asyncrat | 058d30b271cc0bd169d08954f17e3977861dbe95fea8b7a550b48d8c914e8567

Analysis

max time kernel
146s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2023 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PowerBI tips Business Ops Setup 3.0.4.exe
Size

525.8MB
MD5

ceabe8661ec16fa125098bfd4cea1b23
SHA1

295b1b946bddf5366c7a1c886a5738b8fbfa8813
SHA256

2b3fa61129683f095d1e148a02d8783489e11553e4fb710a70e5b7f763917522
SHA512

a9d70b6c40122083dc993f70f7fdf8560f1a3cd3522aaed7dca19243e3da16b93b72fbba290c8a24cc909a0f25204a0796e0d6338e12e253857c84b3a08110f6
SSDEEP

12582912:Dgn00M6JgmlXDzVmljR3MN+ceOgBCOZKCVVE/+YxqummrFY5qgaqUAQ2BzpAPhEf:8n7+m9GjR8N+ce2mKCVC/nmd5qpYzVf

Score

10^/10

asyncrat plugx redline xworm discovery infostealer rat trojan

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Detects PlugX payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023284-4519.dat	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023284-4519.dat	family_redline

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0006000000023284-4519.dat	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	PowerBI tips Business Ops.exe

Executes dropped EXE 4 IoCs

pid	Process
1068	PowerBI tips Business Ops.exe
3672	PowerBI tips Business Ops.exe
3552	PowerBI tips Business Ops.exe
2420	PowerBI tips Business Ops.exe

