Malware Analysis Report

2024-11-16 15:03

Sample ID 240620-ewvkkaybrf
Target Taxsex.com.exe
SHA256 3250f973c9d64981862cda1fdc1a38dfb1dc6ddf8aacd8618286df07a7c6e56a
Tags blackmoon banker evasion trojan upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

3250f973c9d64981862cda1fdc1a38dfb1dc6ddf8aacd8618286df07a7c6e56a

Threat Level: Known bad

The file Taxsex.com.exe was found to be: Known bad.

Malicious Activity Summary

blackmoon banker evasion trojan upx

Blackmoon, KrBanker

Detect Blackmoon payload

Suspicious use of NtCreateUserProcessOtherParentProcess

UAC bypass

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

UPX packed file

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 04:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 04:17

Reported

2024-06-20 04:20

Platform

win10-20240404-en

Max time kernel

150s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 5004 created 3448 N/A C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe C:\Windows\Explorer.EXE

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Windows\syswow64\MsiExec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
N/A N/A C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
N/A N/A C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\XSecurite.exe C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A
File opened for modification C:\Windows\SysWOW64\XSecurite.exe C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.MFC\mfc90.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\Microsoft.VC80.CRT.manifest C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\XLGameUpdate.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Browser_1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\msvcp140_2.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\libmini.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\vcruntime140.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\AARV2 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\TOFNC C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Lastnama C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\MemDefrag.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\oDayProtect.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\RunHours\et.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\globalV1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\libmini.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.CRT\msvcp90.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\NVIDIA_GeForce_Experience_json C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\rtl120.bpl C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\ComeOn C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\LICENSE.libdt C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\APXmodule-2.0.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\LICENSE.3rd C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\LostP C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\NULL.bin C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\plugins\version C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\en-US.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\WGLogin.olg C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\hu.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\lco.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\li.dat C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\package.json C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\vcruntime140.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\WinCall C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\hi.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\plugins\am.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\QMRtpDLL.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\Microsoft.VC80.ATL.manifest C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\msvcp110.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\msvcp140.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\themes\ovf-vmware.xsd C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\RunHours\fa.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\CharMainoV1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\ComeOn C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\http.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\contribscr.ini C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\LostHe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\version C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\CjLibV1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\4352d88a78aa3975HHI.exe C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\SysP2.bat C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\7z.dll C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\eE3myMsQE5fMQEaGfWHcwmTjYnsA1RTfNJe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\KwLib.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\vcruntime140_1.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\QdLibV2 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\BoukenP C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\KwLayoutMgr.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\en-GB.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\QMDns.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\QMOfficeScan.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\qvlnkbroV1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\WindowsInstallerMB\holder0.aiph C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File created C:\Windows\Installer\e57a633.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Fonts\WindowsInstallerMB\TS1.msi C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened for modification C:\Windows\Installer\MSIA914.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{EAF3B236-F7BE-48D9-920D-2C3CD1BCB37B} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAF5E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57a633.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA6B0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA7AB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB339.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA7EA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Fonts\WindowsInstallerMB\TS11.cab C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 C:\Windows\system32\svchost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 2624 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3428 wrote to memory of 2624 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3428 wrote to memory of 2624 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4116 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe
PID 4116 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe
PID 4116 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe
PID 3428 wrote to memory of 3176 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3428 wrote to memory of 3176 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3428 wrote to memory of 652 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3428 wrote to memory of 652 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3428 wrote to memory of 652 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 652 wrote to memory of 4560 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 652 wrote to memory of 4560 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 652 wrote to memory of 4560 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 652 wrote to memory of 1484 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 652 wrote to memory of 1484 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 652 wrote to memory of 1484 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 652 wrote to memory of 2696 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 652 wrote to memory of 2696 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 652 wrote to memory of 2696 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 4656 wrote to memory of 5004 N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe
PID 4656 wrote to memory of 5004 N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe
PID 4656 wrote to memory of 5004 N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe

"C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 72D053F5F0BAEB9A2EE8CBC678CE54D1 C

C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe

"C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe" /i C:\Windows\Fonts\WindowsInstallerMB\TS1.msi AI_EUIMSI=1 APPDIR="C:\Users\Default\Desktop\UaCVWFATNNPN" SECONDSEQUENCE="1" CLIENTPROCESSID="4116" CHAINERUIPROCESSID="4116Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1718616495 " TARGETDIR="F:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe" AI_INSTALL="1"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D70A9F6C8D006CAFAEB46099AFD1AB3D

C:\Program Files (x86)\4352d88a78aa3975HHI.exe

"C:\Program Files (x86)\4352d88a78aa3975HHI.exe" x C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.HHC -o"C:\Program Files (x86)\Common Files\microsoft shared" -pf1d3ff8443297732HIF -aos

C:\Program Files (x86)\4352d88a78aa3975HHI.exe

"C:\Program Files (x86)\4352d88a78aa3975HHI.exe" x C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.AAX -oC:\Users\Default\Desktop\UaCVWFATNNPN\ -pf1d3ff8443297732NGH -aos

C:\Program Files (x86)\4352d88a78aa3975HHI.exe

"C:\Program Files (x86)\4352d88a78aa3975HHI.exe" x C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.KXF -oC:\Users\Admin\AppData\Roaming\ -pf1d3ff8443297732MUT -aos

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe

"C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe"

C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe"

Network

Country Destination Domain Proto

Files

C:\Windows\Fonts\WindowsInstallerMB\TS1.msi

MD5 1351753a06e2e6571648e8bb973eed38
SHA1 2eda221eb389c428505a0dfeed4c8b0e424af1c6
SHA256 489d14a2058a380f9f47df51a4da684f3fa088772ec1a606b6cce3fc73804864
SHA512 6d5bcc71f4b0621f12641de32acce9e4a26c0916c27d3e3ffec7d0043c2e9634809d2e5a6b29bd0d6c46296b0de99d5953610e0961ba9173a3481f89f49b42ce

C:\Users\Admin\AppData\Local\Temp\MSI6B7C.tmp

MD5 0dd1f1ff906c4d1fc7ad962e994cad7f
SHA1 4d1549cf7ef6a63baf83280143d7797d4df4fa2d
SHA256 140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588
SHA512 8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\sys_close_hot.bmp

MD5 2b4492d6f63f5c41aa26de798f68b982
SHA1 2840f9587b63f203639a88731df67c22796155a9
SHA256 be759b55afdd188282204a5fb650ae8903d534a5d296278e225768415b8b8624
SHA512 fef57068682df050e5694b5fa10fc914830f9fc419c414ad156fb7fa155220d61088d1bebfe1829d95a2af3ee0d46867ecc2bc1fe78b3aeee3e648c127625f4b

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\sys_min_hot.bmp

MD5 02f22afae35430f2092e77bf1ca577b0
SHA1 91f97b9e65a972da62fa1f1254b6d1ef1f0e80b8
SHA256 d36ecf7b57c82496e41f7f5f36fcf21be7f0c061b999c5662f18530909ab6542
SHA512 fae0d6e818c987ef1c7829301b39da098e4766b4a33bac04a7b4d42e68a3b6df3d3a6b4c3e29d31bc0cb48b541c8316d4ecc3216f6c2aa7827e2df5aa1a57786

C:\Users\Admin\AppData\Local\Temp\MSI6C97.tmp

MD5 9b4b4ea6509e4db1e2a8f09a7c6f8f04
SHA1 512880abe3c9696edb042599bd199f1d05210aa2
SHA256 3774c31039cb87ed0327f49a00abd7b4211ac938a46378b8661cd5d8b3b34f94
SHA512 63b4788a3ad000c08582f55532dc06bf88bc4111837a63e8157e0f5f668225f46758f9481b6e526a5a813f4f0cc9be65fb4107d2135c61083274592af03ba608

C:\Users\Admin\AppData\Local\Temp\shi7C15.tmp

MD5 032bb369103dac02606fb919f6658f3c
SHA1 60b39428ab3493aab7babf3a1c5f2a951ae853bd
SHA256 daa61c42d53be45c7709a0b0f66a51a0a47ca84eab787e0627f6da255c96ddff
SHA512 0f1fb9bb34e699ee6d4a1dc58f99514fb1df81ad0cf37b3ffe938295a70d832a5702cec3df16d30d400c77014d09228e6d02d3e65d5d6d0f1c5e34f39d55e313

\??\Volume{38ff9706-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ecbf9457-8c6d-4a56-961a-eca50bc23c04}_OnDiskSnapshotProp

MD5 b01de447fd3e745c4949614f24eb738a
SHA1 41654eed37120a35e62e449d794fed5e3ec2fc80
SHA256 bf352c9476fc7d301e0d2c93278f1f35625c287c9448f545eddd7634c85c3293
SHA512 52e1d41cdfc5b624ac97f45399fa9687584ab8b9458883b0cec8035636478b517907cc4a29f93334de0af7a4d0c5f8bebf153ae971f409c4269dfbdbdce91dfb

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 f7d3eac271b2700f52cc5e26595fe779
SHA1 725cd9d9c8819539302913d426bfd955eccb5eaa
SHA256 d83684485987f5f226e5297f1e12dd97d85cf3210f4ee1101f9fe9be5df6d60c
SHA512 2340fd5f5380cb564b1ce0c3881b2c6722369d2c259c2fce453f4b44b012047bb3655d08990620d40d67d74e69195cd30541b9fb4c714b6a46fbb5e7de1dda93

C:\Windows\Installer\MSIB339.tmp

MD5 56ab5899ad5803f38145ea2a9ac5f80d
SHA1 c1b899b3caedae7d4ffc393e1a673c90a042cc6e
SHA256 da8d91e2c7c89bc9493c3db0b85f6f1934a86e1d360e12ae351ab5f8a47def0e
SHA512 78d04910f66450b04b62761efb7605a52d32a26c64f37057e5f3137665f01067b0da3aaf2d123bb94e060ac5e05ed8ac479958729c99d8792b9ecca2b1c87d78

C:\Users\Default\Desktop\UaCVWFATNNPN\WHelp.dll

MD5 ac682bdb71c4193c99741e7a1be901ab
SHA1 9e61d347344decc056ff8a6980716a34c71a7617
SHA256 cc490a1d0203e350809cab3b3d6c9ce88173fb273a445168fab6fe0e2ff02329
SHA512 6fd9970e23115e38a0b5047d2064abe8fd4214cf1b8acca29746590091565e4c2d42da5685f7b7f0e0c8924aaa96029cb1d52bdb763d69b48bff559771f140de

C:\Users\Default\Desktop\UaCVWFATNNPN\7z.dll

MD5 292575b19c7e7db6f1dbc8e4d6fdfedb
SHA1 7dbcd6d0483adb804ade8b2d23748a3e69197a5b
SHA256 9036b502b65379d0fe2c3204d6954e2bb322427edeefab85ecf8e98019cbc590
SHA512 d4af90688d412bd497b8885e154ee428af66119d62faf73d90adffc3eef086cf3a25b0380ec6fdc8a3d2f7c7048050ef57fcea33229a615c5dcda8b7022fa237

C:\Users\Default\Desktop\UaCVWFATNNPN\4352d88a78aa3975HHI.exe

MD5 fae7d0a530279838c8a5731b086a081b
SHA1 6ee61ea6e44bc43a9ed78b0d92f0dbe2c91fc48b
SHA256 eea393bc31ae7a7da3dba99a60d8c3ffccbc5b9063cc2a70111de5a6c7113439
SHA512 e75c8592137edd3b74b6d8388a446d5d2739559b707c9f3db0c78e5c30312f9fccd9bbb727b7334114e8edcbb2418bdc3b4c00a3a634af339c9d4156c47314b4

C:\Users\Default\Desktop\UaCVWFATNNPN\QKFJSGCGWGRQ

MD5 7ad0ae80da103fe4b8274b7aaa3c0561
SHA1 d539a22a49015b1e6a098ea204ca50d84bd50b39
SHA256 cb776e5b3a087666ab840bbb4859222e2c92c86c65426ff93c3d91c03e05dd1c
SHA512 1c80122516eaff3728a5a6bf1252d65fe5ade07af47317cfe813a778042b78e9d80143308feb87c6a19e9e78d3ec4b571a397bad767f5558d877b48731719ee8

C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.HHC

MD5 a79c83162c432d885aa1e9ebaa4aee8b
SHA1 9e089545fb77b80b1be8c851af2f5629f08f705d
SHA256 788da5d96874e015ad464383738e39fe4bda9152f9aad79b683a3c9c97156402
SHA512 b2c5366dca80c608a52d27d32de7ea6b4aaf93f9d5998c57156f50f1e5e9eb609a9f2df8ce66bccf23e0399cd3362819fee43aaa08c602dc7b34d1e2ec83b66f

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\plugins\version

MD5 f1d3ff8443297732862df21dc4e57262
SHA1 9069ca78e7450a285173431b3e52c5c25299e473
SHA256 df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
SHA512 ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\plugins\Microsoft.VC80.CRT.manifest

