Malware Analysis Report

2024-11-13 13:50

Sample ID 240405-188hvaeb2s
Target NightVerse Setup.exe
SHA256 af0a92ede514d4efa9e6abb5206ed59214d5eb7f9dc700c868e59db5958334dc
Tags
rhadamanthys stealc discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral6, behavioral15, behavioral24, behavioral25, behavioral28, behavioral32, behavioral2, behavioral7, behavioral8, behavioral13, behavioral18, behavioral21, behavioral22, behavioral5, behavioral14, behavioral20, behavioral23, behavioral4, behavioral16, behavioral11, behavioral27, behavioral26, behavioral19, behavioral29, behavioral31, behavioral3, behavioral30, behavioral9, behavioral10, behavioral12, behavioral17, behavioral1 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

af0a92ede514d4efa9e6abb5206ed59214d5eb7f9dc700c868e59db5958334dc

Threat Level: Known bad

The file NightVerse Setup.exe was found to be: Known bad.

Malicious Activity Summary

rhadamanthys stealc discovery spyware stealer

Rhadamanthys

Stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

.NET Reactor protector

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-05 22:21

Signatures

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (x6)

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\ReachFramework.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\ReachFramework.resources.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240221-en

Max time kernel

120s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Input.Manipulations.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Input.Manipulations.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationProvider.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationProvider.resources.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240221-en

Max time kernel

118s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationTypes.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationTypes.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\WindowsBase.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\WindowsBase.resources.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:25

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:40

Platform

win10v2004-20231215-en

Max time kernel

447s

Max time network

450s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3736 created 2640 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\sihost.exe

Downloads MZ/PE file

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A (x4)
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A (x47)
N/A N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe N/A (x2)
N/A N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe N/A (x2)
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A (x2)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 396 set thread context of 2740 N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 set thread context of 3776 N/A C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss2.exe C:\Windows\SysWOW64\cmd.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\NightVerse\System.Transactions.Local.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\cs\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\de\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ru\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Private.Xml.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\it\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\pt-BR\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\zh-Hant\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Text.Encodings.Web.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ko\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ko\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\fr\UIAutomationClientSideProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\pt-BR\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Security.Cryptography.Xml.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\pt-BR\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Runtime.Serialization.Formatters.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Text.Encoding.Extensions.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\de\System.Windows.Forms.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ko\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\pt-BR\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\tr\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Runtime.Serialization.Xml.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.ComponentModel.Annotations.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\cs\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File opened for modification C:\Program Files (x86)\NightVerse\NightVerse website.url C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\es\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\pt-BR\System.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\tr\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\PresentationFramework-SystemDrawing.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Private.DataContractSerialization.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Security.Cryptography.X509Certificates.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\it\System.Windows.Forms.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\pl\System.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\pt-BR\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Net.Sockets.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\pt-BR\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\Microsoft.Win32.Primitives.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Runtime.Numerics.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.CodeDom.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Globalization.Extensions.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\PresentationFramework-SystemCore.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Management.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ja\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ru\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.AppContext.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Console.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Diagnostics.EventLog.Messages.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Runtime.InteropServices.JavaScript.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\zh-Hans\System.Windows.Forms.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\zh-Hans\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Web.HttpUtility.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\cs\System.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\fr\System.Windows.Forms.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\fr\System.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ko\UIAutomationClientSideProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ru\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\mscordaccore.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\de\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\it\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ko\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\it\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\tr\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\PresentationNative_cor3.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (x8)
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss1.exe N/A (x2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe N/A (x1)
N/A N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe N/A (x2)
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A (x4)
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A (x4)
N/A N/A C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss2.exe N/A (x2)
N/A N/A C:\Windows\SysWOW64\dialer.exe N/A (x4)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (x4)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe C:\Program Files (x86)\NightVerse\NightVerse.exe
PID 1620 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe C:\Program Files (x86)\NightVerse\NightVerse.exe
PID 1896 wrote to memory of 1204 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 1204 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 2076 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 2076 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 4176 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 4176 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 892 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 892 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1896 wrote to memory of 1976 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss1.exe
PID 1896 wrote to memory of 1976 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss1.exe
PID 1896 wrote to memory of 1976 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss1.exe
PID 1976 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss1.exe C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe
PID 1976 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss1.exe C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe
PID 1976 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss1.exe C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe
PID 976 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe
PID 976 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe
PID 976 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe
PID 396 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 4812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2740 wrote to memory of 4812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2740 wrote to memory of 4812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2740 wrote to memory of 4812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1896 wrote to memory of 1948 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss2.exe
PID 1896 wrote to memory of 1948 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss2.exe
PID 1896 wrote to memory of 1948 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss2.exe
PID 1948 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss2.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 3736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 3736 wrote to memory of 1880 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe

"C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe"

C:\Program Files (x86)\NightVerse\NightVerse.exe

"C:\Program Files (x86)\NightVerse\NightVerse.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss1.exe

"C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss1.exe"

C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe

C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe

C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe

C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss2.exe

"C:\Users\Admin\AppData\Local\Temp\4a22406a-9770-4f9b-bc00-89a610422be9\snss2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\DisableImport.potm"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