Loads dropped DLL 16 IoCs

pid	Process
4328	PowerBI tips Business Ops Setup 3.0.4.exe
4328	PowerBI tips Business Ops Setup 3.0.4.exe
4328	PowerBI tips Business Ops Setup 3.0.4.exe
4328	PowerBI tips Business Ops Setup 3.0.4.exe
4328	PowerBI tips Business Ops Setup 3.0.4.exe
4328	PowerBI tips Business Ops Setup 3.0.4.exe
4328	PowerBI tips Business Ops Setup 3.0.4.exe
4328	PowerBI tips Business Ops Setup 3.0.4.exe
4328	PowerBI tips Business Ops Setup 3.0.4.exe
1068	PowerBI tips Business Ops.exe
3672	PowerBI tips Business Ops.exe
3672	PowerBI tips Business Ops.exe
3672	PowerBI tips Business Ops.exe
3672	PowerBI tips Business Ops.exe
3552	PowerBI tips Business Ops.exe
2420	PowerBI tips Business Ops.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\Assets\ManageDates\Templates\DateTemplate-05.json	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\System.ValueTuple.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\020__Steve_Campbell\HotSwapV2\HotSwapConnections.ps1	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\Microsoft.Xaml.Behaviors.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\System.Xml.Serialization.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\System.Threading.Timer.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Christian_Wade\ALMToolkitV1\app\html-resources\dist\31.chunk.js	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\sr-Latn\Microsoft.AnalysisServices.Tabular.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\bg\Microsoft.AnalysisServices.Core.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Christian_Wade\ALMToolkitV1\app\html-resources\dist\43.chunk.js	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Christian_Wade\ALMToolkitV1\app\x64\locales\ko.pak	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\wwwroot\favicons\icon-152.png	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\lv\Microsoft.AnalysisServices.Tabular.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\Antlr4.Runtime.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\D3DCompiler_47_cor3.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\020__Data_Marc\model-documenterV2\app\CommandLineArgumentsParser.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\020__Reza_Rad\pbihelperV1\app\System.Globalization.Calendars.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Christian_Wade\ALMToolkitV1\app\x86\cef_100_percent.pak	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\ko\System.Windows.Forms.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\System.Net.WebClient.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\020__Reza_Rad\pbihelperV1\app\System.ComponentModel.TypeConverter.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\Microsoft.AnalysisServices.Core.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\020__Data_Marc\model-documenterV2\ModelDocumentationTemplate_v2.0.1.pbit	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\sv\Microsoft.AnalysisServices.AdomdClient.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\eu\Microsoft.AnalysisServices.Core.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\sk\Microsoft.AnalysisServices.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\zh-HANT\Microsoft.AnalysisServices.AdomdClient.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\Microsoft.AspNetCore.CookiePolicy.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Christian_Wade\ALMToolkitV1\app\x86\snapshot_blob.bin	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\Assets\ManageDates\Templates\DateTemplate-03.json	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\Dax.Model.Extractor.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\Microsoft.Extensions.Diagnostics.HealthChecks.Abstractions.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\ms\Microsoft.AnalysisServices.AdomdClient.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\020__Reza_Rad\pbihelperV1\app\Microsoft.IdentityModel.Clients.ActiveDirectory.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Kay_Unkroth\MetadataTranslator\app\sr-Latn\Microsoft.AnalysisServices.Core.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\cs\PresentationFramework.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\Microsoft.AspNetCore.Server.HttpSys.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Daniel_Otykier\TabularV3\app\Newtonsoft.Json.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\th\Microsoft.AnalysisServices.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\ja\Microsoft.AnalysisServices.AdomdClient.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\System.Net.HttpListener.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\020__Reza_Rad\pbihelperV1\app\System.IO.UnmanagedMemoryStream.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\hi-IN	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Christian_Wade\ALMToolkitV1\app\x86\v8_context_snapshot.bin	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Daniel_Otykier\TabularV3\app\Microsoft.AnalysisServices.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\System.Runtime.Caching.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\System.Text.Encoding.CodePages.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\UIAutomationProvider.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Kay_Unkroth\MetadataTranslator\app\Microsoft.AnalysisServices.Tabular.xml	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\wwwroot\images\bravo.svg	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\020__Steve_Campbell\045-SQLProfiler.pbitool.json	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\System.Text.Encoding.CodePages.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\th\Microsoft.AnalysisServices.Tabular.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\fi\Microsoft.AnalysisServices.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\System.ServiceModel.NetTcp.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\System.Windows.Forms.Design.Editors.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\icudtl.dat	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Christian_Wade\ALMToolkitV1\app\html-resources\dist\assets\action-Delete.png	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\ar\Microsoft.AnalysisServices.Tabular.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\wwwroot\images\connect-pbi.svg	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\tr\Microsoft.AnalysisServices.resources.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\System.Runtime.Serialization.Primitives.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File opened for modification	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__SQL_BI\BravoV0\app\System.Threading.Overlapped.dll	PowerBI tips Business Ops Setup 3.0.4.exe
File created	C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\020__Data_Marc\model-documenterV2\app\netstandard.dll	PowerBI tips Business Ops Setup 3.0.4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4328	PowerBI tips Business Ops Setup 3.0.4.exe
4328	PowerBI tips Business Ops Setup 3.0.4.exe
4328	PowerBI tips Business Ops Setup 3.0.4.exe
4328	PowerBI tips Business Ops Setup 3.0.4.exe
4328	PowerBI tips Business Ops Setup 3.0.4.exe
4328	PowerBI tips Business Ops Setup 3.0.4.exe
3552	PowerBI tips Business Ops.exe
3552	PowerBI tips Business Ops.exe
2420	PowerBI tips Business Ops.exe
2420	PowerBI tips Business Ops.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4328	PowerBI tips Business Ops Setup 3.0.4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1068	PowerBI tips Business Ops.exe
3672	PowerBI tips Business Ops.exe
3552	PowerBI tips Business Ops.exe
2420	PowerBI tips Business Ops.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3672	1068	PowerBI tips Business Ops.exe	83
PID 1068 wrote to memory of 3552	1068	PowerBI tips Business Ops.exe	86
PID 1068 wrote to memory of 3552	1068	PowerBI tips Business Ops.exe	86
PID 1068 wrote to memory of 2420	1068	PowerBI tips Business Ops.exe	84
PID 1068 wrote to memory of 2420	1068	PowerBI tips Business Ops.exe	84

