Analysis
-
max time kernel
98s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
03-07-2024 07:31
General
-
Target
https://drive.google.com/file/d/1y--C8OwAfFUwlMPRG93yznAF5_5Oh6y-/view?pli=1
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
77.105.135.107:3445
Extracted
lumma
https://stationacutwo.shop/api
https://bouncedgowp.shop/api
https://bannngwko.shop/api
https://bargainnykwo.shop/api
https://affecthorsedpo.shop/api
https://radiationnopp.shop/api
https://answerrsdo.shop/api
https://publicitttyps.shop/api
https://benchillppwo.shop/api
https://reinforcedirectorywd.shop/api
Signatures
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Modifies firewall policy service 3 TTPs 1 IoCs
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 21 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 53 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1y--C8OwAfFUwlMPRG93yznAF5_5Oh6y-/view?pli=12⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe103746f8,0x7ffe10374708,0x7ffe103747183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2480 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5736 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17917698884440153957,12359869126206820573,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:13⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\dvt9td218archive6\" -ad -an -ai#7zMap10450:96:7zEvent95622⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\dvt9td218archive6\License_setup.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\dvt9td218archive6\" -an -ai#7zMap13234:112:7zEvent229562⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\dvt9td218archive6\setup.exe"C:\Users\Admin\Downloads\dvt9td218archive6\setup.exe"2⤵
- Modifies firewall policy service
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\SimpleAdobe\0xG5cI5IDKWNKChyvaRAQLyA.exeC:\Users\Admin\Documents\SimpleAdobe\0xG5cI5IDKWNKChyvaRAQLyA.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS5E67.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS6695.tmp\Install.exe.\Install.exe /DIIdidGI "385137" /S5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bsqNJSiTyoMLfdbIdy" /SC once /ST 07:34:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS6695.tmp\Install.exe\" 2Z /TpwdidwaJ 385137 /S" /V1 /F6⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\Documents\SimpleAdobe\W76tm0BP79JabYBOvPiXHSj3.exeC:\Users\Admin\Documents\SimpleAdobe\W76tm0BP79JabYBOvPiXHSj3.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\SimpleAdobe\TOYlYOJQKqb4muXWog6jC3wu.exeC:\Users\Admin\Documents\SimpleAdobe\TOYlYOJQKqb4muXWog6jC3wu.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 2804⤵
- Program crash
-
C:\Users\Admin\Documents\SimpleAdobe\__nigowHJ7J5_PyWdoRvVNHP.exeC:\Users\Admin\Documents\SimpleAdobe\__nigowHJ7J5_PyWdoRvVNHP.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-9FBJO.tmp\__nigowHJ7J5_PyWdoRvVNHP.tmp"C:\Users\Admin\AppData\Local\Temp\is-9FBJO.tmp\__nigowHJ7J5_PyWdoRvVNHP.tmp" /SL5="$E0028,5287326,54272,C:\Users\Admin\Documents\SimpleAdobe\__nigowHJ7J5_PyWdoRvVNHP.