Network

Files

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240221-en

Max time kernel

121s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Controls.Ribbon.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Controls.Ribbon.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win10v2004-20231215-en

Max time kernel

89s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Controls.Ribbon.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Controls.Ribbon.resources.dll,#1

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240319-en

Max time kernel

118s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Forms.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Forms.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win10v2004-20240226-en

Max time kernel

161s

Max time network

177s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Xaml.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Xaml.resources.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3408 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:8

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationClientSideProviders.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationClientSideProviders.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationClientSideProviders.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationClientSideProviders.resources.dll,#1

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240215-en

Max time kernel

121s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\ReachFramework.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\ReachFramework.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Forms.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Forms.resources.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win10v2004-20231215-en

Max time kernel

117s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationClient.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationClient.resources.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240220-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationProvider.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationProvider.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win10v2004-20240226-en

Max time kernel

120s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\PresentationUI.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\PresentationUI.resources.dll,#1

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

175s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Input.Manipulations.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Input.Manipulations.resources.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240220-en

Max time kernel

120s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Forms.Primitives.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Forms.Primitives.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240221-en

Max time kernel

122s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\WindowsBase.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\WindowsBase.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win10v2004-20240319-en

Max time kernel

142s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationTypes.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationTypes.resources.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
IE 94.245.104.56:443 tcp
GB 51.140.242.104:443 tcp
GB 51.11.108.188:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
GB 13.105.221.15:443 tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240215-en

Max time kernel

122s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationClient.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\UIAutomationClient.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240221-en

Max time kernel

121s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\WindowsFormsIntegration.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\WindowsFormsIntegration.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240221-en

Max time kernel

122s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\PresentationUI.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\PresentationUI.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win10v2004-20240226-en

Max time kernel

122s

Max time network

169s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\WindowsFormsIntegration.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\WindowsFormsIntegration.resources.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2260,i,3303482231723870786,2954015409682154873,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240221-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Forms.Design.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Forms.Design.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:25

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Forms.Design.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Forms.Design.resources.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Forms.Primitives.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Windows.Forms.Primitives.resources.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 74.239.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:26

Platform

win7-20240221-en

Max time kernel

120s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Xaml.resources.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\zh-Hans\System.Xaml.resources.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 22:20

Reported

2024-04-05 22:40

Platform

win7-20240221-en

Max time kernel

842s

Max time network

845s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe"

Signatures

Stealc

stealer stealc

Downloads MZ/PE file

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2732 set thread context of 3060 N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 set thread context of 1876 N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss2.exe C:\Windows\SysWOW64\cmd.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\NightVerse\it\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\PresentationNative_cor3.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Resources.Writer.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.ComponentModel.EventBasedAsync.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Runtime.Serialization.Formatters.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Security.Cryptography.ProtectedData.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\hostfxr.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\Microsoft.Win32.Registry.AccessControl.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Diagnostics.StackTrace.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.IO.Compression.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\tr\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\de\System.Windows.Forms.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\fr\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\PenImc_cor3.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Data.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.ValueTuple.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ru\Microsoft.VisualBasic.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\Microsoft.Win32.Primitives.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Net.NameResolution.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Windows.Controls.Ribbon.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\pt-BR\UIAutomationClientSideProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ru\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.ComponentModel.Primitives.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Private.CoreLib.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Security.SecureString.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.ServiceModel.Web.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\tr\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Security.Claims.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Threading.Tasks.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Xml.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\cs\System.Windows.Forms.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\cs\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\PresentationFramework.Luna.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Data.Common.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\clrjit.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ja\System.Windows.Forms.Primitives.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ko\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Xml.XDocument.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Xml.XPath.XDocument.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\tr\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Configuration.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\it\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\pt-BR\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.ComponentModel.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Diagnostics.PerformanceCounter.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\mscorrc.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\netstandard.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\PresentationFramework.Aero2.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Xml.XmlDocument.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\fr\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ja\System.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\ru\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Drawing.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Reflection.Emit.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Windows.Forms.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Xaml.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\es\System.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Text.Encodings.Web.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\de\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\System.Formats.Asn1.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File created C:\Program Files (x86)\NightVerse\fr\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A
File opened for modification C:\Program Files (x86)\NightVerse\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\NightVerse\Microsoft.VisualBasic.dll C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\explorer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob, hex omitted) C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob, hex omitted) C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob, hex omitted) C:\Program Files (x86)\NightVerse\NightVerse.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Program Files (x86)\NightVerse\NightVerse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe C:\Program Files (x86)\NightVerse\NightVerse.exe
PID 1220 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe C:\Program Files (x86)\NightVerse\NightVerse.exe
PID 1220 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe C:\Program Files (x86)\NightVerse\NightVerse.exe
PID 1220 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe C:\Program Files (x86)\NightVerse\NightVerse.exe
PID 1988 wrote to memory of 1632 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 1632 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 1632 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 1692 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 1692 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 1692 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 632 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 632 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 632 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 2508 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 2508 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 2508 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 2440 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe
PID 1988 wrote to memory of 2440 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe
PID 1988 wrote to memory of 2440 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe
PID 1988 wrote to memory of 2440 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe
PID 2440 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe
PID 2440 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe
PID 2440 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe
PID 2440 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe
PID 2440 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe
PID 2440 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe
PID 2440 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe
PID 1264 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe
PID 1264 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe
PID 1264 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe
PID 1264 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe
PID 1264 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe
PID 1264 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe
PID 1264 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe
PID 2732 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 3060 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 3060 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 3060 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 3060 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1988 wrote to memory of 1868 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss2.exe
PID 1988 wrote to memory of 1868 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss2.exe
PID 1988 wrote to memory of 1868 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss2.exe
PID 1988 wrote to memory of 1868 N/A C:\Program Files (x86)\NightVerse\NightVerse.exe C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss2.exe
PID 1868 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss2.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss2.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss2.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss2.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss2.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1876 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1876 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1876 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1876 wrote to memory of 996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe

