Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    02/03/2024, 23:19

General

  • Target

    Vega X Executor.exe

  • Size

    3.6MB

  • MD5

    a686d0021f0ba9da27dbe213b65ae4ab

  • SHA1

    8ddab9c0f8e9f26e8acf35010d2db8cfd6d481b9

  • SHA256

    3046b3cee8825417932df44387b9370dbc658fbe217f650c65689a062168e71b

  • SHA512

    bd8c268c87625df7a2514449aea804990e030e576e3edc5e8ab25d89da08421bb20aeda4e42e93b7af4c356d693932989ba983a9376ec7fe38e200cac214909e

  • SSDEEP

    98304:DjT3zBOBfKMpHGqcfsLyQecNEqCNCjRqGy5XYBHOhN2qlxl:Dn3z/MpmJ0LdDLCAyiHOvR

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (9 IoCs)
  • Loads dropped DLL (52 IoCs)
  • UPX packed file (5 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Blocklisted process makes network request (4 IoCs)
  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (6 IoCs)
  • Drops file in Windows directory (25 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill (1 IoCs)
  • Modifies data under HKEY_USERS (3 IoCs)
  • Modifies registry class (24 IoCs)
  • Modifies system certificate store (2 TTPs, 17 IoCs)
  • Suspicious behavior: EnumeratesProcesses (7 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe
    "C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe
      "C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_0.exe
        "C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_0.exe" --silent --allusers=0
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1296
      • C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_2.exe
        "C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=2964 /CLICKID=2778 /SOURCEID=2778
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp" /SL5="$E0166,6358074,832512,C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=2964 /CLICKID=2778 /SOURCEID=2778
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Users\Admin\AppData\Local\Temp\is-ASNVH.tmp\_isetup\_setup64.tmp
            helper 105 0x1FC
            5⤵
            • Executes dropped EXE
            PID:1688
          • C:\Windows\system32\schtasks.exe
            "schtasks" /Query /TN "DPUpdateTask"
            5⤵
            PID:2828
          • C:\Windows\system32\schtasks.exe
            "schtasks" /Create /TN "DPUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Local\DP\DPUpdate.exe"
            5⤵
            • Creates scheduled task(s)
            PID:284
          • C:\Users\Admin\AppData\Local\DP\DPService.exe
            "C:\Users\Admin\AppData\Local\DP\DPService.exe" 2964:::clickId=2778:::srcId=2778
            5⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            PID:1564
        • C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_4.exe
          "C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_4.exe" 2778 s
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2020
          • C:\Users\Admin\AppData\Local\Temp\MaintenanceHelper.exe
            "C:\Users\Admin\AppData\Local\Temp\MaintenanceHelper.exe" 2778 ng83 18 "http://www.pcmaintainer.com?c=18&s=cb94bb52-11a0-49f7-b506-4f4499ea7c4d&subid=2778"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1416
        • C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe
          "C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe" /qn CAMPAIGN="2778"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:2944
          • C:\Windows\SysWOW64\msiexec.exe
            "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2778 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1709162200 /qn CAMPAIGN=""2778"" " CAMPAIGN="2778"
            4⤵
            PID:2560
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B1247103FC99C0492EA7DF8E31D73324 C
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:1676
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 211C1842D9AA51F1E4DDB2CEB29112DC
      2⤵
      • Loads dropped DLL
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:1936
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
        3⤵
        • Kills process with taskkill
        PID:2332
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding AD1FDEBB763BDE54D0D056D0DCEA57C9 M Global\MSI0000
      2⤵
      • Loads dropped DLL
      PID:108

      Network

            MITRE ATT&CK Enterprise v15

            Downloads