C:\Users\Admin\AppData\Local\Temp\PowerBI tips Business Ops Setup 3.0.4.exe
"C:\Users\Admin\AppData\Local\Temp\PowerBI tips Business Ops Setup 3.0.4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe
"C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe
  "C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe" --type=gpu-process --field-trial-handle=1644,18306277401735570682,13789737780020234056,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1648 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3672
- C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe
  "C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe" --type=renderer --field-trial-handle=1644,18306277401735570682,13789737780020234056,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Program Files\PowerBI tips Business Ops\resources\app.asar" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#ffffff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2424 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2420
- C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe
  "C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe" --type=utility --field-trial-handle=1644,18306277401735570682,13789737780020234056,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\PowerBI tips Business Ops\D3DCompiler_47.dll

Filesize
4.3MB

MD5
d52ae547c1b9d0a7ef9ab4699163ebf5

SHA1
9a113875543a4d03f8c2407604668a550b3efd81

SHA256
5ae422564201a0dfceb269dfebc4c3d697dc6b069a80631e2cd55fbcbfc38d33

SHA512
7748cbeb079aecda6ba9accc8df720fa1d416d36fa2bca60bac8a5f13e2a660af1b06ddf826fe35eaeec990efe0728ec7aa580cf11e3e0584c2a7f35f6876598

Download Submit
C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe

Filesize
105.6MB

MD5
f22316d4e8b55654093791b128d6150a

SHA1
ca335e13258c2cff8d48f130a5da75472e75abd2

SHA256
e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

SHA512
7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

Download Submit
C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe

Filesize
105.6MB

MD5
f22316d4e8b55654093791b128d6150a

SHA1
ca335e13258c2cff8d48f130a5da75472e75abd2

SHA256
e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

SHA512
7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

Download Submit
C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe

Filesize
105.6MB

MD5
f22316d4e8b55654093791b128d6150a

SHA1
ca335e13258c2cff8d48f130a5da75472e75abd2

SHA256
e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

SHA512
7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

Download Submit
C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe

Filesize
105.6MB

MD5
f22316d4e8b55654093791b128d6150a

SHA1
ca335e13258c2cff8d48f130a5da75472e75abd2

SHA256
e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

SHA512
7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

Download Submit
C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe

Filesize
105.6MB

MD5
f22316d4e8b55654093791b128d6150a

SHA1
ca335e13258c2cff8d48f130a5da75472e75abd2

SHA256
e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

SHA512
7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

Download Submit
C:\Program Files\PowerBI tips Business Ops\PowerBI tips Business Ops.exe

Filesize
105.6MB

MD5
f22316d4e8b55654093791b128d6150a

SHA1
ca335e13258c2cff8d48f130a5da75472e75abd2

SHA256
e130517411da8c6bfa5852f7f2859ff40b72baa57f8c9fb712f776c4385ae246

SHA512
7dada0eeb17f9c6c629a76ebd1ad2e34d55b510de07e123400bbfe497d94f4bdb265382fe2d361e3d78196e0bd5503096a604378024313810ff32161f64cb7b1

Download Submit
C:\Program Files\PowerBI tips Business Ops\chrome_100_percent.pak

Filesize
175KB

MD5
7c4728b2d58afdd97c4549c96b9561cc

SHA1
1e0d251eedd67e7021fc764b9188184617465c54

SHA256
419cfcc6dc5f38b2e0c970ebd4fad1ef55054579d5c0db2521d7ae494996aac3

SHA512
82d0931e4d1cf38f88050980f518cdacdc981c382771b1732bfbe69f601074a0e7378e27a7470c7dea4e287cb1617a5c038052908ed85134abcd5b6591b4e7df