"C:\Users\Admin\AppData\Local\Temp\NightVerse Setup.exe"

C:\Program Files (x86)\NightVerse\NightVerse.exe

"C:\Program Files (x86)\NightVerse\NightVerse.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\Admin'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe

"C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe"

C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe

C:\Users\Admin\AppData\Local\Temp\clientpowerv5\UniversalInstaller.exe

C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe

C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss2.exe

"C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 showpiecekennelmating.com udp
US 104.21.21.33:443 showpiecekennelmating.com tcp
US 104.21.21.33:443 showpiecekennelmating.com tcp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
DE 195.201.57.90:443 ipwho.is tcp
US 104.21.21.33:443 showpiecekennelmating.com tcp
US 104.21.21.33:443 showpiecekennelmating.com tcp
NL 89.105.201.33:80 89.105.201.33 tcp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
DE 195.201.57.90:443 ipwho.is tcp
US 104.21.21.33:443 showpiecekennelmating.com tcp
US 104.21.21.33:443 showpiecekennelmating.com tcp

Files

\Users\Admin\AppData\Local\Temp\nso344C.tmp\LangDLL.dll

MD5 50016010fb0d8db2bc4cd258ceb43be5
SHA1 44ba95ee12e69da72478cf358c93533a9c7a01dc
SHA256 32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e
SHA512 ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

\Users\Admin\AppData\Local\Temp\nso344C.tmp\InstallOptions.dll

MD5 d095b082b7c5ba4665d40d9c5042af6d
SHA1 2220277304af105ca6c56219f56f04e894b28d27
SHA256 b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c
SHA512 61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

C:\Users\Admin\AppData\Local\Temp\nso344C.tmp\ioSpecial.ini

MD5 3be750526a832c196e2ebd9bdd9cd2d5
SHA1 dfc90803b4d0c0753b73ed903812ac7bda4b9335
SHA256 09d70bdc653e52d8e6effc577bf1607106b248e51e7a0e24a72e9383b4c5c574
SHA512 4b0537a2bd83e0073913ee5eb9797391c670e04f3c79772629739ce29e4017e2c56d45cbce6a9a2d6e559a6010663c546df668223527ef433e02ae41018087d4

\Program Files (x86)\NightVerse\NightVerse.exe

MD5 f034c12cf8a8e4f7e889303ed7362c12
SHA1 68e95e5dbdac16ee941d62297d3e5aea2a49e9ab
SHA256 27c97c6bb1482509918ed30bef35569e13d86c704d884a340438b308b9d8b341
SHA512 43d983dfcfda921e20d1a9f8ac40cf6ab936f57eb09e9c30de2e81063424023f54ae3bcba15ae7806f6a57a937536a68d568254e971b3e7d70319c47d4233bdf

C:\Users\Admin\AppData\Local\Temp\nso344C.tmp\ioSpecial.ini

MD5 8166ccdbb25f409f1c1bb7bbd66fc16b
SHA1 cf941319285b115642909ca2e9bfbf073af2da43
SHA256 8156c2f6b96bdf336ed3d3a5ef7ff3a6157b1d4477cd02cc22bcbd902a373be1
SHA512 5d051ba15005431a9b9eae8d8f4911ed50a7392bae03ed85198d56618a847aa09dfc419c99a19b4b8964cd8230f0bdd41af4de7afe646262ee3f76cb2de40c2a

C:\Users\Admin\AppData\Local\Temp\nso344C.tmp\ioSpecial.ini

MD5 9c78fd020ef56da60597bc72b8f63611
SHA1 e728bbd45cf1a973a372f47808d06a635e3b60dc
SHA256 4d4c00241feb3ad1ecefed2a27ae8bfdbfbfb63091a13e25ee4219a4f3307cd1
SHA512 146b0c5e9f3e992e5c1a1582d66add599fdfdb2ac928fe76c8e7c3babff7d3af884bdcf518a4a549945bc0af81045756a98aa0491bc108f733a70f04a35b5459

\Users\Admin\AppData\Local\Temp\nso344C.tmp\System.dll

MD5 4add245d4ba34b04f213409bfe504c07
SHA1 ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA256 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA512 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

