Malware Analysis Report

2025-08-05 20:45

Sample ID 240302-3a4s4saf96
Target Vega X Executor.zip
SHA256 0a82474b2b7c723f30d82c48a89c3199dfa903c6a52a825704879fca4a235829
Tags
discovery upx persistence
score
8/10

Analysis Overview

score
8/10

SHA256

0a82474b2b7c723f30d82c48a89c3199dfa903c6a52a825704879fca4a235829

Threat Level: Likely malicious

The file Vega X Executor.zip was found to be: Likely malicious.

Malicious Activity Summary

discovery upx persistence

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

UPX packed file

Checks installed software on the system

Enumerates connected drives

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in Windows directory

Registers COM server for autorun

Modifies system executable filetype association

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 23:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 23:19

Reported

2024-03-02 23:22

Platform

win7-20240221-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\PCMaintainer\Uninstaller.exe C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_4.exe N/A
File created C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\f784492.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f784494.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f784492.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4BD9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4940.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4971.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4BDA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4C0B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4B1A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4981.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f78448f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4992.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4B4A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4B7A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4B7B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f78448f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4950.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI48C2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4D35.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4A3E.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Johan.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "B8DDBE5C483C5BC4A933A9E42F81D915" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216" C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\DP\DPService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\DP\DPService.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\DP\DPService.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\DP\DPService.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MaintenanceHelper.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1584 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe
PID 1048 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_0.exe
PID 1048 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_2.exe
PID 2552 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_2.exe C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp
PID 2964 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp C:\Users\Admin\AppData\Local\Temp\is-ASNVH.tmp\_isetup\_setup64.tmp
PID 2964 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp C:\Windows\system32\schtasks.exe
PID 2964 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp C:\Windows\system32\schtasks.exe
PID 2964 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp C:\Users\Admin\AppData\Local\DP\DPService.exe
PID 1048 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_4.exe
PID 2020 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_4.exe C:\Users\Admin\AppData\Local\Temp\MaintenanceHelper.exe
PID 1048 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe
PID 1736 wrote to memory of 1676 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe

"C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe"

C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe

"C:\Users\Admin\AppData\Local\Temp\nsd1E6A.tmp\rem.exe"

C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_0.exe

"C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_0.exe" --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_2.exe

"C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=2964 /CLICKID=2778 /SOURCEID=2778

C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SCJJ1.tmp\set_2.tmp" /SL5="$E0166,6358074,832512,C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_2.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=2964 /CLICKID=2778 /SOURCEID=2778

C:\Users\Admin\AppData\Local\Temp\is-ASNVH.tmp\_isetup\_setup64.tmp

helper 105 0x1FC

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DPUpdateTask"

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DPUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Local\DP\DPUpdate.exe"

C:\Users\Admin\AppData\Local\DP\DPService.exe

"C:\Users\Admin\AppData\Local\DP\DPService.exe" 2964:::clickId=2778:::srcId=2778

C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_4.exe

"C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_4.exe" 2778 s

C:\Users\Admin\AppData\Local\Temp\MaintenanceHelper.exe

"C:\Users\Admin\AppData\Local\Temp\MaintenanceHelper.exe" 2778 ng83 18 "http://www.pcmaintainer.com?c=18&s=cb94bb52-11a0-49f7-b506-4f4499ea7c4d&subid=2778"

C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe

"C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe" /qn CAMPAIGN="2778"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B1247103FC99C0492EA7DF8E31D73324 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2778 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\set_5.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\nsi390B.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1709162200 /qn CAMPAIGN=""2778"" " CAMPAIGN="2778"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 211C1842D9AA51F1E4DDB2CEB29112DC

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding AD1FDEBB763BDE54D0D056D0DCEA57C9 M Global\MSI0000

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 23:19

Reported

2024-03-02 23:22

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe

"C:\Users\Admin\AppData\Local\Temp\Vega X Executor.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3496 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\nsu2B61.tmp\rem.exe

"C:\Users\Admin\AppData\Local\Temp\nsu2B61.tmp\rem.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 ducksstop.site udp
US 104.21.83.206:80 ducksstop.site tcp
US 8.8.8.8:53 yarnglove.xyz udp
US 172.67.211.172:80 yarnglove.xyz tcp
US 8.8.8.8:53 206.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 172.211.67.172.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp
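
The table above mixes the sample's traffic with the sandbox's own. A triage pass, added here as an example and not part of the original report: it parses the rows as copied from this run, sets aside the reverse in-addr.arpa lookups Windows issues for every peer, the empty DNS row and the g.bing.com traffic belonging to the Edge utility process also listed under Processes, folds the PTR names back into addresses to show which contacted peers were then reverse-resolved, and leaves the destinations the installer introduced: ducksstop.site and yarnglove.xyz over plain HTTP (the natural candidates for the download the summary's "Downloads MZ/PE file" refers to, given that INetC.dll, the NSIS download plugin, is among the files unpacked into nsu2B61.tmp) and two TCP connections with no name in the trace. The noise list is an assumption of this example and should be checked against a clean-image baseline of the same sandbox.

```python
import re
from collections import defaultdict

# Constructed sample: the behavioral2 "Network" table from this report, copied
# as plain text (Country, Destination, optional Domain, Proto).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 ducksstop.site udp
US 104.21.83.206:80 ducksstop.site tcp
US 8.8.8.8:53 yarnglove.xyz udp
US 172.67.211.172:80 yarnglove.xyz tcp
US 8.8.8.8:53 206.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 172.211.67.172.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>udp|tcp)$"
)

# Assumption of this example: traffic owned by the sandbox image (the Edge
# utility process in the same run), not by the sample.
SANDBOX_NOISE_DOMAINS = {"g.bing.com"}


def parse_rows(text):
    """Parse the flattened table; fail loudly on a row the regex cannot explain."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country "):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed network row: {line!r}")
        rows.append(m.groupdict())
    return rows


def classify(row):
    """Bucket one row so that only sample-introduced traffic is left over."""
    domain = row["domain"]
    if row["port"] == "53" and row["proto"] == "udp":
        if domain is None:
            return "dns-empty"
        if domain.endswith(".in-addr.arpa"):
            return "dns-ptr"        # Windows reverse-resolving a peer: noise
        return "dns-noise" if domain in SANDBOX_NOISE_DOMAINS else "dns-lookup"
    if domain in SANDBOX_NOISE_DOMAINS:
        return "conn-noise"
    return "conn-raw" if domain is None else "conn-named"


def ptr_to_ip(name):
    """'206.83.21.104.in-addr.arpa' -> '104.21.83.206'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(text):
    """Return the destinations worth pivoting on, with the noise counted but set aside."""
    rows = parse_rows(text)
    buckets = defaultdict(list)
    for row in rows:
        buckets[classify(row)].append(row)
    connected = {r["ip"] for r in rows if r["port"] != "53"}
    reverse_resolved = {ptr_to_ip(r["domain"]) for r in buckets["dns-ptr"]}
    named = buckets["dns-lookup"] + buckets["conn-named"]
    return {
        "domains": sorted({r["domain"] for r in named}),
        "named_endpoints": sorted({f'{r["ip"]}:{r["port"]}' for r in buckets["conn-named"]}),
        "raw_endpoints": sorted({f'{r["ip"]}:{r["port"]}' for r in buckets["conn-raw"]}),
        "ptr_lookups": len(buckets["dns-ptr"]),
        # peers the sample talked to that Windows then reverse-resolved
        "peers_reverse_resolved": sorted(connected & reverse_resolved),
    }
```

On this run the script leaves two domains, two named endpoints and two raw endpoints, and shows that three of the thirteen PTR lookups (for 104.21.83.206, 172.67.211.172 and 204.79.197.200) are reverse resolutions of peers that were just contacted, which is why they should not be read as extra C2.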

Files

C:\Users\Admin\AppData\Local\Temp\nsu2B61.tmp\nsDialogs.dll

MD5 1d8f01a83ddd259bc339902c1d33c8f1
SHA1 9f7806af462c94c39e2ec6cc9c7ad05c44eba04e
SHA256 4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
SHA512 28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

C:\Users\Admin\AppData\Local\Temp\nsu2B61.tmp\System.dll

MD5 4add245d4ba34b04f213409bfe504c07
SHA1 ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA256 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA512 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

C:\Users\Admin\AppData\Local\Temp\nsu2B61.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\nsu2B61.tmp\rem.exe

MD5 7d45f4dfd30962889c40269c85db74d7
SHA1 baf58f4ce8b71090144d0510e2b2f7aa75e1c785
SHA256 28c1006cf9b88ddba7e8c94274f51597e944c6965c3a6865ebc217cdd437e784
SHA512 ad10983f34fe75108e8f32c45bf17f1d167b394bf0ea372440db2b3aa4acfb16e3aa4d249b29bfb6a681c79f778cdba942b625289b098148c1391f8ff643639a

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-02 23:19

Reported

2024-03-02 23:22

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3700 wrote to memory of 2116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3700 wrote to memory of 2116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3700 wrote to memory of 2116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2116 -ip 2116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-02 23:19

Reported

2024-03-02 23:22

Platform

win7-20240221-en

Max time kernel

121s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-02 23:19

Reported

2024-03-02 23:22

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 4328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 4328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 4328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4328 -ip 4328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-02 23:19

Reported

2024-03-02 23:23

Platform

win7-20240221-en

Max time kernel

118s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe"

Signatures

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WinRAR\Order.htm C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\RarExt.dll C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\WinCon64.SFX C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\Zip64.SFX C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\Zip.SFX C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\Uninstall.lst C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExt.dll C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\Default.SFX C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\Default64.SFX C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\Descript.ion C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\RarExtInstaller.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExtInstaller.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\UnRAR.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExt32.dll C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\Rar.txt C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\Zip.SFX C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\WinRAR.chm C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\Rar.txt C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\WinCon.SFX C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\Zip64.SFX C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\rarnew.dat C:\Program Files\WinRAR\uninstall.exe N/A
File created C:\Program Files\WinRAR\RarExtPackage.msix C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExtPackage.msix C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\Order.htm C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\Rar.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\RarExt32.dll C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\Resources.pri C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\WinCon64.SFX C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\WhatsNew.txt C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\WinRAR.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\Descript.ion C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\RarFiles.lst C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259498396 C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\License.txt C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\Uninstall.lst C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\WinCon.SFX C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\WinRAR.chm C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\Rar.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\UnRAR.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\WinRAR.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\Resources.pri C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\License.txt C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File opened for modification C:\Program Files\WinRAR\WhatsNew.txt C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\RarFiles.lst C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\7zxa.dll C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\Default64.SFX C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\Default.SFX C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
File created C:\Program Files\WinRAR\zipnew.dat C:\Program Files\WinRAR\uninstall.exe N/A
File opened for modification C:\Program Files\WinRAR\7zxa.dll C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\WinRAR\uninstall.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\WinRAR\uninstall.exe N/A
N/A N/A C:\Program Files\WinRAR\uninstall.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Program Files\WinRAR\uninstall.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files\WinRAR\uninstall.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rar C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r09\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zst C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r07\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2 C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r21 C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zip C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r27 C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tar C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r15 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tlz C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.uu C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r19 C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lz C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r20 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r13 C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xz C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.taz C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r24 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tlz\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r03\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r13\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r28\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r14 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\"" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r01 C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r17 C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rev C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon C:\Program Files\WinRAR\uninstall.exe N/A
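
The two persistence-tagged signatures above (the exefile and lnkfile shell handlers, and the InProcServer32 registration) should be resolved to the DLL behind them before they are read as malware persistence. The following is an added example, not part of the original report: it parses registry rows copied from the signatures above, maps each CLSID to its InProcServer32 path and to every shell class that hooks it, and flags only servers that are unregistered in the trace or that live outside Program Files or Windows. On these rows both CLSIDs are written by uninstall.exe /setup and the one registered server is C:\Program Files\WinRAR\rarext.dll, matching the RarExt.dll and RarExt32.dll files the same process dropped under "Drops file in Program Files directory"; that is consistent with WinRAR's own shell extension, which on a live host should be confirmed by checking the DLL's Authenticode signature rather than assumed. The row list, the trusted-root list and the helper names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the behavioral9 registry signatures on this
# page, one flattened "action path [= "value"] process N/A" row per line.
REGISTRY_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
"""

LINE_RE = re.compile(
    r'^(?P<action>Key created|Set value \(str\)) (?P<path>\\REGISTRY\\\S+)'
    r'(?: = "(?P<value>.*)")?$'
)
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}")
CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
# Assumption of this example: an in-process server under these roots was put there
# by an installer; one under Temp, AppData or ProgramData is what to chase.
TRUSTED_ROOTS = ("C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Windows\\")


def parse_row(line):
    """Split one flattened row into action, path, value and writing process."""
    line = line.strip()
    if not line.endswith(" N/A"):
        raise ValueError(f"unexpected row tail: {line!r}")
    body, sep, proc_tail = line[: -len(" N/A")].rpartition(" C:\\")
    m = LINE_RE.match(body) if sep else None
    if m is None:
        raise ValueError(f"unparsed registry row: {line!r}")
    value = m.group("value")
    if value is not None:
        value = value.replace("\\\\", "\\")   # the report doubles backslashes in values
    return {"action": m.group("action"), "path": m.group("path"),
            "value": value, "process": "C:\\" + proc_tail}


def resolve_com_hooks(text):
    """Map each CLSID to its InProcServer32 DLL and to the shell classes hooking it."""
    entries = defaultdict(lambda: {"server": None, "threading": None,
                                   "hooks": set(), "writers": set()})
    for line in text.strip().splitlines():
        row = parse_row(line)
        if not row["path"].startswith(CLASSES):
            continue
        parts = row["path"][len(CLASSES):].rstrip("\\").split("\\")
        if parts[0] == "Wow6432Node":          # 32-bit view of the same hive
            parts = parts[1:]
        if parts[:1] == ["CLSID"] and len(parts) >= 3 and parts[2] == "InProcServer32":
            e = entries[parts[1]]
            e["writers"].add(row["process"])
            if len(parts) == 3 and row["value"] is not None:
                e["server"] = row["value"]        # (Default) = DLL path
            elif len(parts) == 4 and parts[3] == "ThreadingModel":
                e["threading"] = row["value"]
        elif len(parts) >= 3 and parts[1] == "shellex":
            # Classes\<class>\shellex\<handler type>\...: CLSID in key name or value
            for guid in GUID_RE.findall(" ".join(parts + [row["value"] or ""])):
                e = entries[guid]
                e["hooks"].add(f"{parts[0]}/{parts[2]}")
                e["writers"].add(row["process"])
    return {g: {**e, "hooks": sorted(e["hooks"]), "writers": sorted(e["writers"])}
            for g, e in entries.items()}


def review(entries):
    """One line per CLSID saying what a triager should do next."""
    out = {}
    for guid, e in entries.items():
        if e["server"] is None:
            out[guid] = "hooked but no InProcServer32 in this trace; check the full registry"
        elif not e["server"].startswith(TRUSTED_ROOTS):
            out[guid] = f"server outside installer roots: {e['server']}"
        else:
            out[guid] = f"server {e['server']} under a trusted root; verify its Authenticode signature"
    return out
```

Run over the rows above, the 64E4 CLSID resolves to rarext.dll with an Apartment threading model and four shell hooks, while the 8EE4 CLSID has hooks but no InProcServer32 row in the excerpt (the "Registers COM server for autorun" signature only lists the first), which is the kind of gap that sends you to the full registry rather than to a verdict.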

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe"

C:\Program Files\WinRAR\uninstall.exe

"C:\Program Files\WinRAR\uninstall.exe" /setup

Network

N/A

Files

\Program Files\WinRAR\Uninstall.exe

MD5 75aac9d1f8f9079920e67a2e5a69756e
SHA1 9a82e23162f801ae9025d3bdb504b8be6f01367d
SHA256 66440d6bd2554caec740850782036b372d15f298af28f68c5daec9f13a42e3ab
SHA512 9f54d32817d561fadfc32f99ecc809d6f9eb87f0fe1409882307a5407218a73dc6e00610501d59e0acc9b9bf1a12e8bc311da7ec471b785df6d39f3d626a3542

C:\Program Files\WinRAR\WinRAR.exe

MD5 ee69d18ef002d3119c8b67acf2243103
SHA1 3edf9831a6536e6351b85501253794a6e0bf98e3
SHA256 41bd325aff9b19c028c1e96eb1a3b08a8d00859004dbd16b7495b6a4cfdc1227
SHA512 813c9e3dd61ea8778089468f04e7c844248321ce92a2c4eeeea758c1eb2480e3cf3d041a38f23efab64f459167d0c7bbbb26a3d5345332ededcfcf281b991bbe

C:\Program Files\WinRAR\WinRAR.chm

MD5 70f999656185c78c219fa1eab112e92a
SHA1 1970bbc16947648e3abcdd431c1be6af945073bd
SHA256 6958bd49bcb61617eb8bc1c222cc65319c281357f8bb83d1526c576cb137f08a
SHA512 da62040a72babbdd150c30734a79f70b9f91addcf70c50a309538df6f2e06b8e20aae621f56a25ea21112fa94733a5e45ace91824c1c731ee8bb9adb8aaa3862

C:\Program Files\WinRAR\Rar.txt

MD5 a9369594740dc19b0e95ea48dca8bc23
SHA1 f4fa020e0bb4076411dc792eab887d876734672a
SHA256 05addd3d2be44b79266e6758239191147705e2918809cc21d821fb11a14bee2f
SHA512 a8f53f97c93157eecef6015b7e86f3cf4aca593098ef5cba4a0c23829efea580d92012673b4abc66deac5c868f4c76e762eb5e8b03e722ac6c6ac6a500119d20

C:\Program Files\WinRAR\WhatsNew.txt

MD5 575f5596dab03c85365221907a806b55
SHA1 0b99cf32075936f8ceb8bd900a9770713a61f31a
SHA256 aefcdffa9a231ea50b75785bd9a96a7bc209a33b1bddc26c643415ed6439483a
SHA512 4abe3b5c33e6e9ece1b3e95ac95d87451fff62e09d30c6fcca4965e6d226d480c396b5f47db3abc13e2520827514bcb5c030b664f299622df2ecc5eaa5d2051e

\Program Files\WinRAR\WinRAR.exe

MD5 56702716ecf0ccaf9131943f85f07eae
SHA1 cbcc4b552adace221aad6e4a88978179269109fe
SHA256 3d5404ec47e939941db9373aadf803b9dceccb30e3ad1923691bc6ab99422d7b
SHA512 a640b698f255ddd5dec17cadfa222ff731f9ea070cfeb855e1e6781bd7693c672c47fe01e8d50858a395b0e757794fcb0813fc34d4869510f9a0909078ee7a27

\Program Files\WinRAR\WinRAR.exe

MD5 02a6532b41765cf151a9b57cc795da7c
SHA1 5dfed83965e58d934ac3d11627db61b5a5cdad22
SHA256 abf6108192c3a8fcf1bea3e4a812e00c2e94d41e8f585e98d2e3158097711e13
SHA512 cf612687d4109f31310257b699f848e472a15d36513f81f5f71a260cafb0730e7216cb120769ee4e2df33ec6e9c69ec9fc0ec90b05a6be45b47a525817dc901c

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-02 23:19

Reported

2024-03-02 23:22

Platform

win10v2004-20240226-en

Max time kernel

105s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-02 23:19

Reported

2024-03-02 23:22

Platform

win7-20240221-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 240

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-02 23:19

Reported

2024-03-02 23:22

Platform

win10v2004-20240226-en

Max time kernel

107s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3484 wrote to memory of 1820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3484 wrote to memory of 1820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3484 wrote to memory of 1820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1820 -ip 1820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-02 23:19

Reported

2024-03-02 23:22

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 244

Network

N/A

Files

N/A
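
Six of the runs on this page (behavioral3, 4, 5, 6, 7 and 8) are the sandbox invoking each DLL it found in the installer's $PLUGINSDIR on its own through rundll32 export #1. nsDialogs.dll, System.dll and INetC.dll are NSIS installer plugins (the first two ship with NSIS, INetC is the inetc download plugin), the same files behavioral2 shows unpacked into nsu2B61.tmp. An NSIS plugin export expects the installer's own argument block (parent window, string size, variables block, stack pointer), not the four arguments rundll32 passes, so the crash that WerFault reports is the expected outcome of the harness and tells you nothing about the sample. The "Suspicious use of WriteProcessMemory" rows in the Windows 10 runs are the 64-bit C:\Windows\system32\rundll32.exe writing into the SysWOW64 copy it launches, with the same command line, when it finds a 32-bit DLL; that is rundll32's normal handoff, and the PID it writes to is the one WerFault later names. The following added example, not part of the report, parses one such run and makes those three checks explicit, so the run can be dismissed on evidence rather than on the empty Files and Network sections alone. The process list is copied from behavioral4; the plugin name list, the user-writable path list and the helper names are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the behavioral4 process list from this page as (image,
# command line) pairs in launch order, plus the (writer, target) PID pair from its
# "Suspicious use of WriteProcessMemory" rows.
PROCESSES = [
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2116 -ip 2116"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 628"),
]
WRITE_PROCESS_MEMORY = [(3700, 2116)] * 3

RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>.+?),(?P<export>#\d+|\w+)(?:\s|$)', re.I)
WERFAULT_PID_RE = re.compile(r"-p\s+(?P<pid>\d+)")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Assumption of this example: file names of the NSIS plugins seen in this report.
NSIS_PLUGINS = {"nsdialogs.dll", "system.dll", "inetc.dll"}


def parse_rundll32(cmdline):
    """Pull the DLL and export out of a rundll32 command line, or None."""
    m = RUNDLL_RE.match(cmdline.strip())
    if m is None:
        return None
    dll = m.group("dll").strip('"')
    low = dll.lower()
    return {
        "dll": dll,
        "export": m.group("export"),
        "user_writable": any(seg in low for seg in USER_WRITABLE),
        "nsis_plugin": "\\$pluginsdir\\" in low and PureWindowsPath(low).name in NSIS_PLUGINS,
    }


def triage_detonation(processes, wpm_pairs):
    """Explain a rundll32-of-a-dropped-DLL run: what was invoked, whether the 64-bit
    rundll32 handed off to its SysWOW64 copy, and whose crash WerFault reported."""
    invocations, werfault_pids = [], set()
    for image, cmdline in processes:
        name = PureWindowsPath(image).name.lower()
        if name == "rundll32.exe":
            info = parse_rundll32(cmdline)
            if info:
                info["image"] = image.lower()
                invocations.append(info)
        elif name == "werfault.exe":
            m = WERFAULT_PID_RE.search(cmdline)
            if m:
                werfault_pids.add(int(m.group("pid")))
    wow64_handoff = (
        len(invocations) == 2
        and "\\system32\\" in invocations[0]["image"]
        and "\\syswow64\\" in invocations[1]["image"]
        and invocations[0]["dll"] == invocations[1]["dll"]
        and invocations[0]["export"] == invocations[1]["export"]
    )
    written = {target for _, target in wpm_pairs}
    crash_is_child = bool(werfault_pids) and werfault_pids <= written and wow64_handoff
    first = invocations[0] if invocations else None
    if first is None:
        verdict = "no rundll32 invocation found"
    elif first["nsis_plugin"] and first["export"] == "#1" and werfault_pids:
        verdict = ("NSIS plugin called standalone via export #1 and crashed; "
                   "no sample behaviour observed in this run")
    elif first["user_writable"]:
        verdict = "rundll32 loaded a DLL from a user-writable path; review its exports"
    else:
        verdict = "rundll32 with a DLL outside user-writable paths; low interest"
    return {
        "dll": first["dll"] if first else None,
        "export": first["export"] if first else None,
        "wow64_handoff": wow64_handoff,
        "crashed_pids": sorted(werfault_pids),
        "crash_is_wow64_child": crash_is_child,
        "verdict": verdict,
    }
```

The Windows 7 runs (behavioral3, 5 and 7) carry the same rundll32 and WerFault -u -p pattern without WriteProcessMemory rows; fed an empty pair list the function still reports the handoff and the crash, but leaves crash_is_wow64_child false, which is the honest answer when the writer-to-target link was not recorded.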