zloader | 2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497

Resubmissions

01-12-2024 00:29

241201-as8kssvmek 7

01-12-2024 00:19

30-11-2024 15:39

30-11-2024 15:34

07-10-2024 06:29

Analysis

max time kernel
174s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
Size

5.1MB
MD5

6ee7ac1240012848440758195631f74c
SHA1

45a42a492d9d02cc3457a404377c73c69c219e92
SHA256

2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497
SHA512

e5af0638e0a44e076432ea0af9c814b3a7e2a65c4acf185a5e836ee12a317895706bf4d32ae66af829fd6bb8aac0ba3ddbd650d0a1482dcf189d930e666d0525
SSDEEP

98304:fn3Y5tIFveFoHkXrloeemyJF2yg2YsB32cgOSyj0sn1zf1x3KEkKyawM58iawWHk:fn3HJeFMkblFByfg2L32q/ndNx9kRM9P

Score

10^/10

zloader botnet discovery persistence trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	desktopcal.exe

Executes dropped EXE 5 IoCs

pid	Process
4936	desktopcal.exe
5108	desktopcal.exe
3060	desktopcal.exe
540	dkupdate.exe
464	dkdockhost.exe

Loads dropped DLL 64 IoCs

pid	Process
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
4936	desktopcal.exe
4936	desktopcal.exe
4936	desktopcal.exe
4936	desktopcal.exe
4936	desktopcal.exe
4936	desktopcal.exe
4936	desktopcal.exe
4936	desktopcal.exe
4936	desktopcal.exe
4936	desktopcal.exe
4936	desktopcal.exe
4936	desktopcal.exe
4936	desktopcal.exe
4936	desktopcal.exe
4936	desktopcal.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
5108	desktopcal.exe
5108	desktopcal.exe
5108	desktopcal.exe
5108	desktopcal.exe
5108	desktopcal.exe
5108	desktopcal.exe
5108	desktopcal.exe
5108	desktopcal.exe
5108	desktopcal.exe
5108	desktopcal.exe
5108	desktopcal.exe
5108	desktopcal.exe
5108	desktopcal.exe
5108	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DesktopCal = "C:\\Users\\Admin\\AppData\\Roaming\\CalendarTask\\desktopcal.exe"	desktopcal.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
62	raw.githubusercontent.com
63	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	desktopcal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	desktopcal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	desktopcal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dkupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\desktopcal.exe = "11001"	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dkwebctrl.exe = "11001"	desktopcal.exe

Modifies registry class 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	desktopcal.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	desktopcal.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	desktopcal.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	desktopcal.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	desktopcal.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2"	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	desktopcal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	desktopcal.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	desktopcal.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	desktopcal.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	desktopcal.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	desktopcal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	desktopcal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	desktopcal.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	desktopcal.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	desktopcal.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	desktopcal.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	desktopcal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	desktopcal.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	desktopcal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	desktopcal.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2176	EXCEL.EXE
4788	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
3060	desktopcal.exe
3060	desktopcal.exe
3268	msedge.exe
3268	msedge.exe
2236	msedge.exe
2236	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
464	dkdockhost.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
3060	desktopcal.exe
2176	EXCEL.EXE
2176	EXCEL.EXE
4788	EXCEL.EXE
4788	EXCEL.EXE
3060	desktopcal.exe
3060	desktopcal.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 4936	2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	91
PID 2688 wrote to memory of 4936	2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	91
PID 2688 wrote to memory of 4936	2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	91
PID 2688 wrote to memory of 5108	2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	92
PID 2688 wrote to memory of 5108	2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	92
PID 2688 wrote to memory of 5108	2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	92
PID 2688 wrote to memory of 3060	2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	93
PID 2688 wrote to memory of 3060	2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	93
PID 2688 wrote to memory of 3060	2688	2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe	93
PID 3060 wrote to memory of 540	3060	desktopcal.exe	94
PID 3060 wrote to memory of 540	3060	desktopcal.exe	94
PID 3060 wrote to memory of 540	3060	desktopcal.exe	94
PID 3060 wrote to memory of 464	3060	desktopcal.exe	96
PID 3060 wrote to memory of 464	3060	desktopcal.exe	96
PID 3060 wrote to memory of 2796	3060	desktopcal.exe	100
PID 3060 wrote to memory of 2796	3060	desktopcal.exe	100
PID 3060 wrote to memory of 3932	3060	desktopcal.exe	119
PID 3060 wrote to memory of 3932	3060	desktopcal.exe	119
PID 3932 wrote to memory of 3068	3932	msedge.exe	120
PID 3932 wrote to memory of 3068	3932	msedge.exe	120
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 3104	3932	msedge.exe	121
PID 3932 wrote to memory of 2236	3932	msedge.exe	122
PID 3932 wrote to memory of 2236	3932	msedge.exe	122
PID 3932 wrote to memory of 380	3932	msedge.exe	123
PID 3932 wrote to memory of 380	3932	msedge.exe	123

