General Info

File name

cash-memo-9.1.1.exe

Full analysis
https://app.any.run/tasks/c916d831-3409-4458-b91c-dd6de2b32939
Verdict
Malicious activity
Analysis date
4/14/2019, 17:47:25
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5

f30a52c035cdce67f26b8c6f19450933

SHA1

aa01bbb31c0ca26f76c47a439919e53a472ba8e1

SHA256

7ae675e307f55cdfde833d5b78654e42edabd774b6028c7f30f610ea401faa75

SSDEEP

196608:tpJqiXU1hPNDGaHb/Iu7Je8hC3QV93oTEz6tEOpaVlqEmRWDf/:t21hPRGaHrIuNeOC3s2Y6t5kVlqEmRWr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • cash-memo-9.1.1.exe (PID: 1184)
  • cash-memo.exe (PID: 2740)
Application was dropped or rewritten from another process
  • cash-memo.exe (PID: 2740)
Executable content was dropped or overwritten
  • cash-memo-9.1.1.exe (PID: 1184)
Creates a software uninstall entry
  • cash-memo-9.1.1.exe (PID: 1184)
Creates files in the user directory
  • cash-memo-9.1.1.exe (PID: 1184)
Dropped object may contain Bitcoin addresses
  • cash-memo-9.1.1.exe (PID: 1184)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.exe | Win32 Executable MS Visual C++ (generic) (52.5%)
.scr | Windows screen saver (22%)
.dll | Win32 Dynamic Link Library (generic) (11%)
.exe | Win32 Executable (generic) (7.5%)
.exe | Generic Win/DOS Executable (3.3%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2016:12:11 22:50:45+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
24576
InitializedDataSize:
118784
UninitializedDataSize:
1024
EntryPoint:
0x32bf
OSVersion:
4
ImageVersion:
6
SubsystemVersion:
4
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
11-Dec-2016 21:50:45
Detected languages
English - United States
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000D8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
11-Dec-2016 21:50:45
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00005E59 0x00006000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.42419
.rdata 0x00007000 0x00001246 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.0004
.data 0x00009000 0x0001A818 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.21193
.ndata 0x00024000 0x0000A000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x0002E000 0x00007A70 0x00007C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.98455
Resources
1, 2, 3, 4, 5, 102, 103, 104, 105, 106, 110, 111
Imports
    KERNEL32.dll
    USER32.dll
    GDI32.dll
    SHELL32.dll
    ADVAPI32.dll
    COMCTL32.dll
    ole32.dll
Exports

    No exports.

Processes

Total processes
37
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

start → cash-memo-9.1.1.exe (no specs) → cash-memo-9.1.1.exe → cash-memo.exe
Process information

PID
880
CMD
"C:\Users\admin\AppData\Local\Temp\cash-memo-9.1.1.exe"
Path
C:\Users\admin\AppData\Local\Temp\cash-memo-9.1.1.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\cash-memo-9.1.1.exe
c:\systemroot\system32\ntdll.dll

PID
1184
CMD
"C:\Users\admin\AppData\Local\Temp\cash-memo-9.1.1.exe"
Path
C:\Users\admin\AppData\Local\Temp\cash-memo-9.1.1.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\cash-memo-9.1.1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\riched20.dll
c:\users\admin\appdata\local\temp\nsr7b2f.tmp\installoptions.dll
c:\windows\system32\comdlg32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\visualdata\cash-memo\local\cash-memo.exe
c:\windows\system32\netutils.dll

PID
2740
CMD
"C:\VisualData\cash-memo\Local\cash-memo.exe"
Path
C:\VisualData\cash-memo\Local\cash-memo.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
VisualData.ru
Description
Движок
Version
1.0.0.0
Modules
Image
c:\visualdata\cash-memo\local\cash-memo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\opengl32.dll
c:\windows\system32\glu32.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\version.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\nsi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\comdlg32.dll
c:\windows\system32\shfolder.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\winmm.dll
c:\windows\system32\oleacc.dll
c:\visualdata\cash-memo\local\mm.dll
c:\visualdata\cash-memo\local\log.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\visualdata\cash-memo\local\padeg.dll
c:\windows\system32\d3d8.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\ksproxy.ax
c:\windows\system32\d3d9.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll

