139c45fee905d4cb0d38140d76d4e954cde6ca22e78735cf996ad1eb45d0d4db

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aicoin-latestx64.exe
Size

156.8MB
MD5

45933925afe12e9bc47661200085818b
SHA1

29d1c227b3a30fc7b3a9d6d5a8fc249b2c1d4094
SHA256

139c45fee905d4cb0d38140d76d4e954cde6ca22e78735cf996ad1eb45d0d4db
SHA512

e179a59c0f3ff3ac89dfbf8fd62deb660067dcb794a64ad101296c3eb59309b0ba4776c223a6d1747de218bbe16ae97a7c8d6c69b3bbcd33361c074ac4817c7e
SSDEEP

3145728:MblbdMCCtZIoxx0aC7Gum+p6rLsVr2yBDLJhzqjD4g/BbvL/SxDvBbjp:6lZCYov0aC7nzsr4VvOP4ub7SxDvpp

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WdsUnattend.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WdsUnattend.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	AICoin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	AICoin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	aicoin-latestx64.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WdsUnattend.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	AICoin.exe

Executes dropped EXE 11 IoCs

pid	Process
3484	aicoin-latestx64.tmp
2304	WdsUnattend.exe
4392	AICoin.exe
3920	AICoin.exe
3052	AICoin.exe
4684	AICoin.exe
4532	AICoin.exe
2180	AICoin.exe
5084	AICoin.exe
1708	AICoin.exe
5028	AICoin.exe

Loads dropped DLL 37 IoCs

pid	Process
3484	aicoin-latestx64.tmp
3484	aicoin-latestx64.tmp
3484	aicoin-latestx64.tmp
3484	aicoin-latestx64.tmp
3484	aicoin-latestx64.tmp
3484	aicoin-latestx64.tmp
2304	WdsUnattend.exe
2304	WdsUnattend.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
3920	AICoin.exe
4392	AICoin.exe
3052	AICoin.exe
3052	AICoin.exe
3052	AICoin.exe
3052	AICoin.exe
4684	AICoin.exe
3052	AICoin.exe
4532	AICoin.exe
2180	AICoin.exe
5084	AICoin.exe
5084	AICoin.exe
5084	AICoin.exe
5084	AICoin.exe
5084	AICoin.exe
1708	AICoin.exe
1708	AICoin.exe
1708	AICoin.exe
1708	AICoin.exe
1708	AICoin.exe
5028	AICoin.exe
5028	AICoin.exe
5028	AICoin.exe
5028	AICoin.exe
5028	AICoin.exe
5028	AICoin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WdsUnattend = "C:\\AICoin2.11.2.3 a1T\\aicoin\\WdsUnattend.exe"	WdsUnattend.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WdsUnattend.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AICoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AICoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AICoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AICoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AICoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aicoin-latestx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AICoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AICoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AICoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aicoin-latestx64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AICoin.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	WdsUnattend.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	WdsUnattend.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	WdsUnattend.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	WdsUnattend.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	WdsUnattend.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	WdsUnattend.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	WdsUnattend.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	WdsUnattend.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WdsUnattend.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WdsUnattend.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AICoin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	AICoin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	AICoin.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WdsUnattend.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AICoin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	AICoin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	AICoin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AICoin.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	WdsUnattend.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WdsUnattend.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	WdsUnattend.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	WdsUnattend.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	WdsUnattend.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\aicoin\shell\open	AICoin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\aicoin\shell\open\command\ = "\"C:\\AICoin2.11.2.3 a1T\\AICoin.exe\" \"--protocol-launcher\" \"%1\""	AICoin.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\aicoin	AICoin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\aicoin\URL Protocol	AICoin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\aicoin\ = "URL:aicoin"	AICoin.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\aicoin\shell\open\command	AICoin.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\aicoin\shell	AICoin.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AICoin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AICoin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AICoin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AICoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	AICoin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	AICoin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	AICoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	AICoin.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3484	aicoin-latestx64.tmp
3484	aicoin-latestx64.tmp
3920	AICoin.exe
3920	AICoin.exe
3920	AICoin.exe
3920	AICoin.exe
3920	AICoin.exe
3920	AICoin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe
Token: SeShutdownPrivilege	4392	AICoin.exe
Token: SeCreatePagefilePrivilege	4392	AICoin.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
3484	aicoin-latestx64.tmp
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe
4392	AICoin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 3484	208	aicoin-latestx64.exe	87
PID 208 wrote to memory of 3484	208	aicoin-latestx64.exe	87
PID 208 wrote to memory of 3484	208	aicoin-latestx64.exe	87
PID 3484 wrote to memory of 2304	3484	aicoin-latestx64.tmp	100
PID 3484 wrote to memory of 2304	3484	aicoin-latestx64.tmp	100
PID 3484 wrote to memory of 2304	3484	aicoin-latestx64.tmp	100
PID 2304 wrote to memory of 4392	2304	WdsUnattend.exe	101
PID 2304 wrote to memory of 4392	2304	WdsUnattend.exe	101
PID 2304 wrote to memory of 4392	2304	WdsUnattend.exe	101
PID 4392 wrote to memory of 3920	4392	AICoin.exe	102
PID 4392 wrote to memory of 3920	4392	AICoin.exe	102
PID 4392 wrote to memory of 3920	4392	AICoin.exe	102
PID 4392 wrote to memory of 1560	4392	AICoin.exe	103
PID 4392 wrote to memory of 1560	4392	AICoin.exe	103
PID 4392 wrote to memory of 1560	4392	AICoin.exe	103
PID 1560 wrote to memory of 1132	1560	cmd.exe	106
PID 1560 wrote to memory of 1132	1560	cmd.exe	106
PID 1132 wrote to memory of 1624	1132	cmd.exe	107
PID 1132 wrote to memory of 1624	1132	cmd.exe	107
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 3052	4392	AICoin.exe	108
PID 4392 wrote to memory of 4684	4392	AICoin.exe	109
PID 4392 wrote to memory of 4684	4392	AICoin.exe	109
PID 4392 wrote to memory of 4684	4392	AICoin.exe	109
PID 4392 wrote to memory of 4532	4392	AICoin.exe	110
PID 4392 wrote to memory of 4532	4392	AICoin.exe	110