\Program Files (x86)\NightVerse\coreclr.dll

MD5 9369162a572d150dca56c7ebcbb19285
SHA1 81ce4faeecbd9ba219411a6e61d3510aa90d971d
SHA256 871949a2ec19c183ccdacdea54c7b3e43c590eaf445e1b58817ee1cb3ce366d5
SHA512 1eb5eb2d90e3dd38023a3ae461f717837ce50c2f9fc5e882b0593ab81dae1748bdbb7b9b0c832451dfe3c1529f5e1894a451365b8c872a8c0a185b521dbcd16b

\Program Files (x86)\NightVerse\hostpolicy.dll

MD5 a7e9ed205cf16318d90734d184f220d0
SHA1 10de2d33e05728e409e254441e864590b77e9637
SHA256 02c8dbe7bf1999352fc561cb35b51c6a88c881a4223c478c91768fdaf8e47b62
SHA512 3ecbaf20946e27d924a38c5a2bf11bac7b678b8c4ebf6f436c923ea935982500e97f91d0e934b7fd6b1fc2a2fd34e7d7b31dbbe91314a218724b3b2fd64c4052

\Program Files (x86)\NightVerse\hostfxr.dll

MD5 16532d13721ba4eac3ca60c29eefb16d
SHA1 f058d96f8e93b5291c07afdc1d891a8cc3edc9a0
SHA256 5aa15c6119b971742a7f824609739198a3c7c499370ed8b8df5a5942f69d9303
SHA512 9da30d469b4faed86a4bc62617b309f34e6bda66a3021b4a27d197d4bcb361f859c1a7c0aa2d16f0867ad93524b62a5f4e5ae5cf082da47fece87fc3d32ab100

\Program Files (x86)\NightVerse\System.Private.CoreLib.dll

MD5 805cf170e27dd31219a6b873c17dce88
SHA1 ac90fa4690a8b54b6248dcb4c41a2c9a74547667
SHA256 ba7e61a00e7a4634b5c5a79b83126f75580ceec235c613000c3efbc01826cad0
SHA512 fa946aae906b66cb5570155a1c77340f2b6d4efb9be16068da03a8f1c5b5f37ad847d65cd1416017db19375dc6a72670300da4c766e6d9bb1a00374f492bd866

\Program Files (x86)\NightVerse\clrjit.dll

MD5 8b81a3f0521b10e9de59507fe8efd685
SHA1 0516ff331e09fbd88817d265ff9dd0b647f31acb
SHA256 0759c8129bc761fe039e1cacb92c643606591cb8149a2ed33ee16babc9768dcb
SHA512 ea11c04b92a76957dcebe9667bef1881fc9afa0f8c1547e23ada8125aa9e40d36e0efaf5749da346ba40c66da439cbd15bf98453e1f8dab4fe1efd5618fdc176

C:\Program Files (x86)\NightVerse\System.Runtime.dll

MD5 53501b2f33c210123a1a08a977d16b25
SHA1 354e358d7cf2a655e80c4e4a645733c3db0e7e4d
SHA256 1fc86ada2ec543a85b8a06a9470a7b5aaa91eb03cfe497a32cd52a1e043ea100
SHA512 9ef3b47ddd275de9dfb5ded34a69a74af2689ebcb34911f0e4ffef9e2faf409e2395c7730bce364b5668b2b3b3e05a7b5998586563fb15e22c223859b2e77796

C:\Program Files (x86)\NightVerse\System.Security.Cryptography.dll

MD5 75f18d3666eb009dd86fab998bb98710
SHA1 b273f135e289d528c0cfffad5613a272437b1f77
SHA256 4582f67764410785714a30fa05ffaaad78fe1bc8d4689889a43c2af825b2002e
SHA512 9e110e87e00f42c228729e649903ad649b962ae28900d486ee8f96c47acca094dbace608f9504745abf7e69597cdef3c6b544b5194703882a0a7f27b011fa8d5

C:\Program Files (x86)\NightVerse\System.Collections.dll

MD5 92063926c04f2e4bf5b5fde16542831d
SHA1 e7be34eaff2d3d8796911d21f1fdbb93bf231dec
SHA256 9193aaef3ea8f19408f88c25fcaf5880e7836d1c35028d7e4077f6090b083541
SHA512 e855ee37980d1da2d143ee39133b05fff81937e529cffe74433e73088549daabd3abadbf05f3765bf3ffffd50313f0ed966efec0eb244d7363241affd73cc29f

C:\Program Files (x86)\NightVerse\System.Collections.Concurrent.dll

MD5 38d21e067d7673194a84cced59066ac8
SHA1 e64362176f714b23603f3a67f1e741f12e35a832
SHA256 483130bfd1e57a0cbfd8a4f3c6e2353ac3f246276f9476c83cca1cadbc47ef47
SHA512 3fa6f78ff0cb527a8e82261549f24a8609d005821ac5c5e7257670dffd55472a134af3ef78d73779758303ae5a90728181cd4caebc871c5cfa4c309141201baf