Download Submit
C:\Program Files\PowerBI tips Business Ops\chrome_200_percent.pak

Filesize
312KB

MD5
6af049ad6fd11ee90ad9db31c4e02082

SHA1
5d2f9a59a74dc584b5dd78aeb6de583e969e3eb7

SHA256
edecf8e1ac353bfdae534e42507e5a59973cb4cab76fbb1ff1a470363e725bc4

SHA512
c7fa6e1a57861e62b9b4d615a988c98d13cde8abc23eaed7c36c2ecb86409da4b65b1f579ca2f307e90eb4d08d14b07f7f41ccb8d8c165d6de67c09c16009715

Download Submit
C:\Program Files\PowerBI tips Business Ops\d3dcompiler_47.dll

Filesize
4.3MB

MD5
d52ae547c1b9d0a7ef9ab4699163ebf5

SHA1
9a113875543a4d03f8c2407604668a550b3efd81

SHA256
5ae422564201a0dfceb269dfebc4c3d697dc6b069a80631e2cd55fbcbfc38d33

SHA512
7748cbeb079aecda6ba9accc8df720fa1d416d36fa2bca60bac8a5f13e2a660af1b06ddf826fe35eaeec990efe0728ec7aa580cf11e3e0584c2a7f35f6876598

Download Submit
C:\Program Files\PowerBI tips Business Ops\ffmpeg.dll

Filesize
2.7MB

MD5
9bc89883221006653709e9372a956bea

SHA1
e93da810ab27a779dd46f21a8b81bd69316755a1

SHA256
a0318757cbfa60e49d32319e7adab10368547e85579e0a39670efeec86e505a2

SHA512
4468c0bed971e2f83e22213847d1546e3ca37619cd08710e618694e6c4f44ea250b39789e34c79c0ee6282940abe749c08cb5f71e316ed017d8ec6b98ad303b1

Download Submit
C:\Program Files\PowerBI tips Business Ops\ffmpeg.dll

Filesize
2.7MB

MD5
9bc89883221006653709e9372a956bea

SHA1
e93da810ab27a779dd46f21a8b81bd69316755a1

SHA256
a0318757cbfa60e49d32319e7adab10368547e85579e0a39670efeec86e505a2

SHA512
4468c0bed971e2f83e22213847d1546e3ca37619cd08710e618694e6c4f44ea250b39789e34c79c0ee6282940abe749c08cb5f71e316ed017d8ec6b98ad303b1

Download Submit
C:\Program Files\PowerBI tips Business Ops\ffmpeg.dll

Filesize
2.7MB

MD5
9bc89883221006653709e9372a956bea

SHA1
e93da810ab27a779dd46f21a8b81bd69316755a1

SHA256
a0318757cbfa60e49d32319e7adab10368547e85579e0a39670efeec86e505a2

SHA512
4468c0bed971e2f83e22213847d1546e3ca37619cd08710e618694e6c4f44ea250b39789e34c79c0ee6282940abe749c08cb5f71e316ed017d8ec6b98ad303b1

Download Submit
C:\Program Files\PowerBI tips Business Ops\ffmpeg.dll

Filesize
2.7MB

MD5
9bc89883221006653709e9372a956bea

SHA1
e93da810ab27a779dd46f21a8b81bd69316755a1

SHA256
a0318757cbfa60e49d32319e7adab10368547e85579e0a39670efeec86e505a2

SHA512
4468c0bed971e2f83e22213847d1546e3ca37619cd08710e618694e6c4f44ea250b39789e34c79c0ee6282940abe749c08cb5f71e316ed017d8ec6b98ad303b1