MD5 710c54c37d7ec902a5d3cdd5a4cf6ab5
SHA1 9e291d80a8707c81e644354a1e378aeca295d4c7
SHA256 ef893cb48c0ebe25465fbc05c055a42554452139b4ec78e25ec43237d0b53f80
SHA512 4d2ec03ff54a3bf129fb762fc64a910d0e104cd826acd4ab84ed191e6cc6a0fec3627e494c44d91b09feba5539ad7725f18158755d6b0016a50de9d29891c7e5

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\plugins\Microsoft.VC80.ATL.manifest

MD5 0bc6649277383985213ae31dbf1f031c
SHA1 7095f33dd568291d75284f1f8e48c45c14974588
SHA256 c06fa0f404df8b4bb365d864e613a151d0f86deef03e86019a068ed89fd05158
SHA512 6cb2008b46efef5af8dd2b2efcf203917a6738354a9a925b9593406192e635c84c6d0bea5d68bde324c421d2eba79b891538f6f2f2514846b9db70c312421d06

C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.AAX

MD5 7e7b2ecfaa0a1789892c3dae390ef3d6
SHA1 7f4531e0bd06060fabc2833b0a290efefb21a37e
SHA256 8cd53e015579257510501f6865a03308e7a66279b63326a39bb7b3bf5d25dd29
SHA512 4375848534a7afe3cc1d97eceaac63b09f49afd8236f1ea16afbd94d389957fbacca72f6412cfc978120d3427059c6fc27dd6e51c5209b164873df0a30ad218a

C:\Config.Msi\e57a634.rbs

MD5 2fdc2ed6aba92a19bd0c79aa97ed3d62
SHA1 a97e7389212d783f6984aca7bd4715d44fd823da
SHA256 4ff3e16fe2cd8df93571ff1c22b259c9802fe5a6675b40d25b257e68d775bd0b
SHA512 0ff5634f478c34c63910dad9f6cad46a5f1fd5000527764ca536481ab4c15be43840771a64a0560e70c5c01a53a17a621ce09f7a828b2732bbffe7bee258c8e5

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe

MD5 938c33c54819d6ce8d731b68d9c37e38
SHA1 5debc5aecea887d17e342e3651006e1db351034f
SHA256 e705895392acd9768f413e35545c6581b3bac8c05dce97bc9af6a37be7cb7de3
SHA512 16deaf3b8c9a29b73d6530474f2a0bf5ac756d44a04d2468464fb78c9048ca9f1e1ebbcc91adfc74963b7083b0381a47f76c70baddeb44026c969125ea1c929a

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\TDPCONTROL.DLL

MD5 4ff45827ec92e40935f9939142cd40dc
SHA1 cad74928f3387e6bf28c3625803706061e956b34
SHA256 012ed8d16e9f7586fe44c0affe5bea6ff68f27231a6526d439643869a103e434
SHA512 a3dfe7976e5ffb4ba0c68e218c0924568d343e7937abb50785107de5e0adc11ad58a86e02fabb455845fbe8e545e48b57a67eb647c664390ed521d255ff3befe

\Users\Default\Desktop\UaCVWFATNNPN\yybob\libcurl.dll

MD5 ec9483f4b8c3910b09caab0f6cb7cd1b
SHA1 9931aaa8e626df273ee42f98e2fc91c2078fdc07
SHA256 4d9cae6e2e52270150542084af949d7b68300e378868165ff601378a38f7048f
SHA512 84b60fe3cd0ede19933b37ae0eaeba1f87174a21bc8086857e57c8729cec88f9fef4b50a2b870f55c858dd43b070fd22ffec5cb6f4fd5b950d6451b05eb65565

\Users\Default\Desktop\UaCVWFATNNPN\yybob\TDPSTAT.dll

MD5 b8253f0dd523bc1e2480f11a9702411d
SHA1 61a4c65eb5d4176b00a1ff73621521c1e60d28ea
SHA256 01cee5c4a2e80cb3fdad50e2009f51ca18c787bf486ce31321899cccedc72e0c
SHA512 4c578003e31f08e403f4290970bc900d9f42caa57c5b4c0aca035d92edc9921bf4034fc216c9860da69054b05f98dade5f6e218ac4bee991bc37a3ef572fe9a0

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_top_left.bmp

MD5 d4757da90bf3a96d5ca1b7d8fedf0a1f
SHA1 c4be7503191c6926ad33853b05cc43ad87a6b1e8
SHA256 0e8b86d175526133e239a0a4dc6308c6b529d9b2db2e469ce5098a39f3432168
SHA512 b0fa9ac1b48e4c2d9e4289a65a4f8d46edeaaa5d43309089d67778ce72c72f2e352a792b10c24146c75e604f83158e5b0e665fc70df9886dfd4128f4b1fb2471

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_top_left_inactive.bmp

MD5 df94017171d579959895edc072d39120
SHA1 0c0facceafac06c603f125cc170973851796d961
SHA256 706d0ec93ab304f05f6d3b8b9da613ca404943e9dbff9061984b5417f15711f8
SHA512 2576993c63b702ee9c6428a7d2698f94d6b7afb5277b60a0f51979ab7494651ea68ed46c0448a6f7d6954455aec9dcf17755cf20e666a7267197adfd4d162a74

\Users\Default\Desktop\UaCVWFATNNPN\yybob\UPSDK.dll

MD5 d75e14313fc8a0850f3190ce67509475
SHA1 74474830bc0706e5c0a8b455a4e1b47d9f1de741
SHA256 e5c711bdb99ab55ebd96b3636c7396566c98acffd03df735a15f1e18936a718a
SHA512 a4260f1a9a77bc41fc54532bdbf51f831004767e08150bff95374663930bbe4fca81790aa4578c062674557a02a698ea798cfc00f2355f6b8fa71bf2915cbaaa

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_top_mid.bmp

MD5 440363d27344241cf3574cdc43cca3d5
SHA1 cdeb4f94ae64c5bbe4740c3773e9ea8c8502cac2
SHA256 358fe1e6b51dd850c2463506d20d341b6ac09194ce0844734cd5386a4d82692b
SHA512 4f7edee0f1e294995785f792ed03b74991c8cf8a750e996477fc8590e0645187fe9201bc4847cb4fcb790bdaff0ba29c4fdc7f7a088180514583eb3fda29c58d

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_top_mid_inactive.bmp

MD5 fc284f137a181d626cbfb9b980265a14
SHA1 af1dc42b8706f65e80b5aa021da38e7c48bf5ac5
SHA256 ebf14004abb9171efb791d5ed78d6f028f09775ec047bfe2bd9a3ad4dc431a0c
SHA512 aab8700806a42877b1b09379a606d49426cd0fa62c0856cc64bccfec6ed1e67130a908fb8d4feba6c6d1b8d530a5acb380fad9d6ed1a170103d3a90a35a788fd

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_caption.bmp

MD5 a8a4420fbe5dbe8fff5a4457fbdc0923
SHA1 4475046bf4a5b7af62099521d2a28df47eb14fc8
SHA256 4e504366b5a0b48020ee2e29beb17092010cedb50caa9a901bd6b2e921803582
SHA512 dac1a4fce6a95b965259eb7b92fa73bf532f3f2af929d5930538e16a2bab40d58384ea924ce63dac9235cb6e5585171a21b835ec2b2e359091bb2c7861263bc4

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_caption_inactive.bmp

MD5 3d8494dd57ae17b57726e6530fc60237
SHA1 09b19ee5fc72b2a07452ed242983c464e2ed5eb0
SHA256 196bf30cc41139ccaecb41584fcdc4a61842c246f81a3c7c4a6ba2a5bea4038c
SHA512 3e02e2c06c922ff58c7a6bb9e6b320e7e9a1dc70cd283986657b02ececf41219454a1d64b5fc02733744f1a2d31b507691b6854e362639ff943ad5e719238343

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_top_right.bmp

MD5 50656c6f33cb1490eee92cfcf2f4fa80
SHA1 ca5a3fe9b1f6130e6452cedf5d3734781f6e150b
SHA256 ef8fc7a18af77fed42bf20fd640543b0cfaf312a4c9dfc0c2f35ce1af9ae58e9
SHA512 b8e2e2945fcb5699e063bfdad3fc6ae72be96bf342883dc60b8ac81c4143888aa23ccf237b935f56b5f586afe4772eda39b443e0797385ed358638cb7052eec6

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_top_right_inactive.bmp

MD5 4178d84d2cd986063d2a7c91c57295d2
SHA1 fc5ea9402cd9c325716a2b79d070ac3e756c9f2f
SHA256 5365b988c102e46f73418ec36e0de5b1749c2080c3d2da660c507a9c505f333e
SHA512 aca1ca7e16049adf1b26dc8d26e99461069fd133587e748012347e66eef9bdb90fda0d197c86334667cc04b0289cfbe8fe8727eabf3bde9827a1066a71133a32

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_left.bmp

MD5 78e5adef0e9078c2a76ddea85c1c4dc4
SHA1 8da1ed8372eea6f5ce10154a52b5bd9bcbf1cc18
SHA256 84cf7696e5b73513bcf78b1611de3fac76e9f99cf9112dd9ea963850441b62fe
SHA512 a1f6ee057ad820ee4fe4bb9b9c7703da8bb9e47109ee384e828e6cb16cab7fc9a258e39d413ffdf40ca51e2275737f0b68acd32cf7c6577ee9d7740069a3da07

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_left_inactive.bmp

MD5 39cbd0b2cf89509c50ee74963f89f70d
SHA1 777755cb3e7eac9f8377552820dec7bf9d48fbfb
SHA256 a46d900fb1d3ba41e6f608587f4a4a414314f48a56cdca10716491415d38a07f
SHA512 8d4486150f12cf144d242735c9940c296deafffa4fd92029909f7b402c4f26f7b3e8ae9f2dfa5518edf5c8bfb6b622b6cbe3cd6ef39c4ec40eb601f3c51b310d

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_right.bmp

MD5 2e805b0982cda361e322e201df8cceff
SHA1 a199d51aac3ac44c62b7cf9afae22eea7932c63b
SHA256 c3f2a56930697c4db1ea99bad9f20d7b750f5795181a63eb608c57b7643edd22
SHA512 dade5a2dec58631d4f88129012ae941465397fb498ea52010b2c3abd1e7130d73d47c78bbea0a600b868bd655c2e2b1a141d683b20c7c01099f8e8f116659785

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_right_inactive.bmp

MD5 171e23cd227d985b89098c5cc632c144
SHA1 2349eca4f92e1d4dcc2d47bc3d166a7081a5485b
SHA256 c9d87fc1e021caf801e31e1359d3a13e1da0c484e3a21ea173d352f924e1a924
SHA512 d9ae5802b331b6b8f38e129bd1e4e07270b7469df2ddd627ef0d6dc7f1cf33f87c334de00ba35c3033108876291c67aefbf7b34b9434faa42c79a2aae6b4f036

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_bottom_left.bmp

MD5 0edd17e9905d463ce23fbae64563c8da
SHA1 2c26d30e1b7a5761f5048d9494349cafe40979d9
SHA256 237e098ed029198e9f7cfe71babd6bf9ff3962ed78a263dc7426ea663e601467
SHA512 fc358ad0f2e482ad51af201f2883259dfcf0d577db1be8cff2b9048f22827278cf0cb8a3f76475222d86be7e945ce9b34aa9b86fc625c908ffaea0ad6b1ea2c2

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_bottom_left_inactive.bmp

MD5 1b38ef93df0c5d4c6c2a10ca0115a28d
SHA1 17fa1779a66696f9ee1406da73133745eb4429dd
SHA256 4292ea3565b63946777d999352a1986e8f5950f1e8e51f030443f05dbdbde57d
SHA512 1b0b3c6fe0f359ae383d3d5b069341a900aff610e91d7752d4290fafe11ac73dff3ca349deb6599a6d358add4c769ae6cb05c2b751dbbce738bae4082167e8e4

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_bottom_mid.bmp

MD5 445b2b911b105ced9b1a3a5caaa594dd
SHA1 c326010a040a6d19837360907745a7a05982254f
SHA256 ecfc46e3ba63cc8d7de04134a271b171d9efd714e4ce9611115836a5b4518e63
SHA512 1ded63a90006bd2bfddb1de399d0cb483e52a94113e43b3099b6bf3dc7a9a0c7ae74249ebaa600d0d184615661f2ff557b62ed65f073bfaefc4f84e0cb420360

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_bottom_mid_inactive.bmp

MD5 7610648b8e31404e1621a7a5b510b86d
SHA1 d51d517a8472bfe40c469afa8869385d5a0e9783
SHA256 48837b62a6a6bc71359ff74bbe8a672d6b23cc30344c12e006698f069890a2b3
SHA512 24b03969fd28de9919d86609bec03e6ed732ed78b8e0de3f2fe5253180817d1471e3ed004abb5ecd91885b6281cef1b8e508e38e6f76fdcfb88a29e308ac78dd