C:\Program Files (x86)\NightVerse\System.Memory.dll

MD5 7e999da530c21a292cec8a642127b8c8
SHA1 6585d0260ae98bab2ad1eaba0f9cfe8ebb8a0b3f
SHA256 3af25e0c81c1462d0db86f55c4e5fd8c048c70685f9a566d29d499bc46935fb4
SHA512 a18b6649b5c2f9f96bf639863df9faad436759200a64f91fb2d955f33c71ce4b2d5798be982f692a247ac864d8acb63fb731b31c06333e5c7d9a9c895ecd6451

C:\Program Files (x86)\NightVerse\System.Threading.dll

MD5 32aa6e809d0ddb57806c6c23b584440e
SHA1 6bd651b9456f88a28f7054af475031afe52b7b64
SHA256 e8d1f5c422ee0ba3b235b22028ab92dc77c1ff9774edc0b940cad7224a30ba7d
SHA512 fe43b3d6ed5c37d59a44636d3c7522a88d83e6ec074bf69d3cbb6e5454fdd8f0523ea10fdf6fd452cbd0e2fc159cf9d03dfad6b30e80e400e7f1773b5a2e8632

C:\Program Files (x86)\NightVerse\System.Threading.Thread.dll

MD5 72d839e793c4f3200d4c5a6d4aa28d20
SHA1 fbc25dd97b031a6faddd7e33bc500719e8eead19
SHA256 84c9a95609878542f00fe7da658f62d1a6943a43e6346af80d26bcff069a4dbd
SHA512 a414cd9d7cf6a04709f3bdbef0295349b845a8301171ed6394e97b9993f35816383b958736c814f91c359a783cca86ee04802856486d4b4e0ab90a45da39db1d

C:\Program Files (x86)\NightVerse\System.Windows.Forms.Primitives.dll

MD5 8129c2d72bcba8b50576e7c43e558832
SHA1 f4892f78d2496f3a2e1fa2380ff68fbeb62e2dca
SHA256 5794a3996a0b4ab9cb13f3de0f87d50462615a7d0eb1d243d9324a682c1b58cb
SHA512 40fafbf9590d2b2c8f487f44708e9e97ddce03b1487be5c7cb3d4c92bdb7100a98aebada379f63003f0dd9d447ee2b0b9dfa0b057320ac05f7f77b31c5ffa97d

C:\Program Files (x86)\NightVerse\Accessibility.dll

MD5 fb554f9fe0b91f135d26ac6459cfd6f2
SHA1 b1269a2c28bded872b14fe70b69484631ef3a65d
SHA256 929ea150ad45b7c7dd5427461fbec44d43b67c08081f59b42b6abf570feae271
SHA512 8dffde6cddfc59ec380111fd36048126559e1f1e080c081ca0d09021bb23d6888e93e1659c7b3a8fa46f76602b03cf3e638ec1a80fba79e51648dcb32362e10c

\Program Files (x86)\NightVerse\System.ComponentModel.EventBasedAsync.dll

MD5 333639248121fb67d18323613a8203ea
SHA1 0cee5f7d46596239b833b3b30dccde27b0136959
SHA256 4c97d7bc0742faaa52ba86018b040aac44ddfc88a5835f9e6a659e03b4558999
SHA512 714fcb7299abcb26100b5f4103834c11c58f535ee9853fca2bcb22f43a3d1e7608d6ccae2dcc93d1687a4f1c8b521afe683d537f70f858681e62fff2d79c4acb

C:\Program Files (x86)\NightVerse\Microsoft.Win32.Primitives.dll

MD5 300c95ff95b52e8a02fec6bfcfa58225
SHA1 b646f89fcd463ad5c19889b4fea40540568b780c
SHA256 f1b40565e5c4c41da810aee5b7d2272a0906e88f796812435aa5ed712bcac40c
SHA512 9bfe0eb6eea98b2d35aa42986a273ec82424143965e173b32bb4b7e5537580a027940a6952a45fc54f0b665e871deb2a95651106c2f24c7de3b3d3cd2dec7e89

\Program Files (x86)\NightVerse\System.Drawing.Common.dll

MD5 e4715322db624dc52947a42ac67757ab
SHA1 ba0b0850142ecc3910927d6f2e5781b896d7d442
SHA256 75b1e772a4355145364121af00e5b5cf06c7212aa53d662fdc996bc11e8092a9
SHA512 3c86d44eb209a3a1f2001968a2b139e532a0513fd2decff04aa1bf8b30b6202c70fc0e7ac8b22ace563023671259cd74cf65062132e7f1b97d3580621686b05a

\Program Files (x86)\NightVerse\System.Diagnostics.TraceSource.dll

MD5 fe6a4b96e144131788108c8396a849eb
SHA1 40e6e5d03cfe036645ae854d5a2262faec6bed32
SHA256 22365ee4e3ba3c991d495e41f92e29bf6ddb38a48c44f55651271b80ee62b6d1
SHA512 61644c0e970dd6a6ff697b110bf99962931dd94deda5a966ea0fded3d23cba7433b802656295e04f1a95421774ea3c838f0a642d26b5e46ae6c05becb52eb7f1