Download Submit
C:\Program Files\PowerBI tips Business Ops\ffmpeg.dll

Filesize
2.7MB

MD5
9bc89883221006653709e9372a956bea

SHA1
e93da810ab27a779dd46f21a8b81bd69316755a1

SHA256
a0318757cbfa60e49d32319e7adab10368547e85579e0a39670efeec86e505a2

SHA512
4468c0bed971e2f83e22213847d1546e3ca37619cd08710e618694e6c4f44ea250b39789e34c79c0ee6282940abe749c08cb5f71e316ed017d8ec6b98ad303b1

Download Submit
C:\Program Files\PowerBI tips Business Ops\icudtl.dat

Filesize
10.0MB

MD5
3f019441588332ac8b79a3a3901a5449

SHA1
c8930e95b78deef5b7730102acd39f03965d479a

SHA256
594637e10b8f5c97157413528f0cbf5bc65b4ab9e79f5fa34fe268092655ec57

SHA512
ee083ae5e93e70d5bbebe36ec482aa75c47d908df487a43db2b55ddd6b55c291606649175cf7907d6ab64fc81ead7275ec56e3193b631f8f78b10d2c775fd1a9

Download Submit
C:\Program Files\PowerBI tips Business Ops\locales\en-US.pak

Filesize
79KB

MD5
98c8cfc3cb98ab34e06d4323b8bcb043

SHA1
2c0bda072161530b710fa0a1dfc3c23926184afe

SHA256
35adc5aeeebfe440e295b88d2a4089360ada33c353843b1f5438f4118501878b

SHA512
25edeca13b4a29f63bdc4f135eda1b1b8c72f3a58315f57895950bdc15f56b2af1aca42affe397716f5965437ece836f683265a33ec919b8b26056634612ed3c

Download Submit
C:\Program Files\PowerBI tips Business Ops\resources.pak

Filesize
4.6MB

MD5
d9022282a7fbf3aa354559ab6a9c7926

SHA1
ff1f2b77d80848bc1a51e48c21a033eb57d8776c

SHA256
ddc85d749b19cbabae11a0b8f7114daf75900179a2147280dd0f9f8faee7d65c

SHA512
6b9ab157cf8e10d8a79ea2ad4e247210fe2a7fd75dab086eb55951d4e028af3060e1f42175be936c6b093abc2c3071c0fd1c45afee3c567a79e1b722fe5f5d97

Download Submit
C:\Program Files\PowerBI tips Business Ops\resources\app.asar

Filesize
713.9MB

MD5
1c1ace30015c7cacb83c42a4431dc531

SHA1
5a41b9e032a8f79f4fc355ca56ebd5cd12b491c3

SHA256
c2d5d824c23b802cf8b0cdbe33a8e9ac791e724e68e46a2cdc9f537fe54e7d22

SHA512
65303e34fcd214339fded25293dfa410a6277f31a8976bdda8701b7caf37483d0b2c381d1212da55e017864dbe1062c351b8d5068c1dd52de2ce49277d005794

Download Submit
C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\DaxStudio.QueryTrace.Excel.dll.config

Filesize
278B

MD5
68399b53b17068b9fd58f0866be0df36

SHA1
aec4f07cefdad8854d3f002f40f3149b90e06e69

SHA256
0d1c657e0d50639011f2bc384e360070a32a369a8c75b2534261893f5184077e

SHA512
09966b246837b73647fd199062884b4691e2837d955901c2df61933930469cd96dad07253e2f283cbea7e213ac43fa4b7679be51769cb654f3e7e7a28196dd42

Download Submit
C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\010__Darren_Gosbell\DaxStudioV1\app\bin\Newtonsoft.Json.dll

Filesize
683KB

MD5
6815034209687816d8cf401877ec8133

SHA1
1248142eb45eed3beb0d9a2d3b8bed5fe2569b10

SHA256
7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814

SHA512
3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

Download Submit
C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\020__Data_Marc\model-documenterV2\app\System.Net.Http.dll