C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe
"C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe
  "C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe" -savelang.cht
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4936
- C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe
  "C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe" -savestart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5108
- C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe
  C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Roaming\CalendarTask\dkupdate.exe
    C:\Users\Admin\AppData\Roaming\CalendarTask\dkupdate.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:540
- - C:\Users\Admin\AppData\Roaming\CalendarTask\dkdockhost.exe
    "C:\Users\Admin\AppData\Roaming\CalendarTask\dkdockhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://service1.xdiarys.com/api/jump/cht/1012
    3⤵
    - Enumerates system info in registry
    PID:2796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8841246f8,0x7ff884124708,0x7ff884124718
      4⤵
      PID:220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4744148856478316120,8984590678950055598,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2
      4⤵
      PID:884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4744148856478316120,8984590678950055598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,4744148856478316120,8984590678950055598,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
      4⤵
      PID:5008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4744148856478316120,8984590678950055598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
      4⤵
      PID:2940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4744148856478316120,8984590678950055598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      4⤵
      PID:1908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4744148856478316120,8984590678950055598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
      4⤵
      PID:4348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://service1.xdiarys.com/api/jump/cht/1011
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8841246f8,0x7ff884124708,0x7ff884124718
      4⤵
      PID:3068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,18443914297251750076,11872391274916672624,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:3104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,18443914297251750076,11872391274916672624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,18443914297251750076,11872391274916672624,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
      4⤵
      PID:380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18443914297251750076,11872391274916672624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:4720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18443914297251750076,11872391274916672624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      PID:2460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18443914297251750076,11872391274916672624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
      4⤵
      PID:628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1164

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:3580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\calendar-20241007-06.txt
1⤵
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
26558248d658c2af71a1b3899dc173fe

SHA1
f2d223b26e231a293cece8d7d821b3d402f30d05

SHA256
1ec18c3910dda2ca6601fbbd0d3ad68258bc48cf886f7d235aa4572d09893c60

SHA512
42cd4135200b10df191429e81a25bd8306429deffa1fac3057a0a570e327ddfaa8b184f07ba664e6895be173f4d081bcdf455a3ac972c4bd6c8062b6a8246c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
b94d575e9f18a27ec38d3da9fb21d599

SHA1
2b4a17964c87fab80a65e197696c290e7861307f

SHA256
a817495e3c97da298e98a2a229b0f251e3a7c0a191c4a71da2ec33431cfa8b50

SHA512
05f93bab079efae9912df69c34e85341d269740062defbb314c8980f9d7f9015713203d3604eecda9bde882ca94d74fff4aa198cf3682f0577a8209d0cc9e88c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
183B