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_bottom_right.bmp

MD5 c288357164d52b2cfd695c792074323b
SHA1 c8b7b1ddb78c929ad56d8bbd57ff5449afa04be3
SHA256 709d6fdbe00694f7dc115e923188f62cdc72d39e739280a1aff072d1a49d2674
SHA512 8d07e5c163c9e4b0d04a861e00be1f578d7a77c2f3eba80deb3895b2b354d4015ff1905a2dfcdccc1b8ec839359dcc302e09f753623aa7f0df212540ce8a56b2

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\frame_bottom_right_inactive.bmp

MD5 2c84c848bbcd7bd57579d3431e8a363a
SHA1 5dc73f68798e73318d03979810bc00a4e94956d9
SHA256 f212b152d4647edcd36d2218713296afbf9ac5e86965c309df8f245fb89a06e3
SHA512 5af2bff30850458ef08340fe4ef9ae9e78d5ae1124c3a9dd365b6dd0e97a30ba079e466ec7f127485f5a89be7350d27371fee665b9d6214cd94532ed346effa3

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\sys_min_normal.bmp

MD5 eeda62be091f6ef68d9ba7d76c9cfd84
SHA1 822372b556a550dd93f931b1d115c888d611fd20
SHA256 3c746ad942bdd0a9b95414f80cd0e20c32251601a9d579bbdfdab6c9ad7414f8
SHA512 ee394717a1191ed3556ff9359d35861a475a96a14e4026f304d42156e357ec564522333ea745e90bfdcd2ee1a85a01316999ef9b601bdac47b6ed7015f0c8e14

memory/4656-819-0x0000000000630000-0x0000000000695000-memory.dmp

memory/4656-861-0x0000000010000000-0x0000000010021000-memory.dmp

memory/4656-815-0x00000000009A0000-0x0000000000AC3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\sys_min_inactive.bmp

MD5 216e32733b99d128ba7b1de8748a5d12
SHA1 2b857cb52ce605e9b8470683468bf331a86a042d
SHA256 f856a6e498ef981476b85590200b3cba06b04c80329b434c1a3f89ba7c7240a3
SHA512 3ce39384e4e0138fcf1048819543ba6c6353ae32b597d64c06024f7bf63901d69d23ecf07fd6f754c56e5115a4dcabdb680bd98df86db5d8c729552f80be9d37

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\sys_min_down.bmp

MD5 ba8de1a4fb2e3ca280cd7a3f72d28bcd
SHA1 4bcb1fbe1390eb0101df72725b34e364ec0cc551
SHA256 a3f47f44ad19a5e5b42204da311a883025f4f7d951bbd427edb3a20d759fc5e8
SHA512 dfc97335a12e1b33209e2dac7f222dbea7f71b93bcd6e4689dd409cbab6096c78210527f1abe0c3bb00bbe5cb38b3691b9355aa04d92975c3348b2096c141407

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\sys_close_normal.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\sys_close_inactive.bmp

memory/4656-817-0x0000000000AD0000-0x0000000000BDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4116\sys_close_down.bmp

memory/4656-862-0x0000000000400000-0x00000000004AF000-memory.dmp

memory/4656-866-0x0000000000630000-0x0000000000695000-memory.dmp

memory/4656-865-0x0000000000AD0000-0x0000000000BDA000-memory.dmp

memory/4656-864-0x00000000009A0000-0x0000000000AC3000-memory.dmp

memory/4656-863-0x000000006B240000-0x000000006B29A000-memory.dmp

memory/4656-869-0x0000000002C30000-0x0000000003215000-memory.dmp

memory/4656-871-0x00000000023B0000-0x00000000023BB000-memory.dmp

memory/5004-875-0x0000000010000000-0x0000000010055000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B4U56X23\AuLibV1[1]

memory/4656-910-0x0000000010000000-0x0000000010021000-memory.dmp

memory/4656-911-0x0000000072310000-0x0000000072322000-memory.dmp

memory/5004-918-0x00000000003E0000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 04:17

Reported

2024-06-20 04:20

Platform

win7-20240419-en

Max time kernel

145s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Windows\syswow64\MsiExec.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\cbg.sig C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\CIM_VirtualSystemSettingData.xsd C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\el.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\AuLibV1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\AuLibV2 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\vmauthd.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\CIM_ResourceAllocationSettingData.xsd C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\libtemp.bat C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Mellogdoc C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\madExcept_.bpl C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.CRT\msvcp90.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\oDayProtect.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\RunHours\es-419.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\hu.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\lco.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\iopdate.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\themes\ovfenv-vmware.xsd C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\PSpendZ.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\VNL.ini C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\slist.dat C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.CRT\msvcp90.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\msvcr100.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\xml.xsd C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\pp_helper.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\zip.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Watson2.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\LostShe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\madDisAsm_.bpl C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\NVIDIA_GeForce_Experience_json C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\QMOfficeScan.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\TPClnVM.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\settingV1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\XLGameUpdate.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\4352d88a78aa3975HHI.exe C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\hi.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\LICENSE.libdt C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\themes\ca.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\RunHours\es-419.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\cor.sig C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\common.xsd C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\li.dat C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\LostHe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\plugins\Microsoft.VC80.CRT.manifest C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\en-US.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\RunHours\et.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\cbg.sig C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\eE3myMsQE5fMQEaGfWHcwmTjYnsA1RTfNJe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\hi.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\RunHours\fa.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\themes\sample.flp C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\QMDns.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\vcruntime140.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Win.rbg C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\APKwait.bat C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\LostPShe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\LostShe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\libcurl.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.CRT\msvcr90.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\themes\ovfenv-vmware.xsd C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\qvlnk.bro C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\SysP2.bat C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Lastname C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI64D0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7654b6.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Fonts\WindowsInstallerMB\TS1.msi C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f7654b5.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Fonts\WindowsInstallerMB\TS11.cab C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened for modification C:\Windows\Installer\MSI5541.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI56C9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f7654b5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI55EE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6107.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Fonts\WindowsInstallerMB\holder0.aiph C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File created C:\Windows\Installer\f7654b6.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2648 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2648 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2648 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2648 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2648 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2648 wrote to memory of 2560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1988 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe
PID 1988 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe
PID 1988 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe
PID 1988 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe
PID 2648 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2648 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2648 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2648 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2648 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2648 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2648 wrote to memory of 1540 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1540 wrote to memory of 904 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 1540 wrote to memory of 904 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 1540 wrote to memory of 904 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 1540 wrote to memory of 904 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 1540 wrote to memory of 2384 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 1540 wrote to memory of 2384 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 1540 wrote to memory of 2384 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 1540 wrote to memory of 2384 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 1540 wrote to memory of 320 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 1540 wrote to memory of 320 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 1540 wrote to memory of 320 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 1540 wrote to memory of 320 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe

"C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 24A0CEBBE986DE2915FCDBA74DC200C1 C

C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe

"C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe" /i C:\Windows\Fonts\WindowsInstallerMB\TS1.msi AI_EUIMSI=1 APPDIR="C:\Users\Default\Desktop\UaCVWFATNNPN" SECONDSEQUENCE="1" CLIENTPROCESSID="1988" CHAINERUIPROCESSID="1988Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1718597707 " TARGETDIR="F:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe" AI_INSTALL="1"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B0" "00000000000005B4"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C7E13C47CE277124811754A185B69FF9

C:\Program Files (x86)\4352d88a78aa3975HHI.exe

"C:\Program Files (x86)\4352d88a78aa3975HHI.exe" x C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.HHC -o"C:\Program Files (x86)\Common Files\microsoft shared" -pf1d3ff8443297732HIF -aos

C:\Program Files (x86)\4352d88a78aa3975HHI.exe

"C:\Program Files (x86)\4352d88a78aa3975HHI.exe" x C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.AAX -oC:\Users\Default\Desktop\UaCVWFATNNPN\ -pf1d3ff8443297732NGH -aos

C:\Program Files (x86)\4352d88a78aa3975HHI.exe

"C:\Program Files (x86)\4352d88a78aa3975HHI.exe" x C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.KXF -oC:\Users\Admin\AppData\Roaming\ -pf1d3ff8443297732MUT -aos

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe

"C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe"

Network

N/A

Files

memory/1988-0-0x0000000000300000-0x0000000000301000-memory.dmp

C:\Windows\Fonts\WindowsInstallerMB\TS1.msi

MD5 1351753a06e2e6571648e8bb973eed38
SHA1 2eda221eb389c428505a0dfeed4c8b0e424af1c6
SHA256 489d14a2058a380f9f47df51a4da684f3fa088772ec1a606b6cce3fc73804864
SHA512 6d5bcc71f4b0621f12641de32acce9e4a26c0916c27d3e3ffec7d0043c2e9634809d2e5a6b29bd0d6c46296b0de99d5953610e0961ba9173a3481f89f49b42ce

C:\Users\Admin\AppData\Local\Temp\MSI1516.tmp

MD5 0dd1f1ff906c4d1fc7ad962e994cad7f
SHA1 4d1549cf7ef6a63baf83280143d7797d4df4fa2d
SHA256 140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588
SHA512 8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\sys_close_hot.bmp

MD5 2b4492d6f63f5c41aa26de798f68b982
SHA1 2840f9587b63f203639a88731df67c22796155a9
SHA256 be759b55afdd188282204a5fb650ae8903d534a5d296278e225768415b8b8624
SHA512 fef57068682df050e5694b5fa10fc914830f9fc419c414ad156fb7fa155220d61088d1bebfe1829d95a2af3ee0d46867ecc2bc1fe78b3aeee3e648c127625f4b

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\sys_min_hot.bmp

MD5 02f22afae35430f2092e77bf1ca577b0
SHA1 91f97b9e65a972da62fa1f1254b6d1ef1f0e80b8
SHA256 d36ecf7b57c82496e41f7f5f36fcf21be7f0c061b999c5662f18530909ab6542
SHA512 fae0d6e818c987ef1c7829301b39da098e4766b4a33bac04a7b4d42e68a3b6df3d3a6b4c3e29d31bc0cb48b541c8316d4ecc3216f6c2aa7827e2df5aa1a57786

C:\Users\Admin\AppData\Local\Temp\MSI1601.tmp

MD5 9b4b4ea6509e4db1e2a8f09a7c6f8f04
SHA1 512880abe3c9696edb042599bd199f1d05210aa2
SHA256 3774c31039cb87ed0327f49a00abd7b4211ac938a46378b8661cd5d8b3b34f94
SHA512 63b4788a3ad000c08582f55532dc06bf88bc4111837a63e8157e0f5f668225f46758f9481b6e526a5a813f4f0cc9be65fb4107d2135c61083274592af03ba608

C:\Windows\Installer\MSI64D0.tmp

MD5 56ab5899ad5803f38145ea2a9ac5f80d
SHA1 c1b899b3caedae7d4ffc393e1a673c90a042cc6e
SHA256 da8d91e2c7c89bc9493c3db0b85f6f1934a86e1d360e12ae351ab5f8a47def0e
SHA512 78d04910f66450b04b62761efb7605a52d32a26c64f37057e5f3137665f01067b0da3aaf2d123bb94e060ac5e05ed8ac479958729c99d8792b9ecca2b1c87d78

C:\Users\Default\Desktop\UaCVWFATNNPN\WHelp.dll

MD5 ac682bdb71c4193c99741e7a1be901ab
SHA1 9e61d347344decc056ff8a6980716a34c71a7617
SHA256 cc490a1d0203e350809cab3b3d6c9ce88173fb273a445168fab6fe0e2ff02329
SHA512 6fd9970e23115e38a0b5047d2064abe8fd4214cf1b8acca29746590091565e4c2d42da5685f7b7f0e0c8924aaa96029cb1d52bdb763d69b48bff559771f140de

C:\Users\Default\Desktop\UaCVWFATNNPN\4352d88a78aa3975HHI.exe

MD5 fae7d0a530279838c8a5731b086a081b
SHA1 6ee61ea6e44bc43a9ed78b0d92f0dbe2c91fc48b
SHA256 eea393bc31ae7a7da3dba99a60d8c3ffccbc5b9063cc2a70111de5a6c7113439
SHA512 e75c8592137edd3b74b6d8388a446d5d2739559b707c9f3db0c78e5c30312f9fccd9bbb727b7334114e8edcbb2418bdc3b4c00a3a634af339c9d4156c47314b4

C:\Users\Default\Desktop\UaCVWFATNNPN\QKFJSGCGWGRQ

MD5 7ad0ae80da103fe4b8274b7aaa3c0561
SHA1 d539a22a49015b1e6a098ea204ca50d84bd50b39
SHA256 cb776e5b3a087666ab840bbb4859222e2c92c86c65426ff93c3d91c03e05dd1c
SHA512 1c80122516eaff3728a5a6bf1252d65fe5ade07af47317cfe813a778042b78e9d80143308feb87c6a19e9e78d3ec4b571a397bad767f5558d877b48731719ee8

C:\Users\Default\Desktop\UaCVWFATNNPN\7z.dll

MD5 292575b19c7e7db6f1dbc8e4d6fdfedb
SHA1 7dbcd6d0483adb804ade8b2d23748a3e69197a5b
SHA256 9036b502b65379d0fe2c3204d6954e2bb322427edeefab85ecf8e98019cbc590
SHA512 d4af90688d412bd497b8885e154ee428af66119d62faf73d90adffc3eef086cf3a25b0380ec6fdc8a3d2f7c7048050ef57fcea33229a615c5dcda8b7022fa237