Registry activity

Total events
392
Read events
380
Write events
12
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
1184
cash-memo-9.1.1.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cash-memo.exe
C:\VisualData\cash-memo\visualdata.exe
1184
cash-memo-9.1.1.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Òîâàðíûé ÷åê-9.1.1
DisplayName
VisualData Òîâàðíûé ÷åê 9.1.1
1184
cash-memo-9.1.1.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Òîâàðíûé ÷åê-9.1.1
UninstallString
C:\VisualData\cash-memo\uninst.exe
1184
cash-memo-9.1.1.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Òîâàðíûé ÷åê-9.1.1
DisplayIcon
C:\VisualData\cash-memo\vd-icon.ico
1184
cash-memo-9.1.1.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Òîâàðíûé ÷åê-9.1.1
DisplayVersion
9.1.1
1184
cash-memo-9.1.1.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Òîâàðíûé ÷åê-9.1.1
URLInfoAbout
http://www.visualdata.ru
1184
cash-memo-9.1.1.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Òîâàðíûé ÷åê-9.1.1
HelpLink
http://www.visualdata.ru
1184
cash-memo-9.1.1.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Òîâàðíûé ÷åê-9.1.1
Publisher
VisualData
1184
cash-memo-9.1.1.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Òîâàðíûé ÷åê-9.1.1
Contact
òåë/ôàêñ.: 8 (863) 239-92-54
1184
cash-memo-9.1.1.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisualData Òîâàðíûé ÷åê-9.1.1
InstallLocation
C:\VisualData\cash-memo
2740
cash-memo.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication
Name
cash-memo.exe
2740
cash-memo.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
cash-memo.exe