MD5
81b55313d02c3480b15c0103329a548e

SHA1
3a6160819200af8d9fee39fa91acbc7706a10c3c

SHA256
0bdaf834591bf1947eebbcd94e6db080d50d3920af7a79259db62824387a1bbe

SHA512
1b0fd0f73bfafbbb2f75ddc86e8e3afb6c0edcc75cf1268f68382c79aa76375af67552ee5a7bf459e4a1b975801d8ffdbbc52a30a3eefb51a4f63adce1af6133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
258B

MD5
31e55e0c20398000037ab41230ff5360

SHA1
72078a9f97a6aabad2fd87cbc408f1d728f25457

SHA256
9c3d01a7b07e9222582e2d56ff0ca0f3d66e8c586df33e23cae369b04ff104f8

SHA512
9746787af97e4f4ec6f13568c68c670b006db823d9c588500b0318e214de79571193a3a9ad4e1cf34b1d36b4997c437c83a0d3f2f9a404ab4b606359248f9677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b0d5406f51109b217f61912df65275fa

SHA1
bc2b889fed108ff9417ad2e4f32cd7e7d78999f6

SHA256
13716670a8caf53f19f3a161b513355eca5e0b8be383f5a4fc67b9a6916f5d29

SHA512
f7a7308d2561a0994592d9dc8414d95fd2196d169fa6cb7aa3fd4c86e11ea6555f2de2f4cc790d89aec3458deb0f93d4f53d864f2fe9421382194717740f9de5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
64750484fd90cc319a5affbaa5ea754a

SHA1
6a21f1da3356a0cdb0924feb4bbb1e3e56996a26

SHA256
d024b6f9f11e2e0130c7165bca7b9e93be75f89cda84dd79256a0a7aa598526a

SHA512
18f8dd9ee18324b32e92842b50d5ce7bbdb8660acfe5702d612df529e14fcbd0162c132ee427cfba9b4312dcc7cf0c992eba03d9d0a177f79aa69d25963a6e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dad4dc62cb604edd6c5c90edb8a67a47

SHA1
0418de45f62d35497ae29ac53df5285dcbd20e5e

SHA256
a459f5976bbf39cb1ecc5f10dde3dacd8a4ac05cac989afbf45e3a2aefcd2b77

SHA512
9b3567e79d4d9dbdd4a19906ee9f183d5dff04174eaa663281f6966ec1cbb046364d19ed1dd1ccd91f63e3685d1772c5cb6c6599815b5c03a57945eeb192be53

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_background.png

Filesize
5KB

MD5
7f10e2778be436731dd8491d492f5207

SHA1
de7da03d5b3c710382d21c0956d8df5c36326cef

SHA256
a0586fe99c9e0d1e94fbdc4173015dbc28735684813f50aed517af8cf61bffe0

SHA512
4e62d720eb039d2a15811226ed94814e106079facfa37e0ca244e2402b26274d13384f65c1ada643f3708bde61c8ca26fcf0a21d8265b42d9fccb177b027d1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_bottom.png

Filesize
708B

MD5
0f07fe3eec21fcdc8bf97bd865c6500b

SHA1
56da55b18d81d57a8d33c8514f0cd81789dd989a

SHA256
6f8cc3644f2095b33cbd5c31c4870d15ef04c9c7be0126e4e66d40e888eb964d

SHA512
701f8aa4bc18acb838d8997e94ee3c0df92af1c5dc7a41795b043119d1c4c6f278612d83ece496c6066192854d1da0477b0037fc7728263fa9b2bd3600b7f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_close.png

Filesize
712B

MD5
e7a889b50ae9afefa73045ba670db165

SHA1
71202f829dfdea761fca99a6c1d7f76c2cd5a412

SHA256
2a9def0150983b2d7176b61146dd57d05a44e0f4452ac0574e309542f3d9782b

SHA512
12110fa84bd2282b4b805ee8c0958fbd73344c110a1ec8349a00155636453bfab3296a3f8fc07391ac72e9f45df47cae29c391e53448afc70bcb3344a4ce3584