Filesize
84KB

MD5
cfaedd3de549e3cb02f8bb77a28bc076

SHA1
859c5f82a2fc22a6bcfbee92b841761a1b5b08b2

SHA256
cb1b1ac1c1a435f7ea7ee75914aa7bb1324bfafb7910d8c814db62a77b09ffa0

SHA512
d0cb88b8a6e6b27c159d609069ac4c586e0236dd0721c8c51e7e64202a17fda3084d0c035da8009162f8a00d20ef70f3b296c00b3096e87ab1819fe0e276956d

Download Submit
C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\Microsoft.AnalysisServices.AdomdClient.dll

Filesize
1.1MB

MD5
0803d402716365bfccc612fe270a82b7

SHA1
2b3cd9200465d788e8500982c90398c7c831331a

SHA256
e28bf785a287f8bcad8f42a415d8a92514c89ce6f893df3149173ca70e6b4ce6

SHA512
b02c08e1d8a448111fdea098f5893101ad8d7e0702dae8ac4612589fc66a341be066083a8b6d4e21f0f449434e1b08d2d7281772842bb3a3e54f9d1a8eb2ea34

Download Submit
C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\Microsoft.AnalysisServices.Core.dll

Filesize
1.4MB

MD5
d7d71fc93effe1a7ee26df3d91a53396

SHA1
1b21e44eff40afb9b3c360d821289b56611012a4

SHA256
c71c8d1d6616cdf29ab2cd0d6984bc652ae44611156c1275b268ff48ddbb512c

SHA512
01ee5b5e7fd5de3b1bb690898f10643e83a880db9988eda396400295a529595bf601a9f6d83555a67aba6290658e89c6d41821086104ef699799d477789cc5f8

Download Submit
C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\Microsoft.AnalysisServices.SPClient.Interfaces.dll

Filesize
29KB

MD5
8f1b8d355d07594287c67f93f8875712

SHA1
a1dfb9f3c3ded7d549d0036aff4f78ae6fafeffd

SHA256
3280381cb8127e818b20817210bd51ee0d2f89e25366db9a262f2cc746305b26

SHA512
9b55b7198ee821b2c2d998cc14494ec6be2f71ce53269ae828be8c20771c46eb5531cf72e968d3e4dafb0e1993941dbdb34cb87b217da7c95a6213cb193c9833

Download Submit
C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\Microsoft.AnalysisServices.Tabular.Json.dll

Filesize
547KB

MD5
64a8698baaaa3e291ecdee959a77bf3c

SHA1
0a070a7060f7aad60a02cace39d86ec721915840

SHA256
0237c578afc10222120281e45861f22d476568143d178edaf6f42b8e3d6b0c3f

SHA512
6c30c235975245559d7f1871c04282b62aad3aaf42bc04cf2dbf4d90f676a12aa0525851fd27ae5269f13778e096d3374037c8506662258cda1f575561a61238

Download Submit
C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\Microsoft.AnalysisServices.Tabular.dll

Filesize
1.2MB

MD5
7b920de3a5c597cc4a955c6037ba7255

SHA1
0d207b4bf91b72033f289bd6de68e3ffba1a1fdc

SHA256
2a1b1325a6221db2e4167c09861c0ba424727e89612c4500bfa47d96749da412

SHA512
8ff20d39ff8fd998bfce5412131dfd882a9d21509d735689bd584585335990235413993a4bafb98f84f27e11568289d73a0e3c43e9f3ae9c24426579d50eaf50

Download Submit
C:\Program Files\PowerBI tips Business Ops\resources\static\external-tools\030__Didier_Terrien\PowerBISideTools\app\Microsoft.AnalysisServices.dll

Filesize
677KB

MD5
44a6c3dc63fedafe91ff98a269c7a0b9

SHA1
3707e4c80d7287e4e19c44729137d2413fcb36b3

SHA256
3495cb74ff5519c5ece1fc1530225e15d7a99bc032e21ec2bf622e5363598e24

SHA512
df3f45a82e84af294a7f9653b63f34b079f13bf259110f09b6c77981500a3d918507074baacfbebc1a3eb06a5f3b130206ebfa6a4064117625a6e29f7d3d8bfb