\Program Files (x86)\NightVerse\System.Collections.Specialized.dll

MD5 cc26e9e30ffab763a1e54c0ef3713382
SHA1 c3be6646b7a4576ebd7729dbf4dccbd1fc159d51
SHA256 0cbabb81eae22f4c07c6c846054d207ae3f25da15649eb7fa29e4e2cecd24db4
SHA512 c8e57fb70cfa7667f9a5484c99eedd0bf34004ee26e9642e99a6b90624caa804af571d8aaafa7e9b121550af58205f8ed197b4ddb928210d394ff0b4c1897149

\Program Files (x86)\NightVerse\System.Drawing.Primitives.dll

MD5 b5ca10a41cc865048491f617678722a9
SHA1 afe171d9d676b78983b802e18ef8e00927073c64
SHA256 cbe9fbb1d1e4850460854474ffd8c01ddcc756dcb33a86d1674c0cb2e2a0b026
SHA512 2afdce56b7eec6deb82f8b2d5ec3029b5a0ee1e8bbf2e0ff9a0a5310bf265ddcdf63660546b4dbcc3c5fb0cba3cbb94f2408fe5cb4d14dbe0e74aba6dd5a2192

\Program Files (x86)\NightVerse\System.ComponentModel.Primitives.dll

MD5 1c59c00ab0850af4b4d2bafd6be47db3
SHA1 4c6185b2f42987e25a5fdf2aa30cf4150de25d5b
SHA256 133ec34432ab8fa4f63ade636193864b6a62a089a0c98d746f5532c8a52f437b
SHA512 8425c02c4afb274e862e4ed5dd1c766ebfa1bcf5bf59018d86238014a52603331a8b7c1e233f5a1f22171e90132ddd585db0d2561ff2cd287d703397afdff4b1

\Program Files (x86)\NightVerse\System.Windows.Forms.dll

MD5 a51632facb386d55cc3bc1f0822e4222
SHA1 59144c26183277304933fd8bb5da7d363fcc11fa
SHA256 efc52dbbef5202d9ff424d7adc6e2249b66450a5fd5414891776fc617b00123e
SHA512 2a8d8e2ee8168e6f79476616385320f463ebc161c7393db2b18a7d35ca0111c5100b83954c5eabfe32b12cac3dbfdc514271dde4cc4468dd26235eb7020d9c14

\Program Files (x86)\NightVerse\System.Private.Xml.dll

MD5 46aebfbd6d7e74d4d558da62d7600d25
SHA1 9c1cd44ab8b5e283967427e91cbddddfc0c2bf5a
SHA256 834e304221e742a831be5c5178892258e689eae35b730172e74161af2785aab9
SHA512 9c4499d174a988cc3830aafcc42f79defff37b16198f49cf5d2dc86f88809fcb44e0c300351f813d46addf9998f64448c50213f1721c6a307aad21c205db1524

\Program Files (x86)\NightVerse\System.Private.Xml.Linq.dll

MD5 60ed8b2bffc748d6a2a1fed8fa923368
SHA1 be411429b9a649a495124558c5e5d95a83525d58
SHA256 0b63cebb991d1911a607993ea5b4639f34a2b0b381a73973542db2d3591e9f90
SHA512 b0a4ac2aa96d827258bb30f098512741ad3f93585e05ceae0255e15cd8dc9ab8048788902c1eb32a813e9c69c8a923200a716b4e00f579c22a0b425665e575f8

C:\Program Files (x86)\NightVerse\System.IO.FileSystem.dll

MD5 35e27f4c681085a4b096826ee8ea4f53
SHA1 cf3ea4304e5558c8fdd4422e4d72509cd91ea719
SHA256 7bd41c6b12b73e6e90476f2d56db8581664abe07e7ab9bf2917bb254ed1d75ad
SHA512 1f9e6519ff29524e57cb0b3576ab118014293aade8f30027ef44b1f29a8e9a54e7bcb3b288a92dba996053b16016807d93fa9f44f2c43666ddc6425ddd7ae4b9

\Program Files (x86)\NightVerse\System.Runtime.InteropServices.dll

MD5 49c86e36b713e2b7daeb7547cede45fb
SHA1 75fe38864362226d2cce32b2c25432b1fd18ba37
SHA256 756de3f5f2e07b478ac046a0ac976b992ef6bc653a1be2bb1e28524a4ff8d67d
SHA512 a9bd42b626158c540be04f8d392620daba544a55b7438d6caefe93b9df10ec2219f28959c4e0d706a86b92008275de94dfdf19de730787cdacf46d99fc45e3a9

C:\Program Files (x86)\NightVerse\System.Security.Cryptography.Algorithms.dll

MD5 8f3b379221c31a9c5a39e31e136d0fda
SHA1 e57e8efe5609b27e8c180a04a16fbe1a82f5557d
SHA256 c99c6b384655e1af4ae5161fe9d54d95828ae17b18b884b0a99258f1c45aa388
SHA512 377f4e611a7cf2d5035f4622c590572031a476dd111598168acea1844aaa425c0fe012c763fbc16290c7b32c6c7df7b2563c88227e3dbc5d2bd02250c9d368d9

memory/1988-730-0x000007FEF5B80000-0x000007FEF606B000-memory.dmp

C:\Program Files (x86)\NightVerse\System.Security.Cryptography.Csp.dll

MD5 c7f55dbc6f5090194c5907054779e982
SHA1 efa17e697b8cfd607c728608a3926eda7cd88238
SHA256 16bc1f72938d96deca5ce031a29a43552385674c83f07e4f91d387f5f01b8d0a
SHA512 ae0164273b04afdec2257ae30126a8b44d80ee52725009cc917d28d09fcfb19dfbbb3a817423e98af36f773015768fed9964331d992ad1830f6797b854c0c355