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_onkeybutton.png

Filesize
903B

MD5
f49b9fcf13339ed99722f9976ce0f32d

SHA1
c9207f7626b923528c1acaf36390875718e2246d

SHA256
aa24761f9fa2596c6c51fc81adfce41424f1f8f8e7a0047653a62fc8137f3e6f

SHA512
07bee7f88af4ba24f772a401e6982f7bad85eada263ae04962cc205ac88cfb1a6672fd87e83eb3f650d12665d4cb387811a960217a1f3d5fe0f5ade84b78af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_onlangbutton.png

Filesize
1KB

MD5
3a9674dbcf2f39809a5e118a3a512409

SHA1
3c624d1a3cea4dcc2db45ecb6dead387844f8655

SHA256
2be27ce3398d5f58504524f580c948f89712ff1de89a99b54706c0e0c93bff45

SHA512
f436d2cae388a9c82e8baa32a2d6184d656fbf94142e5b66ec4aec68e35b8bad2f3163ef0b228f84adeccf88b6ff49a476de277a6bca32c71d1320da9a68fa84

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_progress_background.png

Filesize
2KB

MD5
348f6de2fbc51323084ac4ba3c9d2002

SHA1
0edb2b6876c0301c4d8a68ae290ba78445c0c484

SHA256
c43168daa882b6715028d6fd6d69272def885fa13b94836b730bec3faf6854af

SHA512
8f6754d47034e29fcc8900331c4bd068e5eefbd447e261503bd248b2a2140a6990610a8ecff6e1ce88538cb9031463ca98783de2fa40b6e7eacab3dcca3daf9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_progress_bar_bk.png

Filesize
131B

MD5
5017b8b0edc93fbca26cb412262ac6ec

SHA1
5796a012a5a1671cee4e4b0cfb062a837070c42b

SHA256
0a9286dba766de0eabd58e9bfb489782c64db16bfb3f978e94e5990e58ca09c8

SHA512
1435ba51ff93ace1aa84d45160bfba309752be660d6e1fc017f75651a51f5e39939bba6de47ed7eea5b40cb2fa10d1b236716932f8151c8bdc0600ba0167b110

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_progress_bar_go.png

Filesize
129B

MD5
0a535097bf2375674264d93db75b7c87

SHA1
ad5eca6f2ce9331508d69f54e24c6f508d079315

SHA256
2d0a117f54a5df5cbd75620bfa70fcafc098dbbf882f1fda2c6af73fa483c8ad

SHA512
912c79e1440e49e2f551828878191fb6c419cf082570e961f8dc5dc1860318541d9d470e990853e49b31c745a19034b90bf5cb4591730a89582dd5a48f0ba8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_progress_bottom.png

Filesize
366B

MD5
a6af35e0db291dc9505e9438f9e97ce9

SHA1
cc321c583c01971c7af5e814a432c7c4f8d7132b

SHA256
e540880ade05d1826d5d6610a348e74b05e181d0330687bbdd039dc0ee4a6faa

SHA512
b5f5f30e8a7f8ae88866845b2266a68083314d5366af9f032cdcde366a70978795135da8c8734db3b20f84edf70bbddd0e88efe6c77db39e505a6a7819ff25a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_skin.txt

Filesize
170KB

MD5
00c6dbb5b70e4054d84b14bf6a4660c2

SHA1
2d2475848e4316c790134aa124aa7156c0ec7b2e

SHA256
4049ea8f4bdfcd260be37254b6ff5573ba05fa96610c43754def662cea8d6b39

SHA512
b57873b895948b80b57d8a0a841e7301b18c0028aa587d86dd8eb5d208ae7bf79d64af25e4019ceb551cf079602edcb7a2a0eef539b3aae54c30a99c628d63dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkc_title.png