C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.HHC

MD5 a79c83162c432d885aa1e9ebaa4aee8b
SHA1 9e089545fb77b80b1be8c851af2f5629f08f705d
SHA256 788da5d96874e015ad464383738e39fe4bda9152f9aad79b683a3c9c97156402
SHA512 b2c5366dca80c608a52d27d32de7ea6b4aaf93f9d5998c57156f50f1e5e9eb609a9f2df8ce66bccf23e0399cd3362819fee43aaa08c602dc7b34d1e2ec83b66f

C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\Microsoft.VC80.ATL.manifest

MD5 0bc6649277383985213ae31dbf1f031c
SHA1 7095f33dd568291d75284f1f8e48c45c14974588
SHA256 c06fa0f404df8b4bb365d864e613a151d0f86deef03e86019a068ed89fd05158
SHA512 6cb2008b46efef5af8dd2b2efcf203917a6738354a9a925b9593406192e635c84c6d0bea5d68bde324c421d2eba79b891538f6f2f2514846b9db70c312421d06

C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\Microsoft.VC80.CRT.manifest

MD5 710c54c37d7ec902a5d3cdd5a4cf6ab5
SHA1 9e291d80a8707c81e644354a1e378aeca295d4c7
SHA256 ef893cb48c0ebe25465fbc05c055a42554452139b4ec78e25ec43237d0b53f80
SHA512 4d2ec03ff54a3bf129fb762fc64a910d0e104cd826acd4ab84ed191e6cc6a0fec3627e494c44d91b09feba5539ad7725f18158755d6b0016a50de9d29891c7e5

C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\version

MD5 f1d3ff8443297732862df21dc4e57262
SHA1 9069ca78e7450a285173431b3e52c5c25299e473
SHA256 df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
SHA512 ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.AAX

MD5 7e7b2ecfaa0a1789892c3dae390ef3d6
SHA1 7f4531e0bd06060fabc2833b0a290efefb21a37e
SHA256 8cd53e015579257510501f6865a03308e7a66279b63326a39bb7b3bf5d25dd29
SHA512 4375848534a7afe3cc1d97eceaac63b09f49afd8236f1ea16afbd94d389957fbacca72f6412cfc978120d3427059c6fc27dd6e51c5209b164873df0a30ad218a

C:\Config.Msi\f7654b7.rbs

MD5 2fdc2ed6aba92a19bd0c79aa97ed3d62
SHA1 a97e7389212d783f6984aca7bd4715d44fd823da
SHA256 4ff3e16fe2cd8df93571ff1c22b259c9802fe5a6675b40d25b257e68d775bd0b
SHA512 0ff5634f478c34c63910dad9f6cad46a5f1fd5000527764ca536481ab4c15be43840771a64a0560e70c5c01a53a17a621ce09f7a828b2732bbffe7bee258c8e5

memory/2560-751-0x0000000000370000-0x0000000000372000-memory.dmp

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe

MD5 938c33c54819d6ce8d731b68d9c37e38
SHA1 5debc5aecea887d17e342e3651006e1db351034f
SHA256 e705895392acd9768f413e35545c6581b3bac8c05dce97bc9af6a37be7cb7de3
SHA512 16deaf3b8c9a29b73d6530474f2a0bf5ac756d44a04d2468464fb78c9048ca9f1e1ebbcc91adfc74963b7083b0381a47f76c70baddeb44026c969125ea1c929a

\Users\Default\Desktop\UaCVWFATNNPN\yybob\libcurl.dll

MD5 ec9483f4b8c3910b09caab0f6cb7cd1b
SHA1 9931aaa8e626df273ee42f98e2fc91c2078fdc07
SHA256 4d9cae6e2e52270150542084af949d7b68300e378868165ff601378a38f7048f
SHA512 84b60fe3cd0ede19933b37ae0eaeba1f87174a21bc8086857e57c8729cec88f9fef4b50a2b870f55c858dd43b070fd22ffec5cb6f4fd5b950d6451b05eb65565

memory/2320-755-0x0000000000690000-0x00000000007B3000-memory.dmp

\Users\Default\Desktop\UaCVWFATNNPN\yybob\UPSDK.dll

MD5 d75e14313fc8a0850f3190ce67509475
SHA1 74474830bc0706e5c0a8b455a4e1b47d9f1de741
SHA256 e5c711bdb99ab55ebd96b3636c7396566c98acffd03df735a15f1e18936a718a
SHA512 a4260f1a9a77bc41fc54532bdbf51f831004767e08150bff95374663930bbe4fca81790aa4578c062674557a02a698ea798cfc00f2355f6b8fa71bf2915cbaaa

\Users\Default\Desktop\UaCVWFATNNPN\yybob\TDPINFO.dll

MD5 63f6d9fecb240388d69cb668cfe50c00
SHA1 2b67bb8aa45a9d0383e76f15e631c1131b28bb1e
SHA256 678d6ed15f6150bfd5ba8e823cf877c32bb492e8557e107fac77143dad3724f1
SHA512 176b096493206d2dadb17d778e959855deef0ec8d5343c09790ca6c067a338ece44138fa9081888caa2228a041d2a8c71b085ad8fefafe479505f667f6d2b7e6

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_top_left.bmp

MD5 d4757da90bf3a96d5ca1b7d8fedf0a1f
SHA1 c4be7503191c6926ad33853b05cc43ad87a6b1e8
SHA256 0e8b86d175526133e239a0a4dc6308c6b529d9b2db2e469ce5098a39f3432168
SHA512 b0fa9ac1b48e4c2d9e4289a65a4f8d46edeaaa5d43309089d67778ce72c72f2e352a792b10c24146c75e604f83158e5b0e665fc70df9886dfd4128f4b1fb2471

\Users\Default\Desktop\UaCVWFATNNPN\yybob\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

\Users\Default\Desktop\UaCVWFATNNPN\yybob\HipsdiaMain.dll

MD5 56867eecc2042a0fd681f3b90d365a16
SHA1 021dac119f8e115e6df308db85bc8760078d9719
SHA256 48f8313380bc6fa33172888b8fd9874a6ed5465213bacb9f8d5c2bb3ab37baee
SHA512 ebb40d1e1a7f6b9e9480e544a67c9383d53a708547acba787bfd7c5699e491ead7faf714c5d84407b3d9a1dd2051205e0a299eaeeceb44422e3874c5e55cc65a

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_top_left_inactive.bmp

MD5 df94017171d579959895edc072d39120
SHA1 0c0facceafac06c603f125cc170973851796d961
SHA256 706d0ec93ab304f05f6d3b8b9da613ca404943e9dbff9061984b5417f15711f8
SHA512 2576993c63b702ee9c6428a7d2698f94d6b7afb5277b60a0f51979ab7494651ea68ed46c0448a6f7d6954455aec9dcf17755cf20e666a7267197adfd4d162a74

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_top_mid.bmp

MD5 440363d27344241cf3574cdc43cca3d5
SHA1 cdeb4f94ae64c5bbe4740c3773e9ea8c8502cac2
SHA256 358fe1e6b51dd850c2463506d20d341b6ac09194ce0844734cd5386a4d82692b
SHA512 4f7edee0f1e294995785f792ed03b74991c8cf8a750e996477fc8590e0645187fe9201bc4847cb4fcb790bdaff0ba29c4fdc7f7a088180514583eb3fda29c58d

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_top_mid_inactive.bmp

MD5 fc284f137a181d626cbfb9b980265a14
SHA1 af1dc42b8706f65e80b5aa021da38e7c48bf5ac5
SHA256 ebf14004abb9171efb791d5ed78d6f028f09775ec047bfe2bd9a3ad4dc431a0c
SHA512 aab8700806a42877b1b09379a606d49426cd0fa62c0856cc64bccfec6ed1e67130a908fb8d4feba6c6d1b8d530a5acb380fad9d6ed1a170103d3a90a35a788fd

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_caption.bmp

MD5 a8a4420fbe5dbe8fff5a4457fbdc0923
SHA1 4475046bf4a5b7af62099521d2a28df47eb14fc8
SHA256 4e504366b5a0b48020ee2e29beb17092010cedb50caa9a901bd6b2e921803582
SHA512 dac1a4fce6a95b965259eb7b92fa73bf532f3f2af929d5930538e16a2bab40d58384ea924ce63dac9235cb6e5585171a21b835ec2b2e359091bb2c7861263bc4

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_caption_inactive.bmp

MD5 3d8494dd57ae17b57726e6530fc60237
SHA1 09b19ee5fc72b2a07452ed242983c464e2ed5eb0
SHA256 196bf30cc41139ccaecb41584fcdc4a61842c246f81a3c7c4a6ba2a5bea4038c
SHA512 3e02e2c06c922ff58c7a6bb9e6b320e7e9a1dc70cd283986657b02ececf41219454a1d64b5fc02733744f1a2d31b507691b6854e362639ff943ad5e719238343

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_top_right.bmp

MD5 50656c6f33cb1490eee92cfcf2f4fa80
SHA1 ca5a3fe9b1f6130e6452cedf5d3734781f6e150b
SHA256 ef8fc7a18af77fed42bf20fd640543b0cfaf312a4c9dfc0c2f35ce1af9ae58e9
SHA512 b8e2e2945fcb5699e063bfdad3fc6ae72be96bf342883dc60b8ac81c4143888aa23ccf237b935f56b5f586afe4772eda39b443e0797385ed358638cb7052eec6

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_top_right_inactive.bmp

MD5 4178d84d2cd986063d2a7c91c57295d2
SHA1 fc5ea9402cd9c325716a2b79d070ac3e756c9f2f
SHA256 5365b988c102e46f73418ec36e0de5b1749c2080c3d2da660c507a9c505f333e
SHA512 aca1ca7e16049adf1b26dc8d26e99461069fd133587e748012347e66eef9bdb90fda0d197c86334667cc04b0289cfbe8fe8727eabf3bde9827a1066a71133a32

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_left.bmp

MD5 78e5adef0e9078c2a76ddea85c1c4dc4
SHA1 8da1ed8372eea6f5ce10154a52b5bd9bcbf1cc18
SHA256 84cf7696e5b73513bcf78b1611de3fac76e9f99cf9112dd9ea963850441b62fe
SHA512 a1f6ee057ad820ee4fe4bb9b9c7703da8bb9e47109ee384e828e6cb16cab7fc9a258e39d413ffdf40ca51e2275737f0b68acd32cf7c6577ee9d7740069a3da07

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_left_inactive.bmp

MD5 39cbd0b2cf89509c50ee74963f89f70d
SHA1 777755cb3e7eac9f8377552820dec7bf9d48fbfb
SHA256 a46d900fb1d3ba41e6f608587f4a4a414314f48a56cdca10716491415d38a07f
SHA512 8d4486150f12cf144d242735c9940c296deafffa4fd92029909f7b402c4f26f7b3e8ae9f2dfa5518edf5c8bfb6b622b6cbe3cd6ef39c4ec40eb601f3c51b310d

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_right.bmp

MD5 2e805b0982cda361e322e201df8cceff
SHA1 a199d51aac3ac44c62b7cf9afae22eea7932c63b
SHA256 c3f2a56930697c4db1ea99bad9f20d7b750f5795181a63eb608c57b7643edd22
SHA512 dade5a2dec58631d4f88129012ae941465397fb498ea52010b2c3abd1e7130d73d47c78bbea0a600b868bd655c2e2b1a141d683b20c7c01099f8e8f116659785

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_right_inactive.bmp

MD5 171e23cd227d985b89098c5cc632c144
SHA1 2349eca4f92e1d4dcc2d47bc3d166a7081a5485b
SHA256 c9d87fc1e021caf801e31e1359d3a13e1da0c484e3a21ea173d352f924e1a924
SHA512 d9ae5802b331b6b8f38e129bd1e4e07270b7469df2ddd627ef0d6dc7f1cf33f87c334de00ba35c3033108876291c67aefbf7b34b9434faa42c79a2aae6b4f036

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_bottom_left.bmp

MD5 0edd17e9905d463ce23fbae64563c8da
SHA1 2c26d30e1b7a5761f5048d9494349cafe40979d9
SHA256 237e098ed029198e9f7cfe71babd6bf9ff3962ed78a263dc7426ea663e601467
SHA512 fc358ad0f2e482ad51af201f2883259dfcf0d577db1be8cff2b9048f22827278cf0cb8a3f76475222d86be7e945ce9b34aa9b86fc625c908ffaea0ad6b1ea2c2

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_bottom_left_inactive.bmp

MD5 1b38ef93df0c5d4c6c2a10ca0115a28d
SHA1 17fa1779a66696f9ee1406da73133745eb4429dd
SHA256 4292ea3565b63946777d999352a1986e8f5950f1e8e51f030443f05dbdbde57d
SHA512 1b0b3c6fe0f359ae383d3d5b069341a900aff610e91d7752d4290fafe11ac73dff3ca349deb6599a6d358add4c769ae6cb05c2b751dbbce738bae4082167e8e4