Files activity

Executable files
8
Suspicious files
6
Text files
34
Unknown types
8

Dropped files

PID
Process
Filename
Type
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\uninst.exe
executable
MD5: d885cc2ce2fa01d8f43fde5184341030
SHA256: ca7e1483d98bc1248547f5882765ac2894d486051a7d9c8aea030400334188dd
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\mm.dll
executable
MD5: 7853519763364a97279c4a53a9ec03f3
SHA256: 51bd7a1ac9b2485342b89c56efc24eb92a393b532dd87108eab7fabefee6e87a
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\padeg.dll
executable
MD5: 2c55e4cbd98451d6305a0f6f9b48d81c
SHA256: 960006c3ece0672d5ac631a0446f01c681fc862bba4463dd59de0bbad992acae
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\reportview.exe
executable
MD5: 0e2fdd7988f950bedef042796508383f
SHA256: 5c4d0bbb99084e3bb8c29b75c22a0d20790038acf8b009f738173cd9c5991bda
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\vdjobman.dll
executable
MD5: 7eba8ae3bbb962f358e778df5b323139
SHA256: f9841cba0f04ecce8917548c7f528aad712bd7d4e55cd32988486d8f4f22efdd
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\cash-memo.exe
executable
MD5: 3a6ec71f31e8fa1110a12b5de3c338e3
SHA256: dc18ecdefa891fa69d9f291c93655dc25807f2c069ac39cf706c710c3aa4311b
1184
cash-memo-9.1.1.exe
C:\Users\admin\AppData\Local\Temp\nsr7B2F.tmp\InstallOptions.dll
executable
MD5: 3e277798b9d8f48806fbb5ebfd4990db
SHA256: fe19353288a08a5d2640a9c022424a1d20e4909a351f2114423e087313a40d7c
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\log.dll
executable
MD5: ec1e44616127cd10c9f8c4a5feb1b1fe
SHA256: 80e9a9a8e69d77332e98a0134c239d63ac77d1ef6aea205bf9e42d2d61344b40
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\scenario.stg
––
MD5:  ––
SHA256:  ––
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\license.rtf
text
MD5: 09c67fb585e292d8d8026b90017c8697
SHA256: 8644e60698bac2e4570d0a794452c053595237e91872d629fdfb34a6fc180209
1184
cash-memo-9.1.1.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VisualData Òîâàðíûé ÷åê\Óäàëåíèå ïðîãðàììû.lnk
lnk
MD5: ddb1b49810e9c477d6c495a6f529c4bb
SHA256: 87fafe754cf2579796315f6aed6fe357c2e02d9e1d63eb64e17ec903bdf20b2e
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\vds\WorkArea\00002.vdo
binary
MD5: 3b08cdefea0d246059c834a8f980f90e
SHA256: afcd68310f5daa19da205552c3ec2136da1762b1e81cd8c9e90616c3bf282ba9
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\doc\license.rtf
text
MD5: 09c67fb585e292d8d8026b90017c8697
SHA256: 8644e60698bac2e4570d0a794452c053595237e91872d629fdfb34a6fc180209
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\vds\WorkArea\00001.vdo
binary
MD5: dda447dcfe4c984c996cad650ab5218a
SHA256: 5220bc68c0a69249d0f0ee7174fe61660f63b73f25e9ea178cf0fa74683b2f3f
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\vds\WorkArea\00001.vdl
binary
MD5: b700c86e754d94a7c5dc316b6e727d36
SHA256: abb6c0d4f94e4e719b5693b2a03ce2128dbb3b75aa9f04baba7be0b687886888
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\vds\WorkArea\00001.vdc
binary
MD5: fe9ce8c20978db278ebda4ea2e37ab61
SHA256: 809dd07625fcc45139c583a40de4191b779963e1988e7e54a29c703ffa0a249b
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\vds\WorkArea\00001.vda
binary
MD5: af5b4fec5a9bb476782c566e6d1ba0b3
SHA256: 89cfc2d8540d99e8d497e7b4a8ea8ffced633a687fcfebbe5f13be231e1f7910
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\Meta\MetaAuto.xml
binary
MD5: 3408ba8bc13705a3c7c338f1e72c6d81
SHA256: ea40814a366ed698ddf3dafcb1b7920b1917ff85e3a8f99f31dfefa1f2d9fc14
1184
cash-memo-9.1.1.exe
C:\Users\admin\AppData\Local\Temp\nsr7B2F.tmp\modern-header.bmp