Filesize
375B

MD5
c36c136fcc7e375532f35078b3fb80ee

SHA1
0cf9ffb2d7fdea950e69e4b934982ba55bca8822

SHA256
1871548bca7e034c4022ee1041f0ebe1e215adb82a6a9566bcbfd0e57bc6e125

SHA512
3bd72b5f8279cf9a36a8bffe90781a1cab3160a932b82416d136d2de12b6de7c95e332cea2a76c5d1ee035704f483d835ef3b0b8617f84e5dafd36b4afff561e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkcuninstall.dll

Filesize
109KB

MD5
826fe2f255324f7ab00cc90d3f0747b6

SHA1
c7056ee14d12423422376fe950753ac599f5a6ca

SHA256
54d3b13339ab132e4d2a61ae5a272deb0aca8d9108ff19a9831f6c73da3fd289

SHA512
e4352cd497c8bc72cdadb6fe02e24a687d7e4989455e208d9bc437f9ef64f370fb8231fb749189e736a7a7146b54ed0c721f548bf000cbd4fb36b3426ae8b90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBC3D.tmp\LangDLL.dll

Filesize
5KB

MD5
410a586735f45164c86bda363ad8446f

SHA1
a68d18a8c72ffaa8f8d9ed9f76ea9b0ed397821b

SHA256
b15b1fc88d1b56088b2d3738d76772a91fa186a316a3e0a154358820d0fb9005

SHA512
d12083f67df132b2be57c202601a0cf82dba4c234910e780d2723aac14ae68407b824405b04737b55104bc97750550a3271a944d647661b067ce134075e6cc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBC3D.tmp\Processes.dll

Filesize
49KB

MD5
138869ba3c86d7546f8c24e424dcd114

SHA1
db7f3227a7671ac9fb2fd017eca10e390cae2a8c

SHA256
71630aea3eef367f9a88bafb6ad3511a3bc7dcc4995e9eb84b09f8f777b22d65

SHA512
85a94b8fc6e0497a21a4d982e62405725b4d18a0a3c65f5f58b40e93bedd8bea5103f6ac9baff7bd3c93d4f08e0eb24f2c4e0e24dc346c231b87deeb725e1230

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBC3D.tmp\SimpleFC.dll

Filesize
175KB

MD5
d38543fc9ae37d188a23e06ee11d3504

SHA1
174fe778f66db4a527fddf21b1c23e1bc1ceceeb

SHA256
72f33da081b8d579f437e7aa2ba8d9cb9602270b88093ff9411ac6316b52fc6e

SHA512
43d1874e5821d8e5530eaa34d42b76aa867528368779fadcfd2691825297accf04e94bd34867442a76c25d4729edefba9469de6500acfe6f665949f11878c54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBC3D.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBC3D.tmp\nsSkinEngine.dll

Filesize
519KB

MD5
eab7fd287509faec84e23cbdc1a709a8

SHA1
b6d659af538f7d57bd679e8c7626d470392c4429

SHA256
9702f538888f45fca67a1e2c2d7aa46fe42010c1aed5b0f34a51f989347ed9f0

SHA512
701f089f55bba49e0a9ba906fafce581693ccc99d445265ec1ea3794a4b5044f1011d90a9214c60dc0ed6be48f4fc4e9882ba07136268f7ebb0156e0b206d15d

Download Submit
C:\Users\Admin\AppData\Roaming\CALEND~1\update\xdiarys-setup-v3.cab

Filesize
5.1MB

MD5
7bcbfa07f003d13fbc4903febddf8d85

SHA1
c9df17230bc7b37a8adc7873c5698c538933cfe1

SHA256
550b788711ce22954579543c52454c162016018540b19e95ac4276f7dee70be5

SHA512
7464641cee58050983aa19ec2495c8f94da30b5b4d99b608bae56f98194e2b0a0b1df82cba958ef686413a65380ec4359188dee6410cb7c31f61a346ed0e474e