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_bottom_mid.bmp

MD5 445b2b911b105ced9b1a3a5caaa594dd
SHA1 c326010a040a6d19837360907745a7a05982254f
SHA256 ecfc46e3ba63cc8d7de04134a271b171d9efd714e4ce9611115836a5b4518e63
SHA512 1ded63a90006bd2bfddb1de399d0cb483e52a94113e43b3099b6bf3dc7a9a0c7ae74249ebaa600d0d184615661f2ff557b62ed65f073bfaefc4f84e0cb420360

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_bottom_mid_inactive.bmp

MD5 7610648b8e31404e1621a7a5b510b86d
SHA1 d51d517a8472bfe40c469afa8869385d5a0e9783
SHA256 48837b62a6a6bc71359ff74bbe8a672d6b23cc30344c12e006698f069890a2b3
SHA512 24b03969fd28de9919d86609bec03e6ed732ed78b8e0de3f2fe5253180817d1471e3ed004abb5ecd91885b6281cef1b8e508e38e6f76fdcfb88a29e308ac78dd

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_bottom_right.bmp

MD5 c288357164d52b2cfd695c792074323b
SHA1 c8b7b1ddb78c929ad56d8bbd57ff5449afa04be3
SHA256 709d6fdbe00694f7dc115e923188f62cdc72d39e739280a1aff072d1a49d2674
SHA512 8d07e5c163c9e4b0d04a861e00be1f578d7a77c2f3eba80deb3895b2b354d4015ff1905a2dfcdccc1b8ec839359dcc302e09f753623aa7f0df212540ce8a56b2

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\frame_bottom_right_inactive.bmp

MD5 2c84c848bbcd7bd57579d3431e8a363a
SHA1 5dc73f68798e73318d03979810bc00a4e94956d9
SHA256 f212b152d4647edcd36d2218713296afbf9ac5e86965c309df8f245fb89a06e3
SHA512 5af2bff30850458ef08340fe4ef9ae9e78d5ae1124c3a9dd365b6dd0e97a30ba079e466ec7f127485f5a89be7350d27371fee665b9d6214cd94532ed346effa3

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\sys_min_normal.bmp

MD5 eeda62be091f6ef68d9ba7d76c9cfd84
SHA1 822372b556a550dd93f931b1d115c888d611fd20
SHA256 3c746ad942bdd0a9b95414f80cd0e20c32251601a9d579bbdfdab6c9ad7414f8
SHA512 ee394717a1191ed3556ff9359d35861a475a96a14e4026f304d42156e357ec564522333ea745e90bfdcd2ee1a85a01316999ef9b601bdac47b6ed7015f0c8e14

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\sys_min_inactive.bmp

MD5 216e32733b99d128ba7b1de8748a5d12
SHA1 2b857cb52ce605e9b8470683468bf331a86a042d
SHA256 f856a6e498ef981476b85590200b3cba06b04c80329b434c1a3f89ba7c7240a3
SHA512 3ce39384e4e0138fcf1048819543ba6c6353ae32b597d64c06024f7bf63901d69d23ecf07fd6f754c56e5115a4dcabdb680bd98df86db5d8c729552f80be9d37

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\sys_min_down.bmp

MD5 ba8de1a4fb2e3ca280cd7a3f72d28bcd
SHA1 4bcb1fbe1390eb0101df72725b34e364ec0cc551
SHA256 a3f47f44ad19a5e5b42204da311a883025f4f7d951bbd427edb3a20d759fc5e8
SHA512 dfc97335a12e1b33209e2dac7f222dbea7f71b93bcd6e4689dd409cbab6096c78210527f1abe0c3bb00bbe5cb38b3691b9355aa04d92975c3348b2096c141407

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\sys_close_normal.bmp

MD5 8d5e21a5aabb3581d5e5a2e5907ef7fb
SHA1 f810a458cc0a28e72e65887a744ccd5be07f4b82
SHA256 5d70323dc723f965dfc29cf36e0ebafeafcf5e520d2beb905fec086ce22eefda
SHA512 86ee08e28a275d4051236dea338d5394cda2a0bb6b4fb9e7bfcc8e0403b9816221b554805fd53f7b5dfdd6eda4a8eedca23f435a510894e70e051c905953e197

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\sys_close_inactive.bmp

MD5 e7952db81da0e938aae851a1927682bd
SHA1 52d937797974c2a285a1456b133024107eea351d
SHA256 834c911f88c6a063e34f29060a3fbcc95afe267d868a57625e74e76c9ff1108f
SHA512 0e7facc4181e46cc748c0a6a47df02f0a459c06440409d366c8b0fc29218d05a3c1685f071aca4e58017e7e08449a3a02a5e6ba2e06ab68e6e3234e3766ef310

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1988\sys_close_down.bmp

MD5 4e21b56ffc64f5bc7c4248e33801b011
SHA1 39c05ba5b899f37d90b3722e7edc02149eeb365d
SHA256 ac4eeb5c037deab4e210ad8e6c3afd1816c27a64a92dea633fe982b912e680ac
SHA512 1464a774a4e4f27a1a739f8c7b721aeb47e17b4981a3f5496f9265b996677bbb98dc3310a34a5e56eb851225fa3bcbbc233a44a0751763beb095ef23e878cbff

memory/2320-767-0x0000000010000000-0x0000000010021000-memory.dmp

memory/1988-766-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2320-763-0x0000000000240000-0x00000000002A5000-memory.dmp

\Users\Default\Desktop\UaCVWFATNNPN\yybob\TDPSTAT.dll

MD5 b8253f0dd523bc1e2480f11a9702411d
SHA1 61a4c65eb5d4176b00a1ff73621521c1e60d28ea
SHA256 01cee5c4a2e80cb3fdad50e2009f51ca18c787bf486ce31321899cccedc72e0c
SHA512 4c578003e31f08e403f4290970bc900d9f42caa57c5b4c0aca035d92edc9921bf4034fc216c9860da69054b05f98dade5f6e218ac4bee991bc37a3ef572fe9a0

memory/2320-760-0x00000000007C0000-0x00000000008CA000-memory.dmp

\Users\Default\Desktop\UaCVWFATNNPN\yybob\TDPCONTROL.dll

MD5 4ff45827ec92e40935f9939142cd40dc
SHA1 cad74928f3387e6bf28c3625803706061e956b34
SHA256 012ed8d16e9f7586fe44c0affe5bea6ff68f27231a6526d439643869a103e434
SHA512 a3dfe7976e5ffb4ba0c68e218c0924568d343e7937abb50785107de5e0adc11ad58a86e02fabb455845fbe8e545e48b57a67eb647c664390ed521d255ff3befe

memory/2320-841-0x0000000000400000-0x00000000004AF000-memory.dmp

memory/2320-843-0x000000006B240000-0x000000006B29A000-memory.dmp

memory/2320-846-0x0000000010000000-0x0000000010021000-memory.dmp

memory/2320-845-0x0000000000240000-0x00000000002A5000-memory.dmp

memory/2320-844-0x00000000007C0000-0x00000000008CA000-memory.dmp

memory/2320-842-0x0000000000690000-0x00000000007B3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 04:17

Reported

2024-06-20 04:21

Platform

win10v2004-20240611-en

Max time kernel

151s

Max time network

158s

Command Line

C:\Windows\Explorer.EXE

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3312 created 3456 N/A C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe C:\Windows\Explorer.EXE

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Windows\syswow64\MsiExec.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
N/A N/A C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
N/A N/A C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\XSecurite.exe C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A
File created C:\Windows\SysWOW64\XSecurite.exe C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\FFLOADER.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\LostP C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\msvcp140_1.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\plugins\version C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\themes\isolinux.bin C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\pp_helper.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\TOFNC C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.CRT C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\OTGContainer.exe C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\lco.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.MFC\mfc90.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\msvcr120.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\NULL.bin C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\NVIDIA_GeForce_Experience_json C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\themes\ovfenv-vmware.xsd C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\CharMainoV1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\zlib1.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\version C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Lastname C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\msvcp120.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\themes\isolinux.bin C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\PSpendZ.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\qvlnk.bro C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\ATellPhon C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\intchar64 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\LostP C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\msvcr100.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\RX.EXE C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\CharMainoV1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\qvlnkbroV2 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\msvcp140_2.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\qvlnk.bro C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\vcruntime140.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\DataTransform.ini C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\intchar32 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\1.bat C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\bfcipc.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Bseziof C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\LICENSE.libdt C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\slist.dat C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\themes\ca.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\RunHours\es-419.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\RunHours\et.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\rar.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\settingV1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\zip.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\madDisAsm_.bpl C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\el.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\Microsoft.VC80.ATL.manifest C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\KwLayoutMgr.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\LostHe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\QMRtpDLL.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\SysP2.bat C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Browser_2 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\eE3myMsQE5fMQEaGfWHcwmTjYnsA1RTfNJe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\hipslog.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\common.xsd C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.CRT\msvcr90.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\settingss C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\vcruntime140_1.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\VNL.ini C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\XLGameUpdate-autostart.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\APXhttp.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\ebHost.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\WindowsInstallerMB\holder0.aiph C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened for modification C:\Windows\Installer\e57d532.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID59F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID63D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID69B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Fonts\WindowsInstallerMB\TS11.cab C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File created C:\Windows\Installer\e57d532.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID70A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{EAF3B236-F7BE-48D9-920D-2C3CD1BCB37B} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Fonts\WindowsInstallerMB\TS1.msi C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened for modification C:\Windows\Installer\MSIE0AF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE5A2.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000043e29724379355490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000043e297240000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090043e29724000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d43e29724000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000043e2972400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2880 wrote to memory of 4044 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2880 wrote to memory of 4044 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2880 wrote to memory of 4044 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 8 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe
PID 8 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe
PID 8 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe
PID 2880 wrote to memory of 2764 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2880 wrote to memory of 2764 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2880 wrote to memory of 2616 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2880 wrote to memory of 2616 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2880 wrote to memory of 2616 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2616 wrote to memory of 3732 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 2616 wrote to memory of 3732 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 2616 wrote to memory of 3732 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 2616 wrote to memory of 5932 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 2616 wrote to memory of 5932 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 2616 wrote to memory of 5932 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 2616 wrote to memory of 4080 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 2616 wrote to memory of 4080 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 2616 wrote to memory of 4080 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 3856 wrote to memory of 3312 N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe
PID 3856 wrote to memory of 3312 N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe
PID 3856 wrote to memory of 3312 N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe

"C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B16A6695DFAFDB14646E10062CB7608B C

C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe

"C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe" /i C:\Windows\Fonts\WindowsInstallerMB\TS1.msi AI_EUIMSI=1 APPDIR="C:\Users\Default\Desktop\UaCVWFATNNPN" SECONDSEQUENCE="1" CLIENTPROCESSID="8" CHAINERUIPROCESSID="8Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1718616496 " TARGETDIR="F:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe" AI_INSTALL="1"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 77BD6C15DBEB761600F8952E38D0E539

C:\Program Files (x86)\4352d88a78aa3975HHI.exe

"C:\Program Files (x86)\4352d88a78aa3975HHI.exe" x C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.HHC -o"C:\Program Files (x86)\Common Files\microsoft shared" -pf1d3ff8443297732HIF -aos

C:\Program Files (x86)\4352d88a78aa3975HHI.exe

"C:\Program Files (x86)\4352d88a78aa3975HHI.exe" x C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.AAX -oC:\Users\Default\Desktop\UaCVWFATNNPN\ -pf1d3ff8443297732NGH -aos

C:\Program Files (x86)\4352d88a78aa3975HHI.exe

"C:\Program Files (x86)\4352d88a78aa3975HHI.exe" x C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.KXF -oC:\Users\Admin\AppData\Roaming\ -pf1d3ff8443297732MUT -aos

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe

"C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe"

C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe

"C:\Program Files (x86)\Common Files\microsoft shared\VGX\Haloonoroff.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 ws9pnb42v0r6ip2vzo.oss-cn-hongkong.aliyuncs.com udp
HK 47.79.64.206:80 ws9pnb42v0r6ip2vzo.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 upuoup99999jigtewrngldf.oss-cn-hongkong.aliyuncs.com udp
HK 202.162.99.6:63531 tcp
HK 47.79.64.175:80 upuoup99999jigtewrngldf.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 206.64.79.47.in-addr.arpa udp
US 8.8.8.8:53 175.64.79.47.in-addr.arpa udp
HK 202.162.99.6:63531 tcp
HK 202.162.99.6:63531 tcp
HK 202.162.99.6:63531 tcp
HK 202.162.99.6:63531 tcp
HK 202.162.99.6:63531 tcp
HK 202.162.99.6:63531 tcp

Files

C:\Windows\Fonts\WindowsInstallerMB\TS1.msi

MD5 1351753a06e2e6571648e8bb973eed38
SHA1 2eda221eb389c428505a0dfeed4c8b0e424af1c6
SHA256 489d14a2058a380f9f47df51a4da684f3fa088772ec1a606b6cce3fc73804864
SHA512 6d5bcc71f4b0621f12641de32acce9e4a26c0916c27d3e3ffec7d0043c2e9634809d2e5a6b29bd0d6c46296b0de99d5953610e0961ba9173a3481f89f49b42ce