C:\Users\Admin\AppData\Local\Temp\aicoin-latestx64.exe
"C:\Users\Admin\AppData\Local\Temp\aicoin-latestx64.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\AppData\Local\Temp\is-OBT09.tmp\aicoin-latestx64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OBT09.tmp\aicoin-latestx64.tmp" /SL5="$902A0,163510429,737280,C:\Users\Admin\AppData\Local\Temp\aicoin-latestx64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\AICoin2.11.2.3 a1T\aicoin\WdsUnattend.exe
    "C:\AICoin2.11.2.3 a1T\aicoin\WdsUnattend.exe" zsOazeq
    3⤵
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\AICoin2.11.2.3 a1T\AICoin.exe
      "C:\AICoin2.11.2.3 a1T\AICoin.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies registry class
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\AICoin2.11.2.3 a1T\AICoin.exe
        
        "C:\AICoin2.11.2.3 a1T\AICoin.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\aicoin /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\aicoin\Crashpad --url=https://f.a.k/e --annotation=_productName=aicoin --annotation=_version=2.10.5 --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=22.3.27 --initial-client-data=0x494,0x49c,0x4a0,0x470,0x4a4,0x86fed38,0x86fed48,0x86fed54
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "%windir%\sysnative\cmd.exe /c %windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\sysnative\cmd.exe /c C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\System32\reg.exe
        
        C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
        7⤵
        
        PID:1624
    - - C:\AICoin2.11.2.3 a1T\AICoin.exe
        
        "C:\AICoin2.11.2.3 a1T\AICoin.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\aicoin" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1804,i,17710363074787744089,15244809639006156437,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3052
    - - C:\AICoin2.11.2.3 a1T\AICoin.exe
        
        "C:\AICoin2.11.2.3 a1T\AICoin.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --ignore-certificate-errors --ignore-certificate-errors --user-data-dir="C:\Users\Admin\AppData\Roaming\aicoin" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2028 --field-trial-handle=1804,i,17710363074787744089,15244809639006156437,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4684
    - - C:\AICoin2.11.2.3 a1T\AICoin.exe
        
        "C:\AICoin2.11.2.3 a1T\AICoin.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\aicoin" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-user-model-id=com.aicoin.desktop --app-path="C:\AICoin2.11.2.3 a1T\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2416 --field-trial-handle=1804,i,17710363074787744089,15244809639006156437,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4532
    - - C:\AICoin2.11.2.3 a1T\AICoin.exe
        
        "C:\AICoin2.11.2.3 a1T\AICoin.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\aicoin" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-user-model-id=com.aicoin.desktop --app-path="C:\AICoin2.11.2.3 a1T\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1804,i,17710363074787744089,15244809639006156437,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2180
    - - C:\AICoin2.11.2.3 a1T\AICoin.exe
        
        "C:\AICoin2.11.2.3 a1T\AICoin.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\aicoin" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2892 --field-trial-handle=1804,i,17710363074787744089,15244809639006156437,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5084
    - - C:\AICoin2.11.2.3 a1T\AICoin.exe
        