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\ATL80.DLL

Filesize
95KB

MD5
3e9a33113d663d8bd5ed38858e669652

SHA1
1292dc7ffc35a1ef2b761672361bcffa7483169e

SHA256
63e1985a37d5993d170373bc28d067c13c1541ca2b63968b82e35eaacd927b49

SHA512
a2dcd0d5db662653d3085d2ab39e8697b25e096fd2093e3f5ca2edb3087356814adb9f99e490dc95293198e05551a3ddbb3fa2918b8ed5f76d84a22268bfbe7a

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\MSVCP80.dll

Filesize
541KB

MD5
8c53ccd787c381cd535d8dcca12584d8

SHA1
bc7ce60270a58450596aa3e3e5d0a99f731333d9

SHA256
384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528

SHA512
e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\MSVCR80.dll

Filesize
617KB

MD5
1169436ee42f860c7db37a4692b38f0e

SHA1
4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3

SHA256
9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46

SHA512
e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe

Filesize
697KB

MD5
ba7c2285afc82949168424d8858376e4

SHA1
1564cdddd14640ec820bc04a64c3a632d0ffb167

SHA256
ab224dbb3b114cca10fc923436cd42808687b4cf7c2863c806c22f49a8628411

SHA512
cbf6e84e2d01f2920d352be8ec202c41753884813e75428bdde434107b7910cda7043f491e28cbffc7bc6409db8ce8310c5a4379f1c6e7f10f864906288c21a2

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\dkbase.dll

Filesize
801KB

MD5
d20804a5475463e243a8166b98e008d3

SHA1
8e04961fc03159f5e378b8de6c4db170172a35fd

SHA256
69916fe86baf461a8ad756283312bf1135c89747f341c995618b7f363eb49446

SHA512
2a0eb2f1aed74bfd75de3bfe87e716f1bc20a12cb059e61306cc3d330eeaf79caab6592e978eec57a348a42be2e6775e894b4a20bb3b0da3867dc7e275932944

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\dkcore.dll

Filesize
444KB

MD5
3a5849e599fb7b72a5cd8b2cec35e394

SHA1
5f73010ef0ac585b1fee44c120c3b3f6627f9689

SHA256
8af997f6c3589fb09b3b9c8651bd9631818ff39d064a1a0bfee005538aca7754

SHA512
6e8c343f61006949b75853175bb527c04d360f023eba3c6a369c97dd1bc7703f0afe70ac32447675a9759715c25ac935ba55f26c3bd383f027f25256b6edc5c8

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\dkctrl.dll

Filesize
1005KB

MD5
f5621e1becdb5cd4dba2dc83054544d3

SHA1
bb5f4313456e0afcec4a516484e1700282f22499

SHA256
ef618545cd37507b72788427f4cab4249725d231a4a873e1ca404e30fb007c17

SHA512
bcb8add217e7c6ccf35bae3afc1edb435c5f4d3b246aacdbe1573005ce92e58d13366dc810916f517d8c8271a6581223a896b854c5d89c1e512b321b5b30d420

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\dkui.dll

Filesize
1012KB

MD5
474aef5811effbd9abc306925a2834b1

SHA1
3522629070ff4d0806c1e2b891ce2ecb54fb3a48

SHA256
2d9281bc4e842cc4e4afacf74c118f8d8c5a2197f3254454b00ba3d7baead001

SHA512
a9f2a960e0c31eae983caecd3f6941ce23515ef5bab42c4b4148158b07a02a8cebd0548721f44e8eb7cd83d3760e3dadc90e02f721ec5dbefc8bea4acc097e8c

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\libcurl.dll

Filesize
482KB

MD5
b1f4e12129881373bd2017ba6fd1e50b

SHA1
530006812211677e593d87b12f808a3070a76468

SHA256
f11d86d65ebd3406cd876e96aaea7f1a0b316efb5887baf3625556e247621cfd

SHA512
c5923a17b5444e3a5543359547d4089d0c3d2d4be11e8d48ebace13b204f8c1edcb439507c5f874de26c6907c89a1ab8cae9fe0b83087b8aaf53441bc0a9031a