C:\Users\Admin\AppData\Local\Temp\MSI7252.tmp

MD5 0dd1f1ff906c4d1fc7ad962e994cad7f
SHA1 4d1549cf7ef6a63baf83280143d7797d4df4fa2d
SHA256 140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588
SHA512 8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\sys_close_hot.bmp

MD5 2b4492d6f63f5c41aa26de798f68b982
SHA1 2840f9587b63f203639a88731df67c22796155a9
SHA256 be759b55afdd188282204a5fb650ae8903d534a5d296278e225768415b8b8624
SHA512 fef57068682df050e5694b5fa10fc914830f9fc419c414ad156fb7fa155220d61088d1bebfe1829d95a2af3ee0d46867ecc2bc1fe78b3aeee3e648c127625f4b

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\sys_min_hot.bmp

MD5 02f22afae35430f2092e77bf1ca577b0
SHA1 91f97b9e65a972da62fa1f1254b6d1ef1f0e80b8
SHA256 d36ecf7b57c82496e41f7f5f36fcf21be7f0c061b999c5662f18530909ab6542
SHA512 fae0d6e818c987ef1c7829301b39da098e4766b4a33bac04a7b4d42e68a3b6df3d3a6b4c3e29d31bc0cb48b541c8316d4ecc3216f6c2aa7827e2df5aa1a57786

C:\Users\Admin\AppData\Local\Temp\MSI73EA.tmp

MD5 9b4b4ea6509e4db1e2a8f09a7c6f8f04
SHA1 512880abe3c9696edb042599bd199f1d05210aa2
SHA256 3774c31039cb87ed0327f49a00abd7b4211ac938a46378b8661cd5d8b3b34f94
SHA512 63b4788a3ad000c08582f55532dc06bf88bc4111837a63e8157e0f5f668225f46758f9481b6e526a5a813f4f0cc9be65fb4107d2135c61083274592af03ba608

C:\Users\Admin\AppData\Local\Temp\shi974E.tmp

MD5 77d6c08c6448071b47f02b41fa18ed37
SHA1 e7fdb62abdb6d4131c00398f92bc72a3b9b34668
SHA256 047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b
SHA512 e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

C:\Users\Default\Desktop\UaCVWFATNNPN\WHelp.dll

MD5 ac682bdb71c4193c99741e7a1be901ab
SHA1 9e61d347344decc056ff8a6980716a34c71a7617
SHA256 cc490a1d0203e350809cab3b3d6c9ce88173fb273a445168fab6fe0e2ff02329
SHA512 6fd9970e23115e38a0b5047d2064abe8fd4214cf1b8acca29746590091565e4c2d42da5685f7b7f0e0c8924aaa96029cb1d52bdb763d69b48bff559771f140de

C:\Windows\Installer\MSIE5A2.tmp

MD5 56ab5899ad5803f38145ea2a9ac5f80d
SHA1 c1b899b3caedae7d4ffc393e1a673c90a042cc6e
SHA256 da8d91e2c7c89bc9493c3db0b85f6f1934a86e1d360e12ae351ab5f8a47def0e
SHA512 78d04910f66450b04b62761efb7605a52d32a26c64f37057e5f3137665f01067b0da3aaf2d123bb94e060ac5e05ed8ac479958729c99d8792b9ecca2b1c87d78

C:\Users\Default\Desktop\UaCVWFATNNPN\QKFJSGCGWGRQ

MD5 7ad0ae80da103fe4b8274b7aaa3c0561
SHA1 d539a22a49015b1e6a098ea204ca50d84bd50b39
SHA256 cb776e5b3a087666ab840bbb4859222e2c92c86c65426ff93c3d91c03e05dd1c
SHA512 1c80122516eaff3728a5a6bf1252d65fe5ade07af47317cfe813a778042b78e9d80143308feb87c6a19e9e78d3ec4b571a397bad767f5558d877b48731719ee8

C:\Users\Default\Desktop\UaCVWFATNNPN\4352d88a78aa3975HHI.exe

MD5 fae7d0a530279838c8a5731b086a081b
SHA1 6ee61ea6e44bc43a9ed78b0d92f0dbe2c91fc48b
SHA256 eea393bc31ae7a7da3dba99a60d8c3ffccbc5b9063cc2a70111de5a6c7113439
SHA512 e75c8592137edd3b74b6d8388a446d5d2739559b707c9f3db0c78e5c30312f9fccd9bbb727b7334114e8edcbb2418bdc3b4c00a3a634af339c9d4156c47314b4

C:\Users\Default\Desktop\UaCVWFATNNPN\7z.dll

MD5 292575b19c7e7db6f1dbc8e4d6fdfedb
SHA1 7dbcd6d0483adb804ade8b2d23748a3e69197a5b
SHA256 9036b502b65379d0fe2c3204d6954e2bb322427edeefab85ecf8e98019cbc590
SHA512 d4af90688d412bd497b8885e154ee428af66119d62faf73d90adffc3eef086cf3a25b0380ec6fdc8a3d2f7c7048050ef57fcea33229a615c5dcda8b7022fa237

C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.HHC

MD5 a79c83162c432d885aa1e9ebaa4aee8b
SHA1 9e089545fb77b80b1be8c851af2f5629f08f705d
SHA256 788da5d96874e015ad464383738e39fe4bda9152f9aad79b683a3c9c97156402
SHA512 b2c5366dca80c608a52d27d32de7ea6b4aaf93f9d5998c57156f50f1e5e9eb609a9f2df8ce66bccf23e0399cd3362819fee43aaa08c602dc7b34d1e2ec83b66f

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\plugins\Microsoft.VC80.CRT.manifest

MD5 710c54c37d7ec902a5d3cdd5a4cf6ab5
SHA1 9e291d80a8707c81e644354a1e378aeca295d4c7
SHA256 ef893cb48c0ebe25465fbc05c055a42554452139b4ec78e25ec43237d0b53f80
SHA512 4d2ec03ff54a3bf129fb762fc64a910d0e104cd826acd4ab84ed191e6cc6a0fec3627e494c44d91b09feba5539ad7725f18158755d6b0016a50de9d29891c7e5

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\plugins\version

MD5 f1d3ff8443297732862df21dc4e57262
SHA1 9069ca78e7450a285173431b3e52c5c25299e473
SHA256 df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
SHA512 ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\plugins\Microsoft.VC80.ATL.manifest

C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.AAX

C:\Config.Msi\e57d533.rbs

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\TDPCONTROL.DLL

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\libcurl.dll

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\TDPSTAT.dll

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\UPSDK.dll

memory/3856-786-0x0000000010000000-0x0000000010021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_top_left.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_top_left_inactive.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_top_mid.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_top_mid_inactive.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_caption.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_caption_inactive.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_top_right.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_top_right_inactive.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_left.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_left_inactive.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_right.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_right_inactive.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_bottom_left.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_bottom_left_inactive.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_bottom_mid.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_bottom_mid_inactive.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_bottom_right.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\frame_bottom_right_inactive.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\sys_min_normal.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\sys_min_inactive.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\sys_min_down.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\sys_close_normal.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\sys_close_inactive.bmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_8\sys_close_down.bmp

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\TDPINFO.dll

memory/3856-783-0x0000000000C40000-0x0000000000D4A000-memory.dmp

memory/3856-781-0x0000000000BD0000-0x0000000000C35000-memory.dmp

memory/3856-779-0x0000000000AA0000-0x0000000000BC3000-memory.dmp

memory/3856-857-0x000000006B240000-0x000000006B29A000-memory.dmp

memory/3856-861-0x0000000010000000-0x0000000010021000-memory.dmp

memory/3856-860-0x0000000000C40000-0x0000000000D4A000-memory.dmp

memory/3856-859-0x0000000000BD0000-0x0000000000C35000-memory.dmp

memory/3856-858-0x0000000000AA0000-0x0000000000BC3000-memory.dmp

memory/3856-856-0x0000000000400000-0x00000000004AF000-memory.dmp

memory/3856-895-0x0000000002E70000-0x0000000003455000-memory.dmp

memory/3856-898-0x00000000005B0000-0x00000000005BB000-memory.dmp

memory/3312-910-0x0000000010000000-0x0000000010055000-memory.dmp

memory/3856-909-0x0000000010000000-0x0000000010021000-memory.dmp

memory/3856-908-0x0000000072310000-0x0000000072322000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4NMOWK91\AuLibV1[1]

memory/3312-946-0x00000000007A0000-0x00000000007CA000-memory.dmp

memory/3312-948-0x0000000074D40000-0x0000000074D4A000-memory.dmp

memory/3312-947-0x0000000074E10000-0x0000000074E18000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 04:17

Reported

2024-06-20 04:20

Platform

win11-20240611-en

Max time kernel

143s

Max time network

71s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Windows\syswow64\MsiExec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
N/A N/A C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
N/A N/A C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A
N/A N/A C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\WinCall C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\XLGameUpdate-autostart.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\livehis.dat C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\MemDefrag.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\PSpendZ.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\AARV1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\AARV2 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\QMAVProxy.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\qvlnk.bro C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\settingss C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Browser_1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\libtemp.bat C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\madExcept_.bpl C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.CRT\msvcr90.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\PSpendZ.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\CjLibV2 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Win.rbg C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\themes\cs.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\RunHours\et.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\msvcp120.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\ntvbld.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\pp_helper.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\4352d88a78aa3975HHI.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\hr.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\libmini.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\libmini.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\QMDns.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\vcruntime140.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\vcruntime140_1.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\VNL.ini C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\plugins\ar.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\vcruntime140.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Browser_2 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\DataTransform.ini C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\Microsoft.VC80.ATL.manifest C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\iopdate.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Optimizat\plugins\am.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Agent C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Lastnama C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Ntvbld64.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\zip.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Watson2.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Lastnymc C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Lost C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\LostHe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\CharMainoV1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\vmauthd.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\madDisAsm_.bpl C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\Microsoft.VC90.MFC\Microsoft.VC90.MFC.manifest C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\RX.EXE C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\AuLibV1 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\QdLibV2 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\dmEetfzcFeMLeUVb C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\Microsoft.VC80.ATL.manifest C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\LostShe C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\msvcp120.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\plugins\de.pak C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\version\settingV2 C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\DrawContent C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\HoursBroker\slist.dat C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\KwLogSvr.dll C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\Mellogdoc C:\Program Files (x86)\4352d88a78aa3975HHI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI6D5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAFD.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF53AEF6C413CAD291.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57fe26.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFF32.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Fonts\WindowsInstallerMB\TS11.cab C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File created C:\Windows\SystemTemp\~DFA69B223B63CCD1A7.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Fonts\WindowsInstallerMB\TS1.msi C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File created C:\Windows\Installer\e57fe26.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF7A0B458C9FFDD35C.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFE74.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{EAF3B236-F7BE-48D9-920D-2C3CD1BCB37B} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFF62.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF3ED6C50239EBB404.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Fonts\WindowsInstallerMB\holder0.aiph C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
File opened for modification C:\Windows\Installer\MSIFEE3.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000034da22877284b450000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000034da2280000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900034da228000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d034da228000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000034da22800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4964 wrote to memory of 4212 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4964 wrote to memory of 4212 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4964 wrote to memory of 4212 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4648 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe
PID 4648 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe
PID 4648 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe
PID 4964 wrote to memory of 2288 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4964 wrote to memory of 2288 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4964 wrote to memory of 4740 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4964 wrote to memory of 4740 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4964 wrote to memory of 4740 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4740 wrote to memory of 2140 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 4740 wrote to memory of 2140 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 4740 wrote to memory of 2140 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 4740 wrote to memory of 4756 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 4740 wrote to memory of 4756 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 4740 wrote to memory of 4756 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 4740 wrote to memory of 4100 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 4740 wrote to memory of 4100 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe
PID 4740 wrote to memory of 4100 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\4352d88a78aa3975HHI.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe

"C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 72FA88252F2EFEC746741D60C5868FB5 C

C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe

"C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe" /i C:\Windows\Fonts\WindowsInstallerMB\TS1.msi AI_EUIMSI=1 APPDIR="C:\Users\Default\Desktop\UaCVWFATNNPN" SECONDSEQUENCE="1" CLIENTPROCESSID="4648" CHAINERUIPROCESSID="4648Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1718616483 " TARGETDIR="F:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Taxsex.com.exe" AI_INSTALL="1"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding AE368145F53ED5DEBE8E11B3050C81A0

C:\Program Files (x86)\4352d88a78aa3975HHI.exe

"C:\Program Files (x86)\4352d88a78aa3975HHI.exe" x C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.HHC -o"C:\Program Files (x86)\Common Files\microsoft shared" -pf1d3ff8443297732HIF -aos