C:\Program Files (x86)\NightVerse\System.Security.Cryptography.Primitives.dll

MD5 777ac34f9d89c6e4753b7a7b3be4ca29
SHA1 27e4bd1bfd7c9d9b0b19f3d6008582b44c156443
SHA256 6703e8d35df4b6389f43df88cc35fc3b3823fb3a7f04e5eb540b0af39f5fa622
SHA512 a791fa27b37c67ace72956680c662eb68f053fa8c8f4205f6ed78ecb2748d27d9010a8de94669d0ee33a8fca885380f8e6cfad9f475b07f60d34cdcb02d57439

C:\Program Files (x86)\NightVerse\mscorrc.dll

MD5 53e03d5e3bffa02fbc7fb1420ac8e858
SHA1 36c44c9ff39815aa167f341c286c5cd1514f771f
SHA256 23a433398be5135222ee14bb1de6334e7b22bad1a38664a83f1cf19dfbddd960
SHA512 f6aca16b90f6b4efa413dc9a8f1d05e83c1e3791b2cb988f9bce69d5272a0077c1edcae4111a494d166b5e3ab4e25956dead4e93ee1e43417c2b7bb082292170

\Program Files (x86)\NightVerse\NightVerse.dll

MD5 6c021a36ae428093771b3600e2b0a024
SHA1 b589a03a18b4680745a4ae2df5a5f656f87de6c9
SHA256 cdd060b97e938dbf1cdd125e3b7667d23190bfe046939f297c6b83891cb0d7e1
SHA512 563e399d96cb70b501d56b4ae48b7f11a6d56c0137d3df97f0084c27d8386f564354cd55f0019a765d464f049f5b64f1ff0b642e40eecdc068c6b9c6bffb376f

memory/1632-735-0x000000001B610000-0x000000001B8F2000-memory.dmp

memory/1632-736-0x000007FEF2050000-0x000007FEF29ED000-memory.dmp

memory/1632-738-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

memory/1632-737-0x0000000002A30000-0x0000000002AB0000-memory.dmp

memory/1632-740-0x0000000002A30000-0x0000000002AB0000-memory.dmp

memory/1632-741-0x0000000002A30000-0x0000000002AB0000-memory.dmp

memory/1632-742-0x0000000002A30000-0x0000000002AB0000-memory.dmp

memory/1632-739-0x000007FEF2050000-0x000007FEF29ED000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7SC6VBF52FH8D2E9B8FC.temp

MD5 987d9572b6efbbab0990cca6bbe0cd9c
SHA1 15232a0ae9a0c57e40b41a3c903dd1b63a533edc
SHA256 9b96a095d4af5ded203d63a8d9e425d6caeb5552969eaabd0c5d69fd940b2e07
SHA512 070fc17f26eececa7623b8ee67457b2d0ba3031773ac7bffcb25f5b6411f188d0ccdb0753ffccc89e6bb0f11dff704a445ed28091fb15b745098ce97a114cd28

memory/1632-743-0x000007FEF2050000-0x000007FEF29ED000-memory.dmp

memory/632-767-0x0000000002800000-0x0000000002880000-memory.dmp

memory/2508-766-0x000007FEF2050000-0x000007FEF29ED000-memory.dmp

memory/2508-765-0x0000000002890000-0x0000000002910000-memory.dmp

memory/1692-764-0x0000000002A30000-0x0000000002AB0000-memory.dmp

memory/632-763-0x0000000002800000-0x0000000002880000-memory.dmp

memory/632-762-0x000007FEF2050000-0x000007FEF29ED000-memory.dmp

memory/632-761-0x0000000002800000-0x0000000002880000-memory.dmp

memory/632-760-0x000007FEF2050000-0x000007FEF29ED000-memory.dmp

memory/1692-759-0x0000000002A30000-0x0000000002AB0000-memory.dmp

memory/1692-758-0x000007FEF2050000-0x000007FEF29ED000-memory.dmp

memory/1692-753-0x0000000002A30000-0x0000000002AB0000-memory.dmp

memory/1692-752-0x000007FEF2050000-0x000007FEF29ED000-memory.dmp

memory/632-769-0x000007FEF2050000-0x000007FEF29ED000-memory.dmp

memory/1692-768-0x000007FEF2050000-0x000007FEF29ED000-memory.dmp

memory/2508-770-0x000007FEF2050000-0x000007FEF29ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d496654c-a63d-4aa5-a768-a67fda040982\snss1.exe