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Pion Audio Player\pionaudioplayer.exe"C:\Users\Admin\AppData\Local\Pion Audio Player\pionaudioplayer.exe" -i5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Pion Audio Player\pionaudioplayer.exe"C:\Users\Admin\AppData\Local\Pion Audio Player\pionaudioplayer.exe" -s5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\SimpleAdobe\mOZigL0_G48uSFBJ6Dzcu05Z.exeC:\Users\Admin\Documents\SimpleAdobe\mOZigL0_G48uSFBJ6Dzcu05Z.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\SimpleAdobe\JOd9VE9M9LZBxt5_BczgzvOo.exeC:\Users\Admin\Documents\SimpleAdobe\JOd9VE9M9LZBxt5_BczgzvOo.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS5F42.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS67DD.tmp\Install.exe.\Install.exe /DdidDNrk "525403" /S5⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bmQWCxleEgxbTUrSZz" /SC once /ST 07:34:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS67DD.tmp\Install.exe\" xv /aJTdidw 525403 /S" /V1 /F6⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\Documents\SimpleAdobe\BF6irFAZeCH0eOcJairdn7Jd.exeC:\Users\Admin\Documents\SimpleAdobe\BF6irFAZeCH0eOcJairdn7Jd.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "CIFUBVHI"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "CIFUBVHI"4⤵
- Launches sc.exe
-
C:\Users\Admin\Documents\SimpleAdobe\WrJ3hKxsDqhwmb5nEKp_fGDf.exeC:\Users\Admin\Documents\SimpleAdobe\WrJ3hKxsDqhwmb5nEKp_fGDf.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k copy Urban Urban.cmd & Urban.cmd & exit4⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c md 7802295⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V "STEADYSIMSCOLLABORATIVEHUMANITIES" Stylus5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Conservative + Transmission + Employee + Conservation + Coastal + Atlanta 780229\p5⤵
-
C:\Users\Admin\AppData\Local\Temp\780229\Spec.pif780229\Spec.pif 780229\p5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\SimpleAdobe\ivBLLbjMs5AVX9oNG1XjDrwN.exeC:\Users\Admin\Documents\SimpleAdobe\ivBLLbjMs5AVX9oNG1XjDrwN.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\Documents\SimpleAdobe\ClvZjkBPXcWA0rQRZzU2K8ym.exeC:\Users\Admin\Documents\SimpleAdobe\ClvZjkBPXcWA0rQRZzU2K8ym.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\dvt9td218archive6\setup.exe"C:\Users\Admin\Downloads\dvt9td218archive6\setup.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url" & echo URL="C:\Users\Admin\AppData\Local\VitaConnect Innovations\VitaLink.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url" & exit2⤵
- Drops startup file
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2028 -ip 20281⤵
-
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exeC:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\system32\svchost.exesvchost.exe2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5477462b6ad8eaaf8d38f5e3a4daf17b0
SHA186174e670c44767c08a39cc2a53c09c318326201
SHA256e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d
SHA512a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5b704c9ca0493bd4548ac9c69dc4a4f27
SHA1a3e5e54e630dabe55ca18a798d9f5681e0620ba7
SHA2562ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411
SHA51269c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
408B
MD5214d26d3677d31abd13b6361693bb9a2
SHA1582d315be7422b201b8ccc0d68f8554c626b3de4