C:\Program Files (x86)\4352d88a78aa3975HHI.exe

"C:\Program Files (x86)\4352d88a78aa3975HHI.exe" x C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.AAX -oC:\Users\Default\Desktop\UaCVWFATNNPN\ -pf1d3ff8443297732NGH -aos

C:\Program Files (x86)\4352d88a78aa3975HHI.exe

"C:\Program Files (x86)\4352d88a78aa3975HHI.exe" x C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.KXF -oC:\Users\Admin\AppData\Roaming\ -pf1d3ff8443297732MUT -aos

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe

"C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe"

Network

Country Destination Domain Proto
GB 51.132.193.104:443 tcp
SE 192.229.221.95:80 tcp

Files

C:\Windows\Fonts\WindowsInstallerMB\TS1.msi

MD5 1351753a06e2e6571648e8bb973eed38
SHA1 2eda221eb389c428505a0dfeed4c8b0e424af1c6
SHA256 489d14a2058a380f9f47df51a4da684f3fa088772ec1a606b6cce3fc73804864
SHA512 6d5bcc71f4b0621f12641de32acce9e4a26c0916c27d3e3ffec7d0043c2e9634809d2e5a6b29bd0d6c46296b0de99d5953610e0961ba9173a3481f89f49b42ce

C:\Users\Admin\AppData\Local\Temp\MSI9BE3.tmp

MD5 0dd1f1ff906c4d1fc7ad962e994cad7f
SHA1 4d1549cf7ef6a63baf83280143d7797d4df4fa2d
SHA256 140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588
SHA512 8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\sys_close_hot.bmp

MD5 2b4492d6f63f5c41aa26de798f68b982
SHA1 2840f9587b63f203639a88731df67c22796155a9
SHA256 be759b55afdd188282204a5fb650ae8903d534a5d296278e225768415b8b8624
SHA512 fef57068682df050e5694b5fa10fc914830f9fc419c414ad156fb7fa155220d61088d1bebfe1829d95a2af3ee0d46867ecc2bc1fe78b3aeee3e648c127625f4b

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\sys_min_hot.bmp

MD5 02f22afae35430f2092e77bf1ca577b0
SHA1 91f97b9e65a972da62fa1f1254b6d1ef1f0e80b8
SHA256 d36ecf7b57c82496e41f7f5f36fcf21be7f0c061b999c5662f18530909ab6542
SHA512 fae0d6e818c987ef1c7829301b39da098e4766b4a33bac04a7b4d42e68a3b6df3d3a6b4c3e29d31bc0cb48b541c8316d4ecc3216f6c2aa7827e2df5aa1a57786

C:\Users\Admin\AppData\Local\Temp\MSI9CCE.tmp

MD5 9b4b4ea6509e4db1e2a8f09a7c6f8f04
SHA1 512880abe3c9696edb042599bd199f1d05210aa2
SHA256 3774c31039cb87ed0327f49a00abd7b4211ac938a46378b8661cd5d8b3b34f94
SHA512 63b4788a3ad000c08582f55532dc06bf88bc4111837a63e8157e0f5f668225f46758f9481b6e526a5a813f4f0cc9be65fb4107d2135c61083274592af03ba608

C:\Users\Admin\AppData\Local\Temp\shiE455.tmp

MD5 b40e4304f279119d9345be970babce41
SHA1 f76f5b30e7c333efcba1d4e19215ef1fd21d6943
SHA256 06285446d57089fe85b3b6127bbc92508773af458ad5cf20abf4570d41c0fee7
SHA512 ad7e6b30b3ba32d641737f499874f23ccda7c4539def0465d1723d579c79c5e3e981df8526d31f2eb79dc0fe572eb4b71a780eb63df11170d4b6a0786f588299

\??\Volume{28a24d03-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6b61cd2d-079d-431b-9325-2d91a3e640dd}_OnDiskSnapshotProp

MD5 f607378b30516ffea60265356f2a6d23
SHA1 a45d634a9b18714d393938173b946c18278515ef
SHA256 69dd96c87d7c6bf41b4e5f704f32b740ade39ae0ba5c55a6b8642dafc93fd9ea
SHA512 2e12296fb9849dbe0492ef17cc06aca8540527e3e6af8012d668cb9cb3546a30f0250c4a382f7321c205f2ed6d0f4b1ceb99f767d32c4ffa75c22c40e1c67bdf

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 f505906e32721519193a480f23ee83f8
SHA1 d66d5207fd2c6e55e121705965818198f62628e8
SHA256 8e84d589dfd73e5ffeb664ee47c73d776282770dcf861255c03b3e463bfcbacf
SHA512 49ca0b727c4150ea3616e63fab86e6e322708a0c10e9b63d8caeff74ec4d1bd53dc93cc99319fd0d29606e9ce21b7268a38f0060cd652c42e6144fbca180c0cf

C:\Windows\Installer\MSIAFD.tmp

MD5 56ab5899ad5803f38145ea2a9ac5f80d
SHA1 c1b899b3caedae7d4ffc393e1a673c90a042cc6e
SHA256 da8d91e2c7c89bc9493c3db0b85f6f1934a86e1d360e12ae351ab5f8a47def0e
SHA512 78d04910f66450b04b62761efb7605a52d32a26c64f37057e5f3137665f01067b0da3aaf2d123bb94e060ac5e05ed8ac479958729c99d8792b9ecca2b1c87d78

C:\Users\Default\Desktop\UaCVWFATNNPN\WHelp.dll

MD5 ac682bdb71c4193c99741e7a1be901ab
SHA1 9e61d347344decc056ff8a6980716a34c71a7617
SHA256 cc490a1d0203e350809cab3b3d6c9ce88173fb273a445168fab6fe0e2ff02329
SHA512 6fd9970e23115e38a0b5047d2064abe8fd4214cf1b8acca29746590091565e4c2d42da5685f7b7f0e0c8924aaa96029cb1d52bdb763d69b48bff559771f140de

C:\Users\Default\Desktop\UaCVWFATNNPN\7z.dll

MD5 292575b19c7e7db6f1dbc8e4d6fdfedb
SHA1 7dbcd6d0483adb804ade8b2d23748a3e69197a5b
SHA256 9036b502b65379d0fe2c3204d6954e2bb322427edeefab85ecf8e98019cbc590
SHA512 d4af90688d412bd497b8885e154ee428af66119d62faf73d90adffc3eef086cf3a25b0380ec6fdc8a3d2f7c7048050ef57fcea33229a615c5dcda8b7022fa237

C:\Users\Default\Desktop\UaCVWFATNNPN\4352d88a78aa3975HHI.exe

MD5 fae7d0a530279838c8a5731b086a081b
SHA1 6ee61ea6e44bc43a9ed78b0d92f0dbe2c91fc48b
SHA256 eea393bc31ae7a7da3dba99a60d8c3ffccbc5b9063cc2a70111de5a6c7113439
SHA512 e75c8592137edd3b74b6d8388a446d5d2739559b707c9f3db0c78e5c30312f9fccd9bbb727b7334114e8edcbb2418bdc3b4c00a3a634af339c9d4156c47314b4

C:\Users\Default\Desktop\UaCVWFATNNPN\QKFJSGCGWGRQ

MD5 7ad0ae80da103fe4b8274b7aaa3c0561
SHA1 d539a22a49015b1e6a098ea204ca50d84bd50b39
SHA256 cb776e5b3a087666ab840bbb4859222e2c92c86c65426ff93c3d91c03e05dd1c
SHA512 1c80122516eaff3728a5a6bf1252d65fe5ade07af47317cfe813a778042b78e9d80143308feb87c6a19e9e78d3ec4b571a397bad767f5558d877b48731719ee8

C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.HHC

MD5 a79c83162c432d885aa1e9ebaa4aee8b
SHA1 9e089545fb77b80b1be8c851af2f5629f08f705d
SHA256 788da5d96874e015ad464383738e39fe4bda9152f9aad79b683a3c9c97156402
SHA512 b2c5366dca80c608a52d27d32de7ea6b4aaf93f9d5998c57156f50f1e5e9eb609a9f2df8ce66bccf23e0399cd3362819fee43aaa08c602dc7b34d1e2ec83b66f

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\plugins\version

MD5 f1d3ff8443297732862df21dc4e57262
SHA1 9069ca78e7450a285173431b3e52c5c25299e473
SHA256 df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
SHA512 ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\plugins\Microsoft.VC80.CRT.manifest

MD5 710c54c37d7ec902a5d3cdd5a4cf6ab5
SHA1 9e291d80a8707c81e644354a1e378aeca295d4c7
SHA256 ef893cb48c0ebe25465fbc05c055a42554452139b4ec78e25ec43237d0b53f80
SHA512 4d2ec03ff54a3bf129fb762fc64a910d0e104cd826acd4ab84ed191e6cc6a0fec3627e494c44d91b09feba5539ad7725f18158755d6b0016a50de9d29891c7e5

C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\plugins\Microsoft.VC80.ATL.manifest

MD5 0bc6649277383985213ae31dbf1f031c
SHA1 7095f33dd568291d75284f1f8e48c45c14974588
SHA256 c06fa0f404df8b4bb365d864e613a151d0f86deef03e86019a068ed89fd05158
SHA512 6cb2008b46efef5af8dd2b2efcf203917a6738354a9a925b9593406192e635c84c6d0bea5d68bde324c421d2eba79b891538f6f2f2514846b9db70c312421d06

C:\Users\Default\Desktop\UaCVWFATNNPN\f1d3ff844329.AAX

MD5 7e7b2ecfaa0a1789892c3dae390ef3d6
SHA1 7f4531e0bd06060fabc2833b0a290efefb21a37e
SHA256 8cd53e015579257510501f6865a03308e7a66279b63326a39bb7b3bf5d25dd29
SHA512 4375848534a7afe3cc1d97eceaac63b09f49afd8236f1ea16afbd94d389957fbacca72f6412cfc978120d3427059c6fc27dd6e51c5209b164873df0a30ad218a

C:\Config.Msi\e57fe27.rbs

MD5 9f3826248af13774d2611e35f7b0a7a5
SHA1 a941d060b431286442f9443e1e91bfc4eec40735
SHA256 133d950cc82e6f12bad245dbee95bdcf62721c08ebab3a78b0b059c70e6eec78
SHA512 7fef16fd239b9b69a39d640895fc7c0b2f1bb4147d601573b58313ddc4d55d1b052a0a1db6b25a9e4995e030a4758e984b8c7afbdbab775435914ec5088fa30e

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\Bor32-update-flase.exe

MD5 938c33c54819d6ce8d731b68d9c37e38
SHA1 5debc5aecea887d17e342e3651006e1db351034f
SHA256 e705895392acd9768f413e35545c6581b3bac8c05dce97bc9af6a37be7cb7de3
SHA512 16deaf3b8c9a29b73d6530474f2a0bf5ac756d44a04d2468464fb78c9048ca9f1e1ebbcc91adfc74963b7083b0381a47f76c70baddeb44026c969125ea1c929a

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\sys_min_down.bmp

MD5 ba8de1a4fb2e3ca280cd7a3f72d28bcd
SHA1 4bcb1fbe1390eb0101df72725b34e364ec0cc551
SHA256 a3f47f44ad19a5e5b42204da311a883025f4f7d951bbd427edb3a20d759fc5e8
SHA512 dfc97335a12e1b33209e2dac7f222dbea7f71b93bcd6e4689dd409cbab6096c78210527f1abe0c3bb00bbe5cb38b3691b9355aa04d92975c3348b2096c141407

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_bottom_mid.bmp

MD5 445b2b911b105ced9b1a3a5caaa594dd
SHA1 c326010a040a6d19837360907745a7a05982254f
SHA256 ecfc46e3ba63cc8d7de04134a271b171d9efd714e4ce9611115836a5b4518e63
SHA512 1ded63a90006bd2bfddb1de399d0cb483e52a94113e43b3099b6bf3dc7a9a0c7ae74249ebaa600d0d184615661f2ff557b62ed65f073bfaefc4f84e0cb420360

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_top_left.bmp

MD5 d4757da90bf3a96d5ca1b7d8fedf0a1f
SHA1 c4be7503191c6926ad33853b05cc43ad87a6b1e8
SHA256 0e8b86d175526133e239a0a4dc6308c6b529d9b2db2e469ce5098a39f3432168
SHA512 b0fa9ac1b48e4c2d9e4289a65a4f8d46edeaaa5d43309089d67778ce72c72f2e352a792b10c24146c75e604f83158e5b0e665fc70df9886dfd4128f4b1fb2471