Download Submit
C:\Program Files\PowerBI tips Business Ops\swiftshader\libEGL.dll

Filesize
391KB

MD5
d68ace0c88e1b4e933d8947f7d1caaa0

SHA1
f526193c10720426ba8b1fc54bf0de2138eaffc0

SHA256
158ebdba4bf1003734d9353d310e2ba5e1c271058bd6f9f45aa255175412c5da

SHA512
f427a9d95ca2b38cb7f8a9d5dc9c2016f9d6957bb01319136195b2c59a576d4722a4d0455eb6bc8f8b6d39e99dd6e4e5904491458ee307ed0e5f8e61db8f6659

Download Submit
C:\Program Files\PowerBI tips Business Ops\swiftshader\libGLESv2.dll

Filesize
3.6MB

MD5
e6c88513ead7aecc9e40ca4ba6b336be

SHA1
51d4727e361a397f5a0625dcf86c7d8089e7f9a2

SHA256
612f229de2cb68d7c635eff653fa5ff91047c3a66cb0d5d1358af02b8da6824d

SHA512
6ca4d7b7eb95153648786717772ec2c4f689f012f1d2d778e4e4d3166c0360f3770c634c74902515d1c7c54eb94343c778db361b672cacb719fb66b46b391f02

Download Submit
C:\Program Files\PowerBI tips Business Ops\swiftshader\libegl.dll

Filesize
391KB

MD5
d68ace0c88e1b4e933d8947f7d1caaa0

SHA1
f526193c10720426ba8b1fc54bf0de2138eaffc0

SHA256
158ebdba4bf1003734d9353d310e2ba5e1c271058bd6f9f45aa255175412c5da

SHA512
f427a9d95ca2b38cb7f8a9d5dc9c2016f9d6957bb01319136195b2c59a576d4722a4d0455eb6bc8f8b6d39e99dd6e4e5904491458ee307ed0e5f8e61db8f6659

Download Submit
C:\Program Files\PowerBI tips Business Ops\swiftshader\libglesv2.dll

Filesize
3.6MB

MD5
e6c88513ead7aecc9e40ca4ba6b336be

SHA1
51d4727e361a397f5a0625dcf86c7d8089e7f9a2

SHA256
612f229de2cb68d7c635eff653fa5ff91047c3a66cb0d5d1358af02b8da6824d

SHA512
6ca4d7b7eb95153648786717772ec2c4f689f012f1d2d778e4e4d3166c0360f3770c634c74902515d1c7c54eb94343c778db361b672cacb719fb66b46b391f02

Download Submit
C:\Program Files\PowerBI tips Business Ops\v8_context_snapshot.bin

Filesize
166KB

MD5
d9b62a61b9242c2d29da71d58421f08c

SHA1
62eb4411599dba13fe617a860096fe21a8141d0f

SHA256
9010758e1b4453957e561dfe6dd1c891400d7a0fb78097e8e67d9a8076644588

SHA512
1d0bd25bd3c5cb55e80592bc2a15ec94c31263fc518533c8f8d6434e9896f11aabeda2a8fa08601829fcb395ea5c69629ce2ded43d1f8106d982e1d21946832a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD24A.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD24A.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD24A.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD24A.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD24A.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD24A.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD24A.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD24A.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD24A.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD24A.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD24A.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstD24A.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/3672-4522-0x00007FFB293D0000-0x00007FFB293D1000-memory.dmp

Filesize
4KB

Download
memory/3672-4558-0x000001F6255F0000-0x000001F625945000-memory.dmp

Filesize
3.3MB

Download
memory/3672-4582-0x000001F6255F0000-0x000001F625945000-memory.dmp

Filesize
3.3MB

Download