image
MD5: 8c4fbf57882b49af15a5956503298f5a
SHA256: 08a64efd306d643859ba3e48b78d0c8348c0f939c259531641ae9109dcc63465
1184
cash-memo-9.1.1.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VisualData Òîâàðíûé ÷åê\VisualData Òîâàðíûé ÷åê.lnk
lnk
MD5: 5802f78b2b923a988de51d9a0a3f2ecc
SHA256: 5c266509ecf3337cd1694b1bfedc13378e86170e619ff137da54f986f04de455
1184
cash-memo-9.1.1.exe
C:\Users\admin\Desktop\VisualData Òîâàðíûé ÷åê.lnk
lnk
MD5: b45e6d060dab3c7dbf7671588b780467
SHA256: e346eafcf6ebf28ba6e26de941d9257cc72039a4ae5d415d75e850397734c120
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\config.vdr
dbf
MD5: e7cc523712aa239484c2bd8ed7b25b45
SHA256: 6d1005cc2e3daf962661a7962c2ec2f7dfe81f2442ad74a7e19f9215ce805179
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\vd-icon.ico
image
MD5: 2d178382820a74e2034e878f91736b3c
SHA256: ba1819d071de7600b7ac06726ef4e13a6abcf301bad88d1bf0d5e2b9430c4a37
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\config.ini
text
MD5: 41441bd75bde9d5b47b1ba331d7caa10
SHA256: 67df90ef7a50bdb936b008a39870db672c7180847325be22aa1ed17181847327
1184
cash-memo-9.1.1.exe
C:\Users\admin\AppData\Local\Temp\nsb7B1E.tmp
––
MD5:  ––
SHA256:  ––
1184
cash-memo-9.1.1.exe
C:\Users\admin\AppData\Local\Temp\nsr7B2F.tmp\ioSpecial.ini
text
MD5: f94e2be40494f22a4c6adb26f9aa666e
SHA256: 2a8af0ada07348d62f60dc8c80e78f7627ea6da38e669baa65d03c8d0e4b47d9
2740
cash-memo.exe
C:\VisualData\cash-memo\Local\cash-memo.log
text
MD5: 33201b8ef3f7986475795a3e71714be1
SHA256: 61738771e259376eb6bb9cd80145c57b636e54de7d94189d23a3beb119d65635
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\extimg.vdr
dbf
MD5: 4b3aa88ccd4edc64ee84cd9d4a0783c5
SHA256: 78c5f83a3f6d8b1197c568d3d8f55506425434caf4c03f3e7741bc655242c739
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\Local\vd.vdr
dbf
MD5: aec924d24ec238fd2c1100b68b007b08
SHA256: 6e9b1ec159344cec23d4aafe1f5cc249826c742f2af8ea4fa4b851ad63e37187
1184
cash-memo-9.1.1.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VisualData Òîâàðíûé ÷åê\Ëèöåíçèÿ.lnk
lnk
MD5: 67ad098b33566f8f1fec058c0dfc6e3c
SHA256: 420ac9bf58d9f9cd145934bc485a5faaef9bfb29d345b4ddd8d39f70915b3069
1184
cash-memo-9.1.1.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VisualData Òîâàðíûé ÷åê\×òî íîâîãî.lnk
lnk
MD5: a852c2e7921c2a3c87c5ba172c71a326
SHA256: 7366ee897da662573649e51adbf7f8965ad9d1ce149c13de5abe5808dbfc742f
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\vd-icon.ico
image
MD5: 2d178382820a74e2034e878f91736b3c
SHA256: ba1819d071de7600b7ac06726ef4e13a6abcf301bad88d1bf0d5e2b9430c4a37
1184
cash-memo-9.1.1.exe
C:\Users\admin\AppData\Local\Temp\nsr7B2F.tmp\ioSpecial.ini
text
MD5: 57a34b9488d9c0284c272a2a1998870c
SHA256: e5dade58ec6491c8ef68616c9731d1c0d15ad47c86826cfa6c0c6275b52773df
1184
cash-memo-9.1.1.exe
C:\Users\admin\AppData\Local\Temp\nsr7B2F.tmp\ioSpecial.ini
text
MD5: 8e11668ec0eb3ac8d5623d9cfba7dac4
SHA256: 3fd5f2f2c791340bd16535576e1124c6e89dc900069b7e3e002fd7fd5b6633d8
1184
cash-memo-9.1.1.exe
C:\VisualData\cash-memo\whatsnew.html
html
MD5: b7ed48c0a0b0d10ba14e1a535fd79401
SHA256: d486425ce5c7d57816b19983a53acee211b14022dee5a99c18913624fa7479ca
1184
cash-memo-9.1.1.exe
C:\Users\admin\AppData\Local\Temp\nsr7B2F.tmp\modern-wizard.bmp
image
MD5: 755ee551622f820d4adca2fa92b5d9ab
SHA256: 8ede27442b843ee84bb733227ee7b2ffec45f6b5d1cfde7eb36348203c7428b4
1184
cash-memo-9.1.1.exe
C:\Users\admin\AppData\Local\Temp\nsr7B2F.tmp\ioSpecial.ini
––
MD5:  ––
SHA256:  ––

Find more information about the static content and download it in the full report.

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.