SHA256426970e3e004513740997da81bdcd4ad27c5cd0aa7fecb5c69822ff5af24d5bd
SHA5122db22d155a72416156fdaeabf0d9150fc066d44849824f77967880c0d7bc1db189562419a0717a5f2935cade90c0d646ade248ad255a8d4fa98a446562940f15
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
20KB
MD53f9cafd73432ce4127906f5b0f6ce663
SHA13c63f6f57dfe90df6926c89f1060f6614504996a
SHA256b3bd5ad8f1b4b1a42b187eef3fe59039379d0c2ab129cebb0656d50eef0b8d30
SHA512e70bce9be2f224483737156f36eef5c69cc9f54a5051578d7f56e841811d119ed33f375871ea98129cb7069742805645b57d50983af5157c7fef1b6efd1938fa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD5b9f89b02c621c892214d57232aad75e8
SHA173d25fbdcaaa3efcb70915fb46f7b0dc4b5521ef
SHA256c177e0a0dc86f8660f79d6fa2a538ff0ce2a1a319e455d1cac3d5ce2958f8cf9
SHA5127402b48f2673ebaad38afaf4d65552613c6cee0cfbf310bd1dd9bdaa53eb9ae589d909fc4267137610ede9e2551b15fa2768dfab7d9e0d0259c7131dbdc72272
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5488428712bee96d324771455f5b3cae5
SHA1cbcebb88f77e7f40e746ebddb54d6e5c02d69ceb
SHA25628e72ac8955645582c9035e2ca38894890a23dd5cce0796914f9265c0e82e89f
SHA512756470b2506b0d3f4698c23c2893466829b3b2e08c39f9485981229cb61ee6b0fe78f3ca133e56d0375211fd862c6d8af523fb0c550ef95a27fe8a2ecf4606c6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57ecc6904044a69d869723eb909f4b493
SHA13b7f1656743baba8d1f2eb9dc4d5ef98e16ba9d3
SHA256a18036184aaf142f32f4e415d7a82e3388d21d024d3b669f47d45362202ec4a9
SHA512cb51b9be2b22320efd25039123da896a48e124ed06a10bbf53feb62077627bad9402223a45e04835b922b3d300f3c91360cc34f3c11a85db46994a34267736cf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5c5d0a3137c2679cfa61a19f67f59eab7
SHA1a3343972a9ef5c79c3d65aa2aee314f94093af40
SHA2561cdb65d3d32f877c1cc725d8ee4c86a148523103f6f345f1669763286aff2c6e
SHA512f19109e6c57cf5d868c4f0ce0843fa60e119f4de6ce0abcbd8af653d303837f0690079ef4d3561e262cb03bb583ba64898745b4c9e33e858390a624b72075ea1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD579ed747beb43421526d24e396afaae8d
SHA17034444b9c9be2f5ed26dad0f2a34edc4110fca0
SHA2569d523343d78165502e29a15d8389a4d5bbd97804ed82787b7044188ad3e0b815
SHA512d0a152a9b86acc8e8d08355852704db567ef8fca88032af1e5f153e5d908f75d0155d8c2a77c2ca8b21ec6c94056e6bee1c1626250b46e542b99c4e317e90438
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5fab874569653cc5f66680312541c8d41
SHA1b1edb8103ad4dc241cd44e22df7d09d199f71ea7
SHA2563d58e35c5471a5828c8a64443e62da36a1d37f780f53dddf6aa7e9afe2becc38
SHA512452dccf34bbfb9d4142316eb4886612a55a9e60b1912df942963fc90e64fc717879b73b3103985c809f3f7bb4c93b934ec9a8ce2e29a687ea47b0285923e1344
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD58550d1ab9461b145c532afd7ffb5ddf7
SHA108419f7a68bbd36960a5080a3deb04a0a26b2409
SHA25612a70712c828aeb541f539d242e3521e8d99d6b66875648a91e45344b23f4d70
SHA5121f86008d873202e4afcff4c5e70b69d95a180f29a07f81fe438284ea88cdc9e8ad10f4a1467079abd2d75dad8e14ff42ad2e60683f89356fe392e172f74a080a
-
C:\Users\Admin\AppData\Local\Pion Audio Player\pionaudioplayer.exeFilesize
4.0MB
MD59b31a96f4666542461ea395f5b43439c
SHA180654cd93c1652e65f95bd15bb7fcd0969b25d76
SHA256b6e313e1a207e0b8991e0883eff6234ebebd82a5d192c97ea67d0a0d563e5e48
SHA5126777ddd0faf3fb9d0f0247a9cedf2de735d360c7ccfc7d8268b6de6e336a2bbc81d425df2e0585d59a5a3fac902eae84d0fa0daed772b5ee8da7820b47c7ddeb
