc4ad980176cd42aa5f7de83b1694ced2c4199a5a36764611b0ddf660c79af2702bf5edb35be0114ae06f3c179
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
3KB
MD52fed5d0d99d4c05825e3cb04d1048ef8
SHA16e598665146f155aa5abce800aa6ce253cc13483
SHA25657e5ce686cb9cb97d95335aec260f020ab9e0bffaea376cea37278f910195d10
SHA512c3d5d0f1ab8da1b59bcbcfbab91688f857b9a5342dcc51ed8d23ffd3b98c0f37746aba84faf550eac66040e7b1c512e82485a2287d14736770ba799c01f5c73b
-
Filesize
5KB
MD519cabdcdbe67dd0d82a609caf07c5f0d
SHA1995d43ebe8c315e6c07f83ca931ebab705494e40
SHA256318f402cd5eda9110fa8f4c7250bb0dbddb576b486612d44dc576e642e6f2cf3
SHA5123c2d63b4b88e2276e74db4ed2fa97b17e6a22c8aa69df40c30b9087d0aac08d5361798f28d7d9f15f1cf7f1b78c5748d39e32a4e459596529507d8cf21ec5d93
-
Filesize
8KB
MD5b6bc0b0eec3145223ef9a2bbcc1241fa
SHA182bdd5225d79d2c5f7a60cc62b3847f1aff7840a
SHA2569d4cdf04e64b1fc15306d168ee1a14378ecd491548d7d563c78b504c2a422c7a
SHA512ebeb97f6de092bb1720a6fd3f3285a1a623c27eb3916dffae740ab2e5df04e13a54cb891c46af501b497f14bc6b37cd92c5afece3b7c9277e959d7f887677a73
-
Filesize
2KB
MD5f4562d8dffb2afa76eb5f375fc7ad1ad
SHA1f912823234ce2413f9150a8c17cdd133fa89fa29
SHA256ae7898a1faf5ad653b8e2998ddc86f400d9acbd95c14197dc1f12b3e6f1075e3
SHA51273cf69eda53b814124587006b5676653f70f12ce983f6c8e2d6f9804935940d344527fd5f33d0c045c809ecb3a1df55836ef25eb90cc1e2f718077abea5213c8
-
Filesize
2KB
MD533515eaf2559b3d01aacd2a5e64c363c
SHA1ded68e66206678dd8e59cfea40aae0cb31cda13d
SHA25681cefae007abda220a93cb765c2dd3dc1b8b2f6acb1a151e87bbe25cdb69fef4
SHA5128eb5230ff562bee50413fbdfbb7abb509144e9da66b4d967a776a975d70531e4310682a7a7ce2c1b58dd40a461e46c89a09efd61fbe4c964d79f6cea4eaa8735
-
Filesize
2KB
MD55e3b7c1a10842272553d6e8bcd5c8694
SHA111ed51b38e0c09f1043d2850919424d51274644f
SHA256824c32a3888be980ada303a69b96cd618fc85425e1157379835cc3aed07fb1a6
SHA5127c5da58f52ade18a8dd1da82b7fcba696e9b0c82007b241d6d1db9f27767f3b8b8d4edeaa7456e5bc0c5f3c32682d8af30638a2aa3c99866dce985b40588c518
-
Filesize
2KB
MD5949309f75632c5296db1862ff7c283d5
SHA13553e749ea105718dfae2e10f2d5cbb05d12f65d
SHA25649184908db44737d1a6f3544a830ea23e9f468abd3e4cf086586b10e734c3f0a
SHA512d744b6e162512d2695c1df9184ee4caae65522084c8d92c27cfe74e012fb1ec402f2e13763c10a5c5d79519c0f85c09cd40486f30adcbd88f20008978d6a01be
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize: 11KB
MD5: 1004e46a491a46f4035bf306cd77dfc4
SHA1: 1112008d3aa85c1659df13615cb52807adc0c861
SHA256: 8f7fafdb61be324b0f3e33113474621674541c48adf29bb8c3e7a7afbb750a14
SHA512: 0d2adbae9acecdca95641ba7b5ba177e414272c770b9a45f6cc4019f0a6de5863af1e9acf38fbe9db5fdf59c1182844ecc2015aa680796a919d67e404953d7ee
-
Filesize: 11KB
MD5: ea9f2dd406be34cafd1b539c69e4a1f4
SHA1: 7b96b4ab2783a8fd8924ccbfedd445fb1e2afd0b
SHA256: 0563c9165bf944b289f62a20e37a0d6b026a94734cb318befbca2bbb7eb6d2b6
SHA512: 663c63d06990995c6d003df022c6699fee56f8538ba634e8ce3f04497c334fd7487af4a29dce0351bb5d150993154d5e50e3ecae9ba80fd23bb5a1412e8b7f8d
-
Filesize: 11KB
MD5: c81b777275bd6d1028e24cda057fb523
SHA1: 01abc609cf69d6b42467363c194e0d5aae33afb2
SHA256: db48723d5c565c8383958138a2ffaf13a04c5da34e2a31eadd2c90706b08bf16
SHA512: 7e12524602133f22e53786fe0dd5f29eaa10c5c2629f6e2810b6e1b74f6e15827116647bb821e256ed328f1e6e86910f76c1dd0ba0174a6b0202b1042514ddd7
-
Filesize: 11KB
MD5: eb788f66cbf01e2f0acf3e6a03db017f
SHA1: 267eff9e061dd44084354757d31c8558a7390c56
SHA256: f3f12289b67ab03c44ab054eec6169275f893406c9a0d300ce4e584e97fe784a
SHA512: e773346c278386200ebc491b40f7f6a167df2f37c6cbc00b7a684ef0e4a59c7922e6206655ceb9f82667ff99a3f8767c78d6b2f9ae515252a788814eff27c31d
-
Filesize: 11KB
MD5: 9410c3f7d64c5613b53de5f5e21c38bb
SHA1: 4f350c69c188d3ed572ed95d2e8b1a1ab2531889
SHA256: 61ce516bc57f165bf01825024bc4833fb96e280542e1b2ef422b4a437cdfd3de
SHA512: f3a982c164d52fd5c056793fb9f783342b0b86587376fac18e1f0434b8881bc854e212eba232913f38682aaafb6e2afde459f81c9c3393165cffc279b9972768
-
Filesize: 92B
MD5: 7662a879f5ea52c1089465e46752a514
SHA1: 31697e48276d1b5fac0a13b478487d123efd3f1e
SHA256: 1f7dfc2753cb87b3c02685b6e85e8ddc608e2bc8a0ba9f2dc7a9d9becb470e76
SHA512: 95207d66c4d28a3bdeeddd35b367f5f36e3e6324070f010a9b634897a1635ed63d1f1b5f6a2971533c1b7de3578b17864ad430d4d3f5986741b3fc071ce99d0a
-
Filesize: 7B
MD5: 85cbb2a3300c5969e28a59d571e18709
SHA1: 1c241ba19926bec8702a19dca831c5311d3d7e26
SHA256: cb6cedb24f57007074f89b72d27f0badbfa3517d3cf0eab94de9c757a8ef4d86
SHA512: 7303ef7afe2cb4eda8a3e3d175fc12462e67cf505c87c8cf40dccd03f9447df1b9169d03de7baf5180f91572c2477f5bb2617a750b7e79be823039e89241fd14
-
Filesize: 118B
MD5: 58711fdd032d847473d881cd0c1950f2
SHA1: 57694e3a9efccc2771c839f53d9dbd12aac82fa7
SHA256: e381975c4ef147187c577a20cc0df577d9f6a35c9f8fdbd53598a2ace04090d3
SHA512: a0345b86fca6e96f94387f5d5faed454f1ee5f9a8f88ae6fda8a35c5ad9e6cbbe3bbcda21df8aa78fddd8295b81a396dabea336a344fbfb7dbb2456cbe5337ae
-
Filesize: 69B
MD5: 66cb576f0b97f33bb82f910f2c609820
SHA1: 934b7c659f257deda4a4b239d507fa33e49ec515
SHA256: 41d6305f3ddbde3e0cc9225f86c5f24d004a0c39f7553de5404779da6f45c891
SHA512: 15160d48cdf47cf509c3e7332076119b74fbbf5d9b28671f1d29c5c80a2685bda89078edfe603fde9101f515ab9f7178a96d2b3c71362114adf20b154f8d667d
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\Bases\Cache\arkmon.kdl.ffa97045d8465e2172bb1d40a8621d1e_0
Filesize: 448KB
MD5: ffa97045d8465e2172bb1d40a8621d1e
SHA1: 2805422d402810eb5c44d3c522e763eac8e944b2
SHA256: a23155cddf6a696f403d6299edcbbc77a029a35c7fa65fb0ccdcd4d5bd2c93a0
SHA512: dbe1d9afe191c2cbea9d5e0b434f908bb802cefd7937a2054565bb28b6defb43bfb6ad76310535832eae5e3187bd19f6d92c38f21a97bb35e1f29d9d8f35f162
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\Bases\Cache\avengine.dll.52c5f0ba7444d13378e2102a58232671_0
Filesize: 946KB
MD5: 52c5f0ba7444d13378e2102a58232671
SHA1: f484829da9c5e3a44cc5e0ffcc7d7550f6549dba
SHA256: de3b4f0d7a3d26785943a777166ef7f9ffa866ecc6f4170b6970af4e296671e7
SHA512: daf7c7dcafb6e1cbfd3d79fd9401f90934a8d5ff8a09b619fcc14c6619cec2cc10e40d808605430386c7b6565140165c4ea0660e5f253a8feec4729c6a2b1bf6
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\Bases\Cache\kavbase.kdl.7baf07601ea55caf34b35bec5751de63_0
Filesize: 799KB
MD5: 7baf07601ea55caf34b35bec5751de63
SHA1: aec49556ba3d8bb11e04687fa6722360d4753bb2
SHA256: b26e39c787e00a46c3813f017ed90ad641c13b5232e9e27e43f99c9bdcb75645
SHA512: cc1083d92887f56599bc3b3efba358fba4d35852f62079327347b6698af7e3ffa367b6693c8d8a2adf45517f2037658d265da64413953fa10830b20891aa9c94
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\Bases\Cache\kavsys.kdl.761f656789cb55eedc099ba3cd372121_0
Filesize: 935KB
MD5: 761f656789cb55eedc099ba3cd372121
SHA1: 1498e8b3e8ae171002a0d92f66877adaeb6f19df
SHA256: 0ad762cc4c8548fb7c8ca6e97a8d1c5078acb2ab3d4622d00fe28bc8cf893095
SHA512: 9b3004efa350d45eeae4c7e42209e1da6d7800f1a823ed734fc82a6f592adb75659cd712a72db69cda3e2d9c352b9e9e8eaf87d1d309a61bab1cc2b1a6f13d3e
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\Bases\Cache\mark.kdl.68d9adb364007366de31df216e06bef3_0
Filesize: 420KB
MD5: 68d9adb364007366de31df216e06bef3
SHA1: 5a1b5face27868c07021b9b4af48be81f12b31c9
SHA256: 6692e9e3e029ec4f48b752cfb197d4e9b7f0d8faeb0f6ce51a962885cdd99fd0
SHA512: 0629960df306e2d2ffb6c1d8760456b306e15da9a0a3682e912ff4b816a517428d0871e812682072b1cf388695440acae40ba3f5804b92d825304a1fa18b613a
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\Bases\Cache\qscan.kdl.ccf5fd3fdf62d187e66af0757868e5d2_0
Filesize: 1.4MB
MD5: ccf5fd3fdf62d187e66af0757868e5d2
SHA1: ee9dcb9e130505bfb654627c6064fd7792ddb95f
SHA256: 1076d20f9d7823b1888fa0564bc1224a9ee66ce6ee4c632d1bfcc4feb458d998
SHA512: 2aba637da52e249628ea63d6083221ba36d0e211bf7e8bce2d1eca0155cb73bb0c058cfe5a6e0c658bae463debcacf07de08afc3ee91a01f7335c9e55c3cb73d
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\Bases\Cache\sys_critical_obj.dll.802c20a8239d0082e57135d00bb9b003_0
Filesize: 725KB
MD5: 802c20a8239d0082e57135d00bb9b003
SHA1: 9721cf68faf500fac464283cfa86e7b3306b509e
SHA256: d66ffdecef0c81c7cbdb2408b65084d0ed78e04e69ae862fab7990fc2f834c75
SHA512: b1fcde7e942aceaad1bf84655c3633e47d22cc515db2a61ba4d80f8aff2240257095c08af766440cebaa2cadfde3762de313e8e33421b31d9c3eb9e94029db46
-
Filesize: 377KB
MD5: fd710c439f89ca6b7d8caf3ee6f307d0
SHA1: 5273c87564d9fcbf99b846195ea8bd3102d65a76
SHA256: ca317c531bdd3a23d401a242a904e8eb81401c79073eee470b6e1078f3645faa
SHA512: 3df58ac276362fb7d7999bc8e902f22e9ee1501ee2e4f653e58595d411752e18bf7ee0cbc95766ecb8da34a5ebd3a11fd5bbf5450b1c01fd3ed8ee0e22183b09
-
Filesize: 2.6MB
MD5: 37226eb4f1c7a0b79275c1401f83cc6d
SHA1: 71ed962d1e0d212869d92c23d6e20a4e1e7ad430
SHA256: be00dba953a6f26990e020bdc4e3f13e5799a3ff60384768ee6c1af37c656a4d
SHA512: afea618c795406a49d159e1359e76168dc6b6dee07234666d21ee21bb5011fe9af57a3425e76126f2595e3d180cf2121db5d02258d7aca77b3c4d8621a8aa15d
-
Filesize: 2.2MB
MD5: 38717f028f7df6e29996dabe26375956
SHA1: 328c0ed49e079999ad0cc7c1315375b77531c8c9
SHA256: 9db65ebeaf888b6cc99c06d0f063e48932feb27f25b5350d9d870e9ce40d1e10
SHA512: 4c6de66d71527c1c0e8d666e85dde671ca6b2705e5e4584487be265f25c6369f5512c0601d251192c56ad44bec538161bded7fcfcd3a578cddf76d7617af237d
-
Filesize: 4.6MB
MD5: 02b21d6184ec835fba23088e7c7368e4
SHA1: 2386e5cd242ad6abfadecc2d8ba416125f0bde56
SHA256: 5967b2240167500cfbb602408833776fb9be95ee404ad2bbdbdde18c752aaefe
SHA512: e8b15e68c61f1a0f78fa4f4821a636e07ab3a87699fc45ace096d080d7bda62534af7acf93b9a32d730b0403b52dc1eac8df9175ae02d5f6f829c7849e340eb9
-
Filesize: 4.8MB
MD5: 8fd0c7b86b4988b234614944edb565a7
SHA1: 120015375d66f6e3f1c889cbada3efc4f8ff7f5b
SHA256: 449a105683a27ebce39f2a7a0fb413cbe2eb2df8c2c8f51870a40e9eb9708a7a
SHA512: 3e92401ee9ed0dd51fe95f963378caa73fe07bae0186406b9689519d6b75926b5027339ea52c8643c92c21b621ddc05056a1338f0114a6902c2897406cf371f7
-
Filesize: 4.4MB
MD5: 8751f0205fc7a87b46afae8ceda42d90
SHA1: d7e41a64c09f580d9e63ff5ffc8ac37d1f7da4c1
SHA256: 7273600d11889adba9287e6d5a3b684a9d902d1b4db8cedec21562fa00c436cd
SHA512: 18466c4c4b6dd07445862d8e6a84825b8b0edeaa95dc8fe58741527d5dd20cbfc7672825108acec69bae506b41fb01fc6413401759db3d8265503fea88ed9bba
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798
Filesize: 368B
MD5: 4b03934418970c06f092afe3d2155bf1
SHA1: 56a0e9666c3ee0071d70b9d2b364666fbb93068c
SHA256: c3a63c68ae58f008e5eb52c8e515fe6f5f978e3a8e33ff3c4c4ec43b186486c6
SHA512: 7846f929ec6d68397c60155202365bbbae28c5faf053c67469b378bd059ac7fd8575ee4973d905e51471cabeadcf3251d229057fdba70eb5df478ab4eafb39f8
-
Filesize: 1.2MB
MD5: 4003e34416ebd25e4c115d49dc15e1a7
SHA1: faf95ec65cde5bd833ce610bb8523363310ec4ad
SHA256: c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f
SHA512: 88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84
-
Filesize: 409KB
MD5: f56387639f201429fb31796b03251a92
SHA1: 23df943598a5e92615c42fc82e66387a73b960ff
SHA256: e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c
SHA512: 7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e
-
Filesize: 368KB
MD5: 990442d764ff1262c0b7be1e3088b6d3
SHA1: 0b161374074ef2acc101ed23204da00a0acaa86e
SHA256: 6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4
SHA512: af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4
-
Filesize: 439KB
MD5: 5ff1fca37c466d6723ec67be93b51442
SHA1: 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256: 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512: 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\plugins\imageformats\qgif.dll
Filesize: 45KB
MD5: 213734f42848f6cfb91b5d0f80a352dc
SHA1: 72060bb18421eba12591e923929bc70b200b26fa
SHA256: ed3a7867931a8c05d267a62522223ca78bd435d45af6dfde116e7eb72c2fde7c
SHA512: 913afbd6e950f61d038f81ff7f0f08986469ee11cd7202cc0598d9caa7a4200e9e8e5e23f0c5062e01a6ef908e92a52f35dcf60f1af77a075200e8db466df807
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\plugins\imageformats\qicns.dll
Filesize: 54KB
MD5: 4d1fcfe0e08da0bfd61ad27863f05a8f
SHA1: 51a9c2d12181b66f3f9fd9137a699a715df8d2fd
SHA256: b95d07323612b27e04a716a3894e46a723a457e8c0be37ee838573eaee1624ab
SHA512: 2251f8c7bdfa0ad6cda6d619f6df1cef76e8f317119ec4b495d0d98351e77e5f7c678f49f9c8c6eefadfee175304d00757689ff35f8c77693b2ea3435dac2aa9
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\plugins\imageformats\qico.dll
Filesize: 46KB
MD5: f463183ff33be64d8a61fc5d61b16064
SHA1: 5a2d6a62d293e8335d787c1e4681cca7e953b20a
SHA256: e4773864ec821c90ff7b2b6a081c4abd7b9fb10829b7e067521b0b18d4e75422
SHA512: 6576842034440b4329a6cc99e419913316e2bb869e20053238add0adf23eb9e35e32ec758c93dddc8162c64049690db177791c11ed7fbdd2ef4780c6be0dbf2c
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\plugins\imageformats\qjpeg.dll
Filesize: 258KB
MD5: 03e1249b16b47fd240283f44636f6087
SHA1: e0a02adeee91ff330891ed93428956f1fb90ef44
SHA256: f1b0528f0b43b798b78580363f19bb75e68347755ef84bbf313cbb1c9fa649b2
SHA512: 287a13ebcddb151cd37ec60b47c6f674730d1886ee53d4a864e62d23aca084d9b3a4e0b8eefc07b8e1aee2e40a6b7327602aa547f1afc63dc4b254abe14749f1
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\plugins\imageformats\qtga.dll
Filesize: 40KB
MD5: 82a65b1ce5a7041da64290b66a6a1c8c
SHA1: 577e7174b02182ada17328cbac3ac1d3605fc023
SHA256: 6da0850ed1f6d93e1d99cecc31153e8993b7b20d68308c248c71e9af4c061336
SHA512: bbc0fd32e8bdcac4d7f5fac77d9a4386be671b9d6c18d14ac6807e521a0f5192af91e106e0a3258653afbba625c09f79542f1fd7a1eaf97d9b5b98cbd2bb1084
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\plugins\imageformats\qtiff.dll
Filesize: 342KB
MD5: 058a1449a4656fe891bc589ea61434b1
SHA1: 8803afd1bb77e4804925610e6a94361a1e26c4d5
SHA256: fc271f33b879c7966564d04f698b7fd77d806e61107574d1240502e7c7666f26
SHA512: 91f43f8062095044ba41fea9fd4df490711f131437ee90a0354a629a7677c9c7fce84b1c1165e07a2b8c4e58beb1d66d953c1034923c986a2288553221761ca9
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\plugins\imageformats\qwbmp.dll
Filesize: 39KB
MD5: 43bc7f0b0b91676368db78d61e83edd3
SHA1: 628228c8c477f2e6e8d6f2f9dd8cc72b894d5fe6
SHA256: fe95bdae47201a7788c2cb18042c7eafa0041fb6ce6b2ea7e7d5ffd656086583
SHA512: 11e847fe59e28bdbf7448846b88578f5b0a1d6b1d7c11a80271d833ad540991d83cc1b89c2b5bfaf9b5dfa68dae538233575fac3b6f1cd5f09398b400b421872
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\plugins\imageformats\qwebp.dll
Filesize: 412KB
MD5: a23c6a3494e296a521a08dd2d676eb3c
SHA1: 260ccb3b2f454bda853d003e3b71fb0789858873
SHA256: e58be278a435f44bf10e13d81fba5349d0f5ea224701c91f992276bcea173856
SHA512: a99eea4b72d20e34c37e0c7971f6e467b2421ff99f059c46f76d961093eea27d031edbd907ed2a99bc9ddaea9ec5b0980871b4a018284c3c324e59c00491b11f
-
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\plugins\platforms\qwindows.dll
Filesize: 1.1MB
MD5: 869b64be13907d16f8108d4e46eb1ae4
SHA1: abf528676719f69a4d2f85147dc683d1c9bb606a
SHA256: 93debc8c092905993932b16f165e0b959639920d0af6156a64b9c947784fbe73
SHA512: cbd294354d5f84103b7c2f31cca6ee7f390c7852266478fb790cdd2448b1a563ddc6fcf7e351b4b28c3f5e23a52a442064ed75409f076752d0d94f133c9d7e96
-
Filesize: 78KB
MD5: a37ee36b536409056a86f50e67777dd7
SHA1: 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256: 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512: 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356
-
C:\Users\Admin\AppData\Local\Temp\{7ad03a33-0598-4978-a936-424b3ba91949}\994d5369-33b7-4a78-9fc7-d8cd79eac999.cmd
Filesize: 695B
MD5: 6b3538766a7c15bccc6673262f957740
SHA1: 21b9ecd4e5595c8dd717c126d09aad5f6ce41705
SHA256: f6dc6dfaa707c30d471769e770cda52b8fc067363b1cf8393553eda6b0f88db6
SHA512: 07ebfba71e48aa1411120230168e2a5bfbb1bba0f5f69707644cb0d32f276d092ac6f70577c07105e35f542127c3f93b6235fdefd141123d397282c6b26e0567
-
Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize: 350KB
MD5: 5ea5aa37289ae16948dc771223f94160
SHA1: 640392a0d01521cb0e4485d5641f74e64e1f38aa
SHA256: 4b1fd5753737f72f2b8cb0fb299c6c0e3857df69dc19931351d9784f52f307b3
SHA512: 2721db2afd55f6abbe54b5865cb41f72216a52cddb6d07721cf0bd1b76fe58b47540467ce9b503ab56e4c614765c18f559b17d73479a4f5a0fae8f6093772455
-
Filesize: 179KB
MD5: ed6cd641a02baf78ecbe069e0b18b3b0
SHA1: cc4d47d1d0fcd3deb841f58923ac309f3be42081
SHA256: 66e7b89188e292d0abce941fcb2469e515e2a1bdbe07ad9868a34feb5f47005d
SHA512: cb945fa49683b92841a7a915c73eb11b00fbceee8715a166d256cab0971dc4b4d8b2c7ad3c96e4efb73a7ea9c43ef6bfc9ff3acaffdc08df40b00048ea903abb
-
Filesize: 259KB
MD5: 124a94969ce6660453ccd66e40ecdbb0
SHA1: 46f7ad59b93bc1b78f76fc973ce728c7951352aa
SHA256: 5938747dbf6aea335fdf9131fc912452cee781dff8be61750a9b2ef384b5f835
SHA512: 3b25bc9eead7f09350c81bca4eb1a11c5332b128918802385d15fb35d017bf2a5eef64966c3e6bb74d4450d794327a1a81c0521dda8b742fda17c0bcc50079e0
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
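The listing above is the sandbox's dropped-file table as it came out of extraction: hash labels fused to their values, some Filesize and MD5 fields split across two lines, and several entries whose path was lost. Two details in it are worth checking mechanically rather than by eye. The Bases\Cache filenames embed the file's own MD5 (arkmon.kdl.ffa97045d8465e2172bb1d40a8621d1e_0 is listed with MD5 ffa97045d8465e2172bb1d40a8621d1e), which gives a cheap consistency check, and the final entry's digests (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c442...) are the well-known digests of zero bytes, so that drop was an empty file. The Python below is an added example, not part of this report or of the vendor's tooling; the helper names are the example's own, and SAMPLE_REPORT holds three entries copied from this page in the raw fused shape. It parses both the fused and the labelled form, disambiguates SHA1/SHA256/SHA512 by length rather than by prefix (a SHA1 that happens to begin with "256" would otherwise be mislabelled), runs the two checks just described, and recomputes digests over supplied bytes so a recovered file can be matched against its record.

```python
"""Parse a sandbox 'dropped files' hash listing and run integrity checks on it.
Added example; helper names are the example's own, not the sandbox's or vendor's API."""
import hashlib
import re
from typing import Any, Dict, List, Optional

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
_HEX = re.compile(r"[0-9a-fA-F]+")

# Constructed sample: three entries copied verbatim from this report in the fused
# "label+value" shape the extraction produced, including a split "Filesize" line
# and a final entry whose digests are those of zero bytes (an empty file).
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\{1493dd12-d486-4ba5-82c8-80a1195a365c}\Bases\Cache\arkmon.kdl.ffa97045d8465e2172bb1d40a8621d1e_0
Filesize448KB
MD5ffa97045d8465e2172bb1d40a8621d1e
SHA12805422d402810eb5c44d3c522e763eac8e944b2
SHA256a23155cddf6a696f403d6299edcbbc77a029a35c7fa65fb0ccdcd4d5bd2c93a0
SHA512dbe1d9afe191c2cbea9d5e0b434f908bb802cefd7937a2054565bb28b6defb43bfb6ad76310535832eae5e3187bd19f6d92c38f21a97bb35e1f29d9d8f35f162
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

def classify_digest(line: str) -> Optional[tuple]:
    """Split a fused 'LABEL<hex>' line into (alg, hex).
    SHA1/SHA256/SHA512 all start with 'SHA' and a SHA1 digest may itself begin with
    '256' or '512', so the remainder's total length (1+40, 3+64, 3+128) decides."""
    if line.startswith("MD5"):
        rest = line[3:]
        return ("md5", rest) if len(rest) == HEX_LEN["md5"] and _HEX.fullmatch(rest) else None
    if line.startswith("SHA"):
        rest = line[3:]
        for alg, tag in (("sha1", "1"), ("sha256", "256"), ("sha512", "512")):
            digest = rest[len(tag):]
            if rest.startswith(tag) and len(digest) == HEX_LEN[alg] and _HEX.fullmatch(digest):
                return (alg, digest)
    return None

def parse_report(text: str) -> List[Dict[str, Any]]:
    """Entries are separated by a lone '-' line. Accepts 'MD5<hex>', 'MD5: <hex>',
    and a label alone on one line with its value on the next."""
    records: List[Dict[str, Any]] = []
    for chunk in text.strip().split("\n-\n"):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if not lines:
            continue
        rec: Dict[str, Any] = {"path": None, "size": None, "errors": []}
        rec.update({alg: None for alg in HEX_LEN})
        pending = None
        for line in lines:
            line = re.sub(r"^(Filesize|MD5|SHA\d+)\s*:?\s*", r"\1", line)  # fuse 'LABEL: v'
            if line in LABELS:              # label alone; the value is on the next line
                pending = line
                continue
            if pending:
                line, pending = pending + line, None
            if re.match(r"^[A-Za-z]:\\|^\\", line):
                rec["path"] = line
            elif line.startswith("Filesize"):
                rec["size"] = line[len("Filesize"):]
            else:
                parsed = classify_digest(line)
                if parsed:
                    rec[parsed[0]] = parsed[1].lower()
                else:
                    rec["errors"].append(line)  # keep malformed lines visible, never drop them
        records.append(rec)
    return records

def is_empty_input_digest(rec: Dict[str, Any]) -> bool:
    """True when every digest present is the digest of zero bytes (an empty file)."""
    present = [alg for alg in HEX_LEN if rec[alg]]
    return bool(present) and all(
        rec[alg] == hashlib.new(alg, b"").hexdigest() for alg in present)

def filename_md5_matches(rec: Dict[str, Any]) -> Optional[bool]:
    """Bases\\Cache names carry the file's MD5 ('<name>.<md5>_<n>'); None if no name to compare."""
    if not rec["path"] or not rec["md5"]:
        return None
    m = re.search(r"\.([0-9a-fA-F]{32})_\d+$", rec["path"].rsplit("\\", 1)[-1])
    return None if m is None else m.group(1).lower() == rec["md5"]

def verify_bytes(data: bytes, rec: Dict[str, Any]) -> Dict[str, bool]:
    """Recompute every digest the record carries over `data` and compare."""
    return {alg: hashlib.new(alg, data).hexdigest() == rec[alg]
            for alg in HEX_LEN if rec[alg]}

if __name__ == "__main__":
    for rec in parse_report(SAMPLE_REPORT):
        print(rec["path"] or "(path not recorded)", rec["size"],
              "name-md5:", filename_md5_matches(rec),
              "empty-input:", is_empty_input_digest(rec), "errors:", rec["errors"])
```

To match a file pulled from the sandbox against its record, read it with open(path, "rb").read() and pass the bytes to verify_bytes; a record whose filename_md5_matches returns False, or whose errors list is non-empty, is one the extraction mangled and should be re-read from the original report rather than trusted as an IOC.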