MD5 80ee144eb3eb89624d5e5b2fda0f59e8
SHA1 7b7c359697a204f56b458dc8337a6aa4927f5209
SHA256 7918139a1c231cbae81e6f93d5151b98c45d977d5b49f45134cdce8aa047a25b
SHA512 0906fcd0f8594071700f0db3823d1e69af39518ed3465b184b3ba0221d738c5bd73337dccffaf5bb8e74da813a5bcef3e03f94887de2a6f38fdd787661cd471d

memory/2440-777-0x0000000000400000-0x0000000000AB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD0E6.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\af24b5b0

MD5 8ae28789402a7fc569fb06de1a1ce7a9
SHA1 a3f68ea1aaf8f2a9b017ad9acaa8f9a607dbb006
SHA256 48d316932fc697d69ef6806bcb018e6b42c14e38ec09731a7279a4b1d7f977d6
SHA512 dcad5eb2c68cb84b5d81260f8629aa7c02346c2a08d3596895ba118279b2c42a69a5bb21ce54bf4f5d560fb1a413b5037095c3e5f5d0a05772a42dc2b499a665

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

memory/2440-817-0x0000000074380000-0x00000000744F4000-memory.dmp

memory/2440-818-0x0000000077190000-0x0000000077339000-memory.dmp

memory/2440-820-0x0000000074380000-0x00000000744F4000-memory.dmp

memory/1988-821-0x000007FEF5B80000-0x000007FEF606B000-memory.dmp

memory/2440-828-0x0000000074380000-0x00000000744F4000-memory.dmp

memory/2440-831-0x0000000074380000-0x00000000744F4000-memory.dmp

memory/1264-834-0x0000000074380000-0x00000000744F4000-memory.dmp

memory/1264-835-0x0000000077190000-0x0000000077339000-memory.dmp

C:\Users\Admin\AppData\Roaming\clientpowerv5\UniversalInstaller.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

memory/2732-843-0x0000000074380000-0x00000000744F4000-memory.dmp

memory/2732-844-0x0000000077190000-0x0000000077339000-memory.dmp

memory/2732-845-0x0000000074380000-0x00000000744F4000-memory.dmp

memory/2440-846-0x0000000074380000-0x00000000744F4000-memory.dmp

memory/2732-847-0x0000000074380000-0x00000000744F4000-memory.dmp

memory/3060-849-0x0000000074380000-0x00000000744F4000-memory.dmp

memory/3060-851-0x0000000077190000-0x0000000077339000-memory.dmp

memory/3060-852-0x0000000074380000-0x00000000744F4000-memory.dmp

memory/3060-853-0x0000000074380000-0x00000000744F4000-memory.dmp

memory/3060-855-0x0000000074380000-0x00000000744F4000-memory.dmp

memory/1184-856-0x0000000000400000-0x000000000063D000-memory.dmp

memory/1184-857-0x0000000077190000-0x0000000077339000-memory.dmp

memory/1184-858-0x0000000000400000-0x000000000063D000-memory.dmp

memory/1184-860-0x00000000008A0000-0x0000000000B21000-memory.dmp

memory/1184-861-0x0000000000400000-0x000000000063D000-memory.dmp

memory/1184-862-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1184-894-0x0000000000400000-0x000000000063D000-memory.dmp

memory/1184-917-0x0000000000400000-0x000000000063D000-memory.dmp

memory/1868-921-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/1868-920-0x0000000000400000-0x0000000000ACD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\15a74bc1

MD5 f3fd4037985d849b63bade11dd4dc958
SHA1 5ddd89e550379c7b2f2d0bf491e8cb2524078a6d
SHA256 7a068b03e7c8934e9bbaa3777b6f55b6cd5c3834113956a7e857547cdfff448f
SHA512 3a92315043c9ed25b05bc8ac9c18758b21144f6bd55c9284adf4b5829b7050e1c46af51b5519494ecb4694405efb732e23962df262dd3fe288f763d1da083b3c

memory/1868-927-0x0000000074150000-0x00000000742C4000-memory.dmp

memory/1868-928-0x0000000077190000-0x0000000077339000-memory.dmp

memory/1868-929-0x0000000074150000-0x00000000742C4000-memory.dmp

memory/1868-930-0x0000000074150000-0x00000000742C4000-memory.dmp

memory/1876-933-0x0000000074150000-0x00000000742C4000-memory.dmp

memory/1876-934-0x0000000077190000-0x0000000077339000-memory.dmp

memory/1876-935-0x0000000074150000-0x00000000742C4000-memory.dmp

memory/1876-936-0x0000000074150000-0x00000000742C4000-memory.dmp

memory/1988-937-0x000007FEF5B80000-0x000007FEF606B000-memory.dmp

memory/1876-939-0x0000000074150000-0x00000000742C4000-memory.dmp

memory/996-940-0x0000000000400000-0x000000000046F000-memory.dmp

memory/996-941-0x0000000077190000-0x0000000077339000-memory.dmp

memory/996-942-0x0000000000400000-0x000000000046F000-memory.dmp

memory/996-944-0x00000000005E0000-0x0000000000861000-memory.dmp

memory/996-945-0x0000000000400000-0x000000000046F000-memory.dmp