-
C:\Users\Admin\AppData\Local\Temp\7zS5E67.tmp\Install.exeFilesize
6.4MB
MD5fd2bbdd5884e1e41751df4b6bb635759
SHA1caf0945968cde645eaa68e128dd75b84703f4fc8
SHA256bf3e60dee68991fe4cf6f22cc38403355b0e5e360b4a21410ed1e858a0b4751e
SHA512fb75f045701a0d875491cdf216cb22d479d19de7818936e99a0f9d4350876f79caca32a1b1fc27133eaef980deb02d346580d352f8b36ba0bae3291e894b6a8d
-
C:\Users\Admin\AppData\Local\Temp\7zS5F42.tmp\Install.exeFilesize
6.4MB
MD5860ee5203b65345154963dd04617b104
SHA1bba88c359af5502bafbc5212a904c97a0dbf6d66
SHA256504a30c45dfa6104f8af4f662894df176c1ad5df953a9182d6a7c6810aaec256
SHA512e2f9fbed5638e36e54684e0120969ffeefd5d8f4f1cb350af60cc983f7708bdcf50ae7c96166ff324c5ce6b06f80e10c05e0a35ded82e468bc2b5d5adc944f75
-
C:\Users\Admin\AppData\Local\Temp\7zS6695.tmp\Install.exeFilesize
6.7MB
MD571bf676ae80afa9f2577d2eae6a133ae
SHA10fedcfbd17c9a11a97ce5c6b984926b5a510f533
SHA2569f803c1fd9944d0050032ecd983de008c13c0e939e66d13c1d138551d290be99
SHA512f8150af3a932ead9e6968569978ddba194b6355d4ac65bfcd7e54302e2f7f4b944c27baf3763297f5edc2d8eddb89bafea2489a79e1a77c695cc65fd967cf545
-
C:\Users\Admin\AppData\Local\Temp\7zS67DD.tmp\Install.exeFilesize
6.7MB
MD584da5fc2f43e551848349f0d0d3faca4
SHA1cf0078c71fb1ef9743451b6a20d9aa0306e697db
SHA2561989cb898e0e397b9acc16c453c94cf3f1873573979d36873182b18b8da86938
SHA5129a605654c70dc27ae52760b2ced4aa3eedda6e98919ef96d9615c754f07e12c1748f6f978ffc916cb693e7788b21dc101a2442e3251f9a598aa223d9ead238bd
-
C:\Users\Admin\AppData\Local\Temp\AssistFilesize
43KB
MD53d5a4446b998817ac3a378b584c185db
SHA18d45506c4e96d1832f6196f520ebaf7c306bfa0d
SHA2561e5e63511babdfb0c84c679197f7f8229f217c5e906ae5f74ad27b3b4712c872
SHA5126f174d0d9efe9ddd3d2d33d43dd199e0ca97b14a0c0bc809627aa6f4066a740a0d26f73b7993183822eaa8f94388bd7197e6c2b9d73051b6947baeb6696b1ea6
-
C:\Users\Admin\AppData\Local\Temp\ExamplesFilesize
69KB
MD5cb2749a3d65fff87fcb0b47adb23fa76
SHA1b0b6a9d11c7ee02d0d8953d450e9696cc601b7dc
SHA2569919ebf3a126ccefccb5236c053dd2a511ea21a58e478f7ea747055c8ef09c6c
SHA5120ccb7889ee9c94d5d38a03321ba2b5f6316f996792e494e68be75bac72c23db5a486c6bd40a21270ddea2db727c54a7566fcab5645e0defce289931f8825d6b2
-
C:\Users\Admin\AppData\Local\Temp\FundamentalFilesize
49KB
MD5230ed0afa33749b3c72b2ffde41dd1e3
SHA19c09200619efecb0a6dfe689edc322a281d83aa8
SHA256abc1fc7f2d61a140868d22644c4309275989ecc5ef491155dcaf9459b438dcc9
SHA51231b32ac30e5055d53d708b91fdb39df071f346d4a4417dc508d26153a5dbac2b4906a0e891d205d7d9809ee24eb3fd733e0c5394bed9b9b4804f8fd4356c2979
-
C:\Users\Admin\AppData\Local\Temp\KnowledgestormFilesize
61KB
MD55882258da7a689077b2f1dcbaaf43bd8
SHA171869c35d792e014beebdbd7d618803da9873074
SHA256b69a3f1178ca18c6a34dbadea494ba9eb5e3956c3d13a504355a84154ea87067
SHA512d96d61cdd4dad758c55081a79720d06e92434a4cff0610577618727a2d9368312acb1c448736b2bd0d1e3c99bf72bb1e9a281bf7bfbe8a96851794b2b43287ad
-
C:\Users\Admin\AppData\Local\Temp\LikeFilesize
24KB
MD5409794898e575cf088a4b1d21233a91f
SHA167f47df2bba5a90b5ecc57c9641fed44c48cff35
SHA256dce624d7c6c7525c6029bd118d98da93d6e94795a23ff3bddb619e5876e5b23c
SHA512e4d87a890aa899c338d8f272cdac9f8c5c22f79007cb8b78a1ee989dfcbf7aaf84fdb88e6afd48d198cbdae6fea3540d8021b92dea58913698da80314ca5e738
-