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\TDPSTAT.dll

MD5 b8253f0dd523bc1e2480f11a9702411d
SHA1 61a4c65eb5d4176b00a1ff73621521c1e60d28ea
SHA256 01cee5c4a2e80cb3fdad50e2009f51ca18c787bf486ce31321899cccedc72e0c
SHA512 4c578003e31f08e403f4290970bc900d9f42caa57c5b4c0aca035d92edc9921bf4034fc216c9860da69054b05f98dade5f6e218ac4bee991bc37a3ef572fe9a0

memory/5060-813-0x0000000000C60000-0x0000000000CC5000-memory.dmp

memory/5060-811-0x0000000000B50000-0x0000000000C5A000-memory.dmp

memory/5060-814-0x0000000010000000-0x0000000010021000-memory.dmp

memory/5060-809-0x0000000000A20000-0x0000000000B43000-memory.dmp

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\UPSDK.dll

MD5 d75e14313fc8a0850f3190ce67509475
SHA1 74474830bc0706e5c0a8b455a4e1b47d9f1de741
SHA256 e5c711bdb99ab55ebd96b3636c7396566c98acffd03df735a15f1e18936a718a
SHA512 a4260f1a9a77bc41fc54532bdbf51f831004767e08150bff95374663930bbe4fca81790aa4578c062674557a02a698ea798cfc00f2355f6b8fa71bf2915cbaaa

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\libcurl.dll

MD5 ec9483f4b8c3910b09caab0f6cb7cd1b
SHA1 9931aaa8e626df273ee42f98e2fc91c2078fdc07
SHA256 4d9cae6e2e52270150542084af949d7b68300e378868165ff601378a38f7048f
SHA512 84b60fe3cd0ede19933b37ae0eaeba1f87174a21bc8086857e57c8729cec88f9fef4b50a2b870f55c858dd43b070fd22ffec5cb6f4fd5b950d6451b05eb65565

C:\Users\Default\Desktop\UaCVWFATNNPN\yybob\TDPCONTROL.dll

MD5 4ff45827ec92e40935f9939142cd40dc
SHA1 cad74928f3387e6bf28c3625803706061e956b34
SHA256 012ed8d16e9f7586fe44c0affe5bea6ff68f27231a6526d439643869a103e434
SHA512 a3dfe7976e5ffb4ba0c68e218c0924568d343e7937abb50785107de5e0adc11ad58a86e02fabb455845fbe8e545e48b57a67eb647c664390ed521d255ff3befe

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_top_left_inactive.bmp

MD5 df94017171d579959895edc072d39120
SHA1 0c0facceafac06c603f125cc170973851796d961
SHA256 706d0ec93ab304f05f6d3b8b9da613ca404943e9dbff9061984b5417f15711f8
SHA512 2576993c63b702ee9c6428a7d2698f94d6b7afb5277b60a0f51979ab7494651ea68ed46c0448a6f7d6954455aec9dcf17755cf20e666a7267197adfd4d162a74

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_top_mid.bmp

MD5 440363d27344241cf3574cdc43cca3d5
SHA1 cdeb4f94ae64c5bbe4740c3773e9ea8c8502cac2
SHA256 358fe1e6b51dd850c2463506d20d341b6ac09194ce0844734cd5386a4d82692b
SHA512 4f7edee0f1e294995785f792ed03b74991c8cf8a750e996477fc8590e0645187fe9201bc4847cb4fcb790bdaff0ba29c4fdc7f7a088180514583eb3fda29c58d

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_top_mid_inactive.bmp

MD5 fc284f137a181d626cbfb9b980265a14
SHA1 af1dc42b8706f65e80b5aa021da38e7c48bf5ac5
SHA256 ebf14004abb9171efb791d5ed78d6f028f09775ec047bfe2bd9a3ad4dc431a0c
SHA512 aab8700806a42877b1b09379a606d49426cd0fa62c0856cc64bccfec6ed1e67130a908fb8d4feba6c6d1b8d530a5acb380fad9d6ed1a170103d3a90a35a788fd

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_caption.bmp

MD5 a8a4420fbe5dbe8fff5a4457fbdc0923
SHA1 4475046bf4a5b7af62099521d2a28df47eb14fc8
SHA256 4e504366b5a0b48020ee2e29beb17092010cedb50caa9a901bd6b2e921803582
SHA512 dac1a4fce6a95b965259eb7b92fa73bf532f3f2af929d5930538e16a2bab40d58384ea924ce63dac9235cb6e5585171a21b835ec2b2e359091bb2c7861263bc4

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_caption_inactive.bmp

MD5 3d8494dd57ae17b57726e6530fc60237
SHA1 09b19ee5fc72b2a07452ed242983c464e2ed5eb0
SHA256 196bf30cc41139ccaecb41584fcdc4a61842c246f81a3c7c4a6ba2a5bea4038c
SHA512 3e02e2c06c922ff58c7a6bb9e6b320e7e9a1dc70cd283986657b02ececf41219454a1d64b5fc02733744f1a2d31b507691b6854e362639ff943ad5e719238343

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_top_right.bmp

MD5 50656c6f33cb1490eee92cfcf2f4fa80
SHA1 ca5a3fe9b1f6130e6452cedf5d3734781f6e150b
SHA256 ef8fc7a18af77fed42bf20fd640543b0cfaf312a4c9dfc0c2f35ce1af9ae58e9
SHA512 b8e2e2945fcb5699e063bfdad3fc6ae72be96bf342883dc60b8ac81c4143888aa23ccf237b935f56b5f586afe4772eda39b443e0797385ed358638cb7052eec6

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_top_right_inactive.bmp

MD5 4178d84d2cd986063d2a7c91c57295d2
SHA1 fc5ea9402cd9c325716a2b79d070ac3e756c9f2f
SHA256 5365b988c102e46f73418ec36e0de5b1749c2080c3d2da660c507a9c505f333e
SHA512 aca1ca7e16049adf1b26dc8d26e99461069fd133587e748012347e66eef9bdb90fda0d197c86334667cc04b0289cfbe8fe8727eabf3bde9827a1066a71133a32

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_left.bmp

MD5 78e5adef0e9078c2a76ddea85c1c4dc4
SHA1 8da1ed8372eea6f5ce10154a52b5bd9bcbf1cc18
SHA256 84cf7696e5b73513bcf78b1611de3fac76e9f99cf9112dd9ea963850441b62fe
SHA512 a1f6ee057ad820ee4fe4bb9b9c7703da8bb9e47109ee384e828e6cb16cab7fc9a258e39d413ffdf40ca51e2275737f0b68acd32cf7c6577ee9d7740069a3da07

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_left_inactive.bmp

MD5 39cbd0b2cf89509c50ee74963f89f70d
SHA1 777755cb3e7eac9f8377552820dec7bf9d48fbfb
SHA256 a46d900fb1d3ba41e6f608587f4a4a414314f48a56cdca10716491415d38a07f
SHA512 8d4486150f12cf144d242735c9940c296deafffa4fd92029909f7b402c4f26f7b3e8ae9f2dfa5518edf5c8bfb6b622b6cbe3cd6ef39c4ec40eb601f3c51b310d

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_right.bmp

MD5 2e805b0982cda361e322e201df8cceff
SHA1 a199d51aac3ac44c62b7cf9afae22eea7932c63b
SHA256 c3f2a56930697c4db1ea99bad9f20d7b750f5795181a63eb608c57b7643edd22
SHA512 dade5a2dec58631d4f88129012ae941465397fb498ea52010b2c3abd1e7130d73d47c78bbea0a600b868bd655c2e2b1a141d683b20c7c01099f8e8f116659785

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_right_inactive.bmp

MD5 171e23cd227d985b89098c5cc632c144
SHA1 2349eca4f92e1d4dcc2d47bc3d166a7081a5485b
SHA256 c9d87fc1e021caf801e31e1359d3a13e1da0c484e3a21ea173d352f924e1a924
SHA512 d9ae5802b331b6b8f38e129bd1e4e07270b7469df2ddd627ef0d6dc7f1cf33f87c334de00ba35c3033108876291c67aefbf7b34b9434faa42c79a2aae6b4f036

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_bottom_left.bmp

MD5 0edd17e9905d463ce23fbae64563c8da
SHA1 2c26d30e1b7a5761f5048d9494349cafe40979d9
SHA256 237e098ed029198e9f7cfe71babd6bf9ff3962ed78a263dc7426ea663e601467
SHA512 fc358ad0f2e482ad51af201f2883259dfcf0d577db1be8cff2b9048f22827278cf0cb8a3f76475222d86be7e945ce9b34aa9b86fc625c908ffaea0ad6b1ea2c2

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_bottom_left_inactive.bmp

MD5 1b38ef93df0c5d4c6c2a10ca0115a28d
SHA1 17fa1779a66696f9ee1406da73133745eb4429dd
SHA256 4292ea3565b63946777d999352a1986e8f5950f1e8e51f030443f05dbdbde57d
SHA512 1b0b3c6fe0f359ae383d3d5b069341a900aff610e91d7752d4290fafe11ac73dff3ca349deb6599a6d358add4c769ae6cb05c2b751dbbce738bae4082167e8e4

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_bottom_mid_inactive.bmp

MD5 7610648b8e31404e1621a7a5b510b86d
SHA1 d51d517a8472bfe40c469afa8869385d5a0e9783
SHA256 48837b62a6a6bc71359ff74bbe8a672d6b23cc30344c12e006698f069890a2b3
SHA512 24b03969fd28de9919d86609bec03e6ed732ed78b8e0de3f2fe5253180817d1471e3ed004abb5ecd91885b6281cef1b8e508e38e6f76fdcfb88a29e308ac78dd

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_bottom_right.bmp

MD5 c288357164d52b2cfd695c792074323b
SHA1 c8b7b1ddb78c929ad56d8bbd57ff5449afa04be3
SHA256 709d6fdbe00694f7dc115e923188f62cdc72d39e739280a1aff072d1a49d2674
SHA512 8d07e5c163c9e4b0d04a861e00be1f578d7a77c2f3eba80deb3895b2b354d4015ff1905a2dfcdccc1b8ec839359dcc302e09f753623aa7f0df212540ce8a56b2

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\frame_bottom_right_inactive.bmp

MD5 2c84c848bbcd7bd57579d3431e8a363a
SHA1 5dc73f68798e73318d03979810bc00a4e94956d9
SHA256 f212b152d4647edcd36d2218713296afbf9ac5e86965c309df8f245fb89a06e3
SHA512 5af2bff30850458ef08340fe4ef9ae9e78d5ae1124c3a9dd365b6dd0e97a30ba079e466ec7f127485f5a89be7350d27371fee665b9d6214cd94532ed346effa3

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\sys_min_normal.bmp

MD5 eeda62be091f6ef68d9ba7d76c9cfd84
SHA1 822372b556a550dd93f931b1d115c888d611fd20
SHA256 3c746ad942bdd0a9b95414f80cd0e20c32251601a9d579bbdfdab6c9ad7414f8
SHA512 ee394717a1191ed3556ff9359d35861a475a96a14e4026f304d42156e357ec564522333ea745e90bfdcd2ee1a85a01316999ef9b601bdac47b6ed7015f0c8e14

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\sys_min_inactive.bmp

MD5 216e32733b99d128ba7b1de8748a5d12
SHA1 2b857cb52ce605e9b8470683468bf331a86a042d
SHA256 f856a6e498ef981476b85590200b3cba06b04c80329b434c1a3f89ba7c7240a3
SHA512 3ce39384e4e0138fcf1048819543ba6c6353ae32b597d64c06024f7bf63901d69d23ecf07fd6f754c56e5115a4dcabdb680bd98df86db5d8c729552f80be9d37

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\sys_close_down.bmp

MD5 4e21b56ffc64f5bc7c4248e33801b011
SHA1 39c05ba5b899f37d90b3722e7edc02149eeb365d
SHA256 ac4eeb5c037deab4e210ad8e6c3afd1816c27a64a92dea633fe982b912e680ac
SHA512 1464a774a4e4f27a1a739f8c7b721aeb47e17b4981a3f5496f9265b996677bbb98dc3310a34a5e56eb851225fa3bcbbc233a44a0751763beb095ef23e878cbff

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\sys_close_normal.bmp

MD5 8d5e21a5aabb3581d5e5a2e5907ef7fb
SHA1 f810a458cc0a28e72e65887a744ccd5be07f4b82
SHA256 5d70323dc723f965dfc29cf36e0ebafeafcf5e520d2beb905fec086ce22eefda
SHA512 86ee08e28a275d4051236dea338d5394cda2a0bb6b4fb9e7bfcc8e0403b9816221b554805fd53f7b5dfdd6eda4a8eedca23f435a510894e70e051c905953e197

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4648\sys_close_inactive.bmp

MD5 e7952db81da0e938aae851a1927682bd
SHA1 52d937797974c2a285a1456b133024107eea351d
SHA256 834c911f88c6a063e34f29060a3fbcc95afe267d868a57625e74e76c9ff1108f
SHA512 0e7facc4181e46cc748c0a6a47df02f0a459c06440409d366c8b0fc29218d05a3c1685f071aca4e58017e7e08449a3a02a5e6ba2e06ab68e6e3234e3766ef310

memory/5060-856-0x0000000000400000-0x00000000004AF000-memory.dmp

memory/5060-858-0x0000000000A20000-0x0000000000B43000-memory.dmp

memory/5060-861-0x0000000010000000-0x0000000010021000-memory.dmp

memory/5060-860-0x0000000000C60000-0x0000000000CC5000-memory.dmp

memory/5060-859-0x0000000000B50000-0x0000000000C5A000-memory.dmp

memory/5060-857-0x000000006B240000-0x000000006B29A000-memory.dmp