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\lua51.dll

Filesize
136KB

MD5
590d9c36dfad77891d55165b27b6b048

SHA1
8b28a217188139d208a7a882e18a7b103f2e51df

SHA256
198b37482d8c1be56bf80b0b55d3d33b63e0868fe39908a82e0ff56bf5ad9d6b

SHA512
e45a0c3d6a18927ba095b014335d72e5b2545a74d3c9c8ac8608590687d8a4272b7aa14248cd3cf2a46a81dc7ee21352b6ccca87834c1cd4de70e892954ccc50

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\sqlite3.dll

Filesize
552KB

MD5
fc7db46484442ed0deb46f93f58cf573

SHA1
5195565f5e753fba6a077fa92d608e5dc57abaab

SHA256
4f9a4eeecf20a98a38117d3ef334c8a8270f8bcbeb07bf0d1a86b56fe5a53aea

SHA512
fe9bae58dd480b9bbf9b98902f8901a71fb43c9c1da5ffdd93fd08e4ec1c63894c11de58fdfa69a8122639870ea1c3b9672b584ee646c36b8d241d740a1a2cb2

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\update\updateinfo.xml

Filesize
194B

MD5
28208d865fb29be13da561752df9f0b5

SHA1
7af33c1d8b70f18c84ffcd720bb8e86506511445

SHA256
81c88666b778ab70df3da511274238d916415057c5b3ff4b7769914f881ff5a7

SHA512
56ab196a5340a73d4a673da9864332fb9ffcf59a3efcb479fcdc84d8b5f0ab28bfb18267101c7994f0e95e8e045b757e356f204c89880100600b5d821b072905

Download Submit
C:\Users\Admin\AppData\Roaming\CalendarTask\update\xdiarys-setup-v3.cab.ini

Filesize
21B

MD5
fef07f5b504942b226a09fbdaa959da6

SHA1
42871283083cb8656a56babd402cf9df92992ee8

SHA256
c84bb8cd2d0acd1245f76da33d9c01895187318b9df0f6577d1702ae2aece52f

SHA512
d6039249a13e1adfe9d28c0eb81274d33b838e9a9390dc563a4c0e885c0262a72e83a8b74d503362a1527e97f8f4c4257bb22e585cc0131d264aeda01f8f8501

Download Submit
\??\c:\users\admin\appdata\roaming\calendartask\resource.zip

Filesize
79KB

MD5
ac637a3a9ff6c74375edaa0ac0a20180

SHA1
aabc500757a8afcecf44d7ac0853d3943058d51f

SHA256
2f8fb59ba5fde76041bc4293683a2c21b234289090c78c7af30a85c1463b3538

SHA512
8f99b28925f48c50fa095b24c125964ee8d900db645d72d88506f6026c45e06e9d6e942425ab10dd3e9737a7d973ada6bf2551849d1eb7d679aa07fcc06e75a8