C:\Users\Admin\AppData\Local\Temp\StylusFilesize
208B
MD5ce77907dd56d674bcd0bbcfb7011bd93
SHA1c8483cacfe2f8e81f8ef1a5068b6a42142c1cf4f
SHA256748d79ad490a68ce10d337bdb791dadef6fec2e34b69b1eea4b976a95d53a0a1
SHA5123c97ad521e092b429f210a4c98cd3de01c063fabc1f0d1d91a2389f4e223b4469be2b4db5d7a2a8c610331864bf684f1d8f1d1b654bf1b656508d91f12c7cf5d
-
C:\Users\Admin\AppData\Local\Temp\UrbanFilesize
19KB
MD50acf541cbe9a635dab7b5bcf6f2bb645
SHA1765e9babeddb81d9c0b88282e6b8a9ada0445de4
SHA256873200c6afe55ab1b0c4bdea11370b84bca64d0bf7a5d2976416c43cda53bdfd
SHA51271d1c51aa76b0e3adac409bc8124b57c529e12918b58dc42e4ffea603771377d654c88f7733ca04dd2b7daab45bd4b4a00aa5ca68604151c6077b6c803e3fe21
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxfmdeye.oat.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\is-29C24.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
C:\Users\Admin\AppData\Local\Temp\is-9FBJO.tmp\__nigowHJ7J5_PyWdoRvVNHP.tmpFilesize
680KB
MD51c47be7867d5fb90ccf37808d1474f67
SHA10b24f8cba4f8f9e85df1dc144e37c5a36d8ef144
SHA256d192cd666c467b89c52c7de07238e3e1ce7f494b015f7c9c0c3f859ed78a93d9
SHA512574d89abf82c0f8ea5a40e59556c732890d71e8d4e7c677d151da0494dcdd8a95b14eb79dccbb4e92fd9295c233a12b9baf2ff7373639aa53290a2f57c24c1e8
-
C:\Users\Admin\AppData\Local\Temp\tmp8D79.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\tmp8DCA.tmpFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\Documents\SimpleAdobe\0xG5cI5IDKWNKChyvaRAQLyA.exeFilesize
7.2MB
MD523f544d203bf33aa116399e3bbf0e93b
SHA112bd225b90915d8f1632b9e8f62c60e9e9656c32
SHA2564d0f1fba10d568cff1bfa75a6aab8a112789aa4c3e46cb11e510ec2912203ff3
SHA512dc29135e6c9378deffd6c890ddaa5d6cb77406a5975abd5786583c1a745537f1cd213d0b2461cb32d0b5e0c58e5e9534bb36fbed6e0a99994d82ae0d91fa92c0
-
C:\Users\Admin\Documents\SimpleAdobe\7QmYu1oI6IsaP_Po7RL7yHQi.exeFilesize
493KB
MD57e4720ea4acb2692c05ddc387f716b40
SHA1c452d95fbd37992ad84db6a07752c3b217ef6b3c
SHA256aa79b2b1a29d67fcf50eaeb45050f782855f53f4486c48c6370824078f42c835
SHA512c37ac1ebfab2c03087db6e3a8ce36dd1a30d8313e681894e7b8644e4f5d8ab6df31b33da6df14c0b2a38ab0742bd575e27a2e552c2fb87b5674a069b2bc52872
-
C:\Users\Admin\Documents\SimpleAdobe\BF6irFAZeCH0eOcJairdn7Jd.exeFilesize
10.1MB
MD53b24971c5fef776db7df10a769f0857a
SHA1ab314ddf208ef3e8d06f2f5e96f0f481075de0f4
SHA2560d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5
SHA512f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28
-
C:\Users\Admin\Documents\SimpleAdobe\ClvZjkBPXcWA0rQRZzU2K8ym.exeFilesize
4.7MB
MD506333e350e25e29677256d9be86e4ee1
SHA1088fa1f912473c3dfb5ab118b0bc39ec016cf15a
SHA256137a7220fb3cbe605b6c74712ad96dcb1bdea1c489e9df159044500ccc23f3c8
SHA5121475fd313ef0ca847eb7921b5bfb017f9b7f9274497df42fe3fa1477f40c6da8723ee0c46fa5c3fac6e9572c47712e1f4412c9460385c8f47117c82befdc329d
-
C:\Users\Admin\Documents\SimpleAdobe\JOd9VE9M9LZBxt5_BczgzvOo.exeFilesize
7.2MB
MD53b3b282f2508ea7f38b858955944f500
SHA18b900c53cbd8f15f31dd1c237cf95009f3fadec9
SHA256afcdcc5f558d7f4556e803f9ee1463091512fac1b0e82889faebbc90c46241de
SHA512c0fb59565fbe22d4b2b7c258c4ce1efa4df45277bc3487a9ec87c6a2932e85fec6a5ed5b9e81f6aed2bafcb893b191b14b6ff13b099d4c18aa8f5c0d1478bbfd
-
C:\Users\Admin\Documents\SimpleAdobe\TOYlYOJQKqb4muXWog6jC3wu.exeFilesize
935KB
MD55d505724b7a084217d7db6b2710d8613
SHA1f444284be57973aa0d2fa22cdea4e3a639bdb6c4
SHA256c4024302b2f74461f6aecd5ca2f2889fa8ed48a420cb2176ae782368e2c5c6eb
SHA512bcc79a8856aa5aee6349d602d75c2c1c615a12502d1256b044572b69bb3ac3bb9632a4b61956d41c7186a3d97dcf376968983bd16b417a8dcd89ecc4aeef42d0
-
C:\Users\Admin\Documents\SimpleAdobe\W76tm0BP79JabYBOvPiXHSj3.exeFilesize
2.6MB
MD58843145ba02f78a0f432586ded809af1
SHA142daf41136d6952ba8496b589a82ee88bb235e50
SHA256b8d58c5f2346036b9db065278b62c2d8019d9fef5d5d6ed2b63621082f05eab4
SHA51297eb7b621219ca6ed49e0222547bd30201524813c1b8b37df8cee285150a52f8fa0e49ead11e5b84521e01337f75d168e0f944b145ec8f213ef24d8ed074e27f
-
C:\Users\Admin\Documents\SimpleAdobe\W76tm0BP79JabYBOvPiXHSj3.exeFilesize
2.6MB
MD5520f92170a2cf78ed3152f83973b9b66
SHA1c6f979d3f405d1e9527566a9cc763dc2560ee39c
SHA25663f33fc0da67b18a2a5d75d5509d7aee76f5b2bdc94ab5aead8ac09a91b0da01
SHA51266d4c23cc9d276b947bce13c6089ca9676e30e1db07013b2144d2534728e8ace07ab3456cb66824416ba1f314f998be62a3479dda3143dd21d7778ce303846a7
-
C:\Users\Admin\Documents\SimpleAdobe\WrJ3hKxsDqhwmb5nEKp_fGDf.exeFilesize
1.1MB
MD5470aed70b81cb24f9316bac75ce9c409
SHA16797699947374efbe4e4746f7500a1e2d92ce36a
SHA256afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e
SHA512b26ad5e4fac0bbca810554f0a5453bffa8ad4d654bd057fefc8e83e3dbfd42e1e63ddef308c445a783d8684038e9a2f1f546ff1a7948b93c63b886632e242cb6
-
C:\Users\Admin\Documents\SimpleAdobe\__nigowHJ7J5_PyWdoRvVNHP.exeFilesize
5.3MB
MD5c51a0b6c89c4df20879e4edb9cfe70a0
SHA1c7b190b8927696ede122b79ba5d40c1a6b7d4c86
SHA25696a1b0b916cdc2d97067066697b30b70848666676cf77489d82299981229bc97
SHA512cf39ba14c049fc995869caa8ed1a1c9dc3e43df95575fe6674a488e6b6e99229d1a9e41f3f19535ec33079ccf9b8f20068249b002d220853e7f946e218ab4485
-
C:\Users\Admin\Documents\SimpleAdobe\ivBLLbjMs5AVX9oNG1XjDrwN.exeFilesize
3.7MB
MD5d2c328c49852296794a400c921c82e32
SHA10e86ed2329a4a638b6d172d5e54f3187615a0664
SHA256e3c5121806297e551d348d3869f99a82078c508a463e66e529232d94ef6b0daa
SHA512c0214ffd71c5b16d3efd16c3ea408ede805529f4306253122c27d54ae97719f0ec39fa789f7c7099700e3f388641fbbc1372a2b6df47ecde21e3c549cb099cf9
-
C:\Users\Admin\Documents\SimpleAdobe\ivBLLbjMs5AVX9oNG1XjDrwN.exeFilesize
3.7MB
MD52ab891d9c6b24c5462e32a0bab3d1fec
SHA14dbb387d2fce2b47ff3699468590466505ba7554
SHA2566ffd157eb781504eadd72996c2cdbd4881034ffb7f7d2bc4b96d4daa61fb4d86
SHA5120317a30e9e70d0ac8416f14a91119504fc40e9a72ee34d358741ebf820367abb3b18e2c64987f6d86d3c4a8952621aebeca83fa027d66edb456c749e56d42d89
-
C:\Users\Admin\Documents\SimpleAdobe\mOZigL0_G48uSFBJ6Dzcu05Z.exeFilesize
4.9MB
MD52502f2fb88c1ea569c0b4287ae0613f3
SHA1aae526d8ce17f59366b57d5d00ab5d14140cd6b5
SHA2566c3496832cdffffedde13f9c75138ee62dd968eaa26bc23e1cbc082e638c3513
SHA5127c0e3a6f8322aafa90533bcd2ff5ab2b167ef7c1c8412710c4b3a3b4643cdb0412cf93c561ce1c01a1057643bda336fd3fa64e3a7373d41cc25319d5190ca2d2
-
C:\Users\Admin\Downloads\Unconfirmed 743577.crdownloadFilesize
19.1MB
MD5059b1751193f706f1d5d00a28b41e49f
SHA1c2bc3b2e120fb046f99a23a63b7166134207067e
SHA256c8db5c9576c1c42191f61aa9d4101eb1d64c805dd8c1c0b3e2384d4b7bbb3369
SHA5121e3d920afbaa9dc6462a961e6eaa61fc0fd32ef66eb7a44114821034fd65b972b87ba00b739c0f6c3056fea16604a5203ad26dd230593216c6e1c84a99105e3b
-