Download Submit
memory/540-396-0x0000000002AC0000-0x0000000002B87000-memory.dmp

Filesize
796KB

Download
memory/540-389-0x0000000002890000-0x00000000028B2000-memory.dmp

Filesize
136KB

Download
memory/540-387-0x0000000002790000-0x000000000288E000-memory.dmp

Filesize
1016KB

Download
memory/540-706-0x0000000060900000-0x0000000060979000-memory.dmp

Filesize
484KB

Download
memory/2176-738-0x00007FF852510000-0x00007FF852520000-memory.dmp

Filesize
64KB

Download
memory/2176-744-0x00007FF84FE90000-0x00007FF84FEA0000-memory.dmp

Filesize
64KB

Download
memory/2176-743-0x00007FF84FE90000-0x00007FF84FEA0000-memory.dmp

Filesize
64KB

Download
memory/2176-742-0x00007FF852510000-0x00007FF852520000-memory.dmp

Filesize
64KB

Download
memory/2176-741-0x00007FF852510000-0x00007FF852520000-memory.dmp

Filesize
64KB

Download
memory/2176-740-0x00007FF852510000-0x00007FF852520000-memory.dmp

Filesize
64KB

Download
memory/2176-739-0x00007FF852510000-0x00007FF852520000-memory.dmp

Filesize
64KB

Download
memory/2688-144-0x0000000005B60000-0x0000000005B7B000-memory.dmp

Filesize
108KB

Download
memory/2688-119-0x0000000005B60000-0x0000000005B71000-memory.dmp

Filesize
68KB

Download
memory/2688-39-0x0000000002440000-0x00000000024C7000-memory.dmp

Filesize
540KB

Download
memory/2688-10-0x0000000002420000-0x000000000243B000-memory.dmp

Filesize
108KB

Download
memory/2688-301-0x0000000005CC0000-0x0000000005CF0000-memory.dmp

Filesize
192KB

Download
memory/3060-398-0x0000000003980000-0x0000000003C63000-memory.dmp

Filesize
2.9MB

Download
memory/3060-363-0x00000000004F0000-0x0000000000512000-memory.dmp

Filesize
136KB

Download
memory/3060-370-0x0000000002A40000-0x0000000002B39000-memory.dmp

Filesize
996KB

Download
memory/3060-378-0x00000000026C0000-0x0000000002787000-memory.dmp

Filesize
796KB

Download
memory/3060-425-0x0000000004770000-0x000000000479F000-memory.dmp

Filesize
188KB

Download
memory/3060-361-0x00000000008B0000-0x00000000009AE000-memory.dmp

Filesize
1016KB

Download
memory/3060-713-0x0000000060900000-0x0000000060979000-memory.dmp

Filesize
484KB

Download
memory/3060-707-0x0000000060900000-0x0000000060979000-memory.dmp

Filesize
484KB

Download
memory/4936-287-0x0000000000940000-0x0000000000A3E000-memory.dmp

Filesize
1016KB

Download
memory/4936-252-0x0000000000940000-0x0000000000A3E000-memory.dmp

Filesize
1016KB

Download
memory/4936-247-0x0000000002C20000-0x0000000002CE7000-memory.dmp

Filesize
796KB

Download
memory/4936-286-0x0000000060900000-0x0000000060979000-memory.dmp

Filesize
484KB

Download
memory/4936-237-0x000000000099A000-0x000000000099B000-memory.dmp

Filesize
4KB

Download
memory/4936-225-0x0000000000940000-0x0000000000A3E000-memory.dmp

Filesize
1016KB

Download
memory/4936-242-0x0000000002A30000-0x0000000002B29000-memory.dmp

Filesize
996KB

Download
memory/4936-230-0x0000000000A40000-0x0000000000A62000-memory.dmp

Filesize
136KB

Download
memory/4936-238-0x0000000000940000-0x0000000000A3E000-memory.dmp

Filesize
1016KB

Download
memory/5108-345-0x0000000002BD0000-0x0000000002C97000-memory.dmp

Filesize
796KB

Download
memory/5108-351-0x00000000007D0000-0x00000000008CE000-memory.dmp

Filesize
1016KB

Download
memory/5108-342-0x00000000029E0000-0x0000000002AD9000-memory.dmp

Filesize
996KB

Download
memory/5108-330-0x00000000008D0000-0x00000000008F2000-memory.dmp

Filesize
136KB

Download
memory/5108-337-0x000000000082A000-0x000000000082B000-memory.dmp

Filesize
4KB

Download
memory/5108-338-0x00000000007D0000-0x00000000008CE000-memory.dmp

Filesize
1016KB

Download
memory/5108-326-0x00000000007D0000-0x00000000008CE000-memory.dmp

Filesize
1016KB

Download
memory/5108-352-0x0000000060900000-0x0000000060979000-memory.dmp

Filesize
484KB

Download