C:\Users\Admin\Downloads\dvt9td218archive6\License_setup.txtFilesize
393KB
MD50507b454d8793e3c59ed750dfeead0f4
SHA163c95b5ecb00d0e2fc956bfcbbd11b02800f49f2
SHA256a6123d8923a3b9d825b9585425e4302496b159ce13dd1f4730d249e06024da26
SHA512d97c2c056de3e23bf5850371032a2cc57d04ba29075609e54ed4753c22749ef5f2bca4a496fba172d4db456c9e00a544bb782e339e3294e80908f5a87844b2d2
-
C:\Users\Admin\Downloads\dvt9td218archive6\archive.rarFilesize
19.1MB
MD537e5729cb57584abf79db0f66c1fc377
SHA1e5ca481bc4b6f112c466c23c5b826f1d747c745d
SHA25655575aa6b5f417c3a30b0e95bc194927e5be32647714b57abc02bdb332de0fa3
SHA512427771b8b8ee9326a96356d9cdd83d0977543285966057aabb48f9f651f28c65cc83fb3136c538b9c1a435a7f5b9761adcd4f3623b4d69e1d97a3c71de3ca6eb
-
C:\Users\Admin\Downloads\dvt9td218archive6\update\Uninstall\unins000 — копия (12) — копия.datFilesize
2.7MB
MD5a73d07ab51f706c4c75e1c8c41972b07
SHA15a488969ac4e537d93d42dcd39a022679959e94c
SHA25622139226150a59706bc456190b0aa1b7afa3dce34f35013c19e5b5c4be31e8d2
SHA51217382c22ea8a7269ad2d0cb94f9faa03c5dfcfb9bfca88d5434bc5e1163e4c6d5e48375870d6236f775a1f815527a197d7bf341588251ebfd2569145f1dc4375
-
C:\Users\Admin\Downloads\dvt9td218archive6\update\Uninstall\unins000 — копия (12) — копия.exeFilesize
1.5MB
MD53ab31d714c50ae078f9eaba7b2497191
SHA145c5e807e459d95618c03a6ded9debe1d70013f3
SHA2564f1ad8d1547c95e51defcb129c5dcf2568c9735524ab3face5f0fafc5bcbc0eb
SHA512f89961fb914796b07da8f224317bb794f9cf0cc8b40e635823b0bb8a6713048c5b2de08e1c4e9dd4f81c6f579e3bc3551a9342ba34db9a6de1c0d6755ec140ae
-
\??\pipe\LOCAL\crashpad_4152_XBQANZLTZTFQVRRCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/732-1039-0x0000000009410000-0x0000000009486000-memory.dmpFilesize
472KB
-
memory/732-703-0x0000000000400000-0x0000000000472000-memory.dmpFilesize
456KB
-
memory/732-1040-0x0000000008990000-0x00000000089AE000-memory.dmpFilesize
120KB
-
memory/1000-936-0x0000000002B30000-0x0000000002B66000-memory.dmpFilesize
216KB
-
memory/1000-950-0x0000000005B10000-0x0000000005E64000-memory.dmpFilesize
3.3MB
-
memory/1208-484-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/1520-624-0x00000000059A0000-0x0000000005F44000-memory.dmpFilesize
5.6MB
-
memory/1520-651-0x0000000005760000-0x000000000576A000-memory.dmpFilesize
40KB
-
memory/1520-677-0x00000000058B0000-0x00000000058EC000-memory.dmpFilesize
240KB
-
memory/1520-893-0x0000000006F60000-0x0000000006FB0000-memory.dmpFilesize
320KB
-
memory/1520-891-0x0000000006160000-0x00000000061C6000-memory.dmpFilesize
408KB
-
memory/1520-680-0x0000000005900000-0x000000000594C000-memory.dmpFilesize
304KB
-
memory/1520-625-0x00000000055B0000-0x0000000005642000-memory.dmpFilesize
584KB
-
memory/1520-668-0x0000000006570000-0x0000000006B88000-memory.dmpFilesize
6.1MB
-
memory/1520-669-0x0000000005F50000-0x000000000605A000-memory.dmpFilesize
1.0MB
-
memory/1520-670-0x0000000005850000-0x0000000005862000-memory.dmpFilesize
72KB
-
memory/1520-970-0x0000000007480000-0x0000000007642000-memory.dmpFilesize
1.8MB
-
memory/1520-1031-0x0000000007B80000-0x00000000080AC000-memory.dmpFilesize
5.2MB
-
memory/1520-623-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1692-939-0x0000000005860000-0x0000000005882000-memory.dmpFilesize
136KB
-
memory/1692-968-0x0000000006710000-0x000000000672E000-memory.dmpFilesize
120KB
-
memory/1692-938-0x0000000005A20000-0x0000000006048000-memory.dmpFilesize
6.2MB
-
memory/1692-940-0x0000000006150000-0x00000000061B6000-memory.dmpFilesize
408KB
-
memory/2528-693-0x0000000000400000-0x00000000007FC000-memory.dmpFilesize
4.0MB
-
memory/4356-965-0x00000000006D0000-0x0000000000B8E000-memory.dmpFilesize
4.7MB
-
memory/4356-967-0x00000000053D0000-0x00000000053DA000-memory.dmpFilesize
40KB
-
memory/4356-969-0x0000000005560000-0x000000000566A000-memory.dmpFilesize
1.0MB
-
memory/4608-586-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-588-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-540-0x0000000004CC0000-0x0000000004E3C000-memory.dmpFilesize
1.5MB
-
memory/4608-576-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-556-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-550-0x0000000004B50000-0x0000000004B6C000-memory.dmpFilesize
112KB
-
memory/4608-558-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-503-0x0000000004C20000-0x0000000004CBC000-memory.dmpFilesize
624KB
-
memory/4608-584-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-560-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-562-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-564-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-566-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-552-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-570-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-572-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-574-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-582-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-500-0x0000000000090000-0x000000000033E000-memory.dmpFilesize
2.7MB
-
memory/4608-554-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-568-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-578-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-551-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4608-580-0x0000000004B50000-0x0000000004B65000-memory.dmpFilesize
84KB
-
memory/4852-498-0x0000000000100000-0x0000000000A8F000-memory.dmpFilesize
9.6MB
-
memory/5248-455-0x00007FF6137C0000-0x00007FF613FD7000-memory.dmpFilesize
8.1MB
-
memory/5608-258-0x00007FFE1F030000-0x00007FFE1F032000-memory.dmpFilesize
8KB
-
memory/5608-256-0x00007FFE1F580000-0x00007FFE1F582000-memory.dmpFilesize
8KB
-
memory/5608-435-0x00000220B4A30000-0x00000220B4A9B000-memory.dmpFilesize
428KB
-
memory/5608-261-0x00007FFE1D320000-0x00007FFE1D322000-memory.dmpFilesize
8KB
-
memory/5608-257-0x00007FFE1F590000-0x00007FFE1F592000-memory.dmpFilesize
8KB
-
memory/5608-262-0x00007FF6137C0000-0x00007FF613FD7000-memory.dmpFilesize
8.1MB
-
memory/5608-255-0x00007FFE1F570000-0x00007FFE1F572000-memory.dmpFilesize
8KB
-
memory/5608-290-0x00000220B4A30000-0x00000220B4A9B000-memory.dmpFilesize
428KB
-
memory/5608-259-0x00007FFE1F040000-0x00007FFE1F042000-memory.dmpFilesize
8KB
-
memory/5608-260-0x00007FFE1D310000-0x00007FFE1D312000-memory.dmpFilesize
8KB
-
memory/5708-704-0x0000000000E10000-0x00000000014C4000-memory.dmpFilesize
6.7MB
-
memory/5872-707-0x0000000000400000-0x00000000007FC000-memory.dmpFilesize
4.0MB
-
memory/5892-700-0x00000000004A0000-0x0000000000B50000-memory.dmpFilesize
6.7MB