        "C:\AICoin2.11.2.3 a1T\AICoin.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\aicoin" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1944 --field-trial-handle=1804,i,17710363074787744089,15244809639006156437,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1708
    - - C:\AICoin2.11.2.3 a1T\AICoin.exe
        
        "C:\AICoin2.11.2.3 a1T\AICoin.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\aicoin" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1860 --field-trial-handle=1804,i,17710363074787744089,15244809639006156437,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AICoin2.11.2.3 a1T\aicoin\CKeyboardH.dll

Filesize
5.4MB

MD5
7a8d9d83a7974b83a3ef0c86ecb47bed

SHA1
ecbc53e0244e86fab58cd902ea9321f929a9ab8e

SHA256
39600f06373a6878422f1cc97a4c054c404dafca9466a7dc4b7104f00bd7e80b

SHA512
465b2b5aefe1b9940b6e12350bca00fc864955e01e1791309e0fee4d5e0f04b3aa04f4b833ee578df6eed32fe8eca744614e3833dbf3e2dc59da4f8e19a2ebdc

Download Submit
C:\AICoin2.11.2.3 a1T\aicoin\WdsUnattend.5hd

Filesize
4.0MB

MD5
1dbdcad4390f6c3ca5865590ff835732

SHA1
49dbfe6140b43c89a3db46d59298cdd8d44b35ad

SHA256
580e2a6ef26b4bfaeb1dbe8ab14020f2cfe4c882bf7c006c7e5bcdbbc4476497

SHA512
e81cb299894fa93fd88184b2536257f0903941f1a281c90ebaef68ead7a712b6a4902fc1c53809a23ca79fd006f2362534661ae17b6c7474b9e1e8363fa5dcc3

Download Submit
C:\AICoin2.11.2.3 a1T\aicoin\WdsUnattend.exe

Filesize
34KB

MD5
dde4e4e601e8b0e7d1621167b709adb4

SHA1
cf152fff93d8bfc7bcde44e41954a36600c4c599

SHA256
53a5ebfe5356da897d550be1017f0c7334d8d9971288abf1398661e288cd983a

SHA512
f9b561ea64f374fa3548a09e26a00ea07baa2fd2d328ebc3668e793c4ebd6c44e8f66f04634a8e3f87b6888f60cc4eb663d073f4384a49b8a435dcc56a6ac8a4

Download Submit
C:\AICoin2.11.2.3 a1T\aicoin\WdsUnattend.txt

Filesize
22B

MD5
104d578bfd3365d7c17687edd70bd37b

SHA1
91016b94d4b9e86aa1f7c377c05f266ccf863d30

SHA256
26426645008f8ce48092ad735aa0f8ed40cf411196b0b425fb5fcef58db20560

SHA512
7a87e7d98edc2559dabf206d22e539f50e624e48150e07474208bfe24dff4c80c9071f2f415dc1eb56928357da2a598291bdd0abccb4d3b22bb0ae84c93e340f

Download Submit
C:\AICoin2.11.2.3 a1T\chrome_100_percent.pak

Filesize
126KB

MD5
d31f3439e2a3f7bee4ddd26f46a2b83f

SHA1
c5a26f86eb119ae364c5bf707bebed7e871fc214

SHA256
9f79f46ca911543ead096a5ee28a34bf1fbe56ec9ba956032a6a2892b254857e

SHA512
aa27c97bf5581eb3f5e88f112df8bfb6a5283ce44eb13fbc41855008f84fb5b111dfe0616c310c3642b7f8ac99623d7c217aecc353f54f4d8f7042840099abc5

Download Submit
C:\AICoin2.11.2.3 a1T\chrome_200_percent.pak

Filesize
175KB

MD5
5604b67e3f03ab2741f910a250c91137

SHA1
a4bb15ac7914c22575f1051a29c448f215fe027f

SHA256
1408387e87cb5308530def6ce57bdc4e0abbbaa9e70f687fd6c3a02a56a0536c

SHA512
5e6f875068792e862b1fc8bb7b340ac0f1f4c51e53e50be81a5af8575ca3591f4e7eb9239890178b17c5a8ff4ebb23719190d7db0bd8a9aa6dcb4308ffa9a34d

Download Submit
C:\AICoin2.11.2.3 a1T\d3dcompiler_47.dll

Filesize
3.9MB

MD5
ab3be0c427c6e405fad496db1545bd61

SHA1
76012f31db8618624bc8b563698b2669365e49cb

SHA256
827d12e4ed62520b663078bbf26f95dfd106526e66048cf75b5c9612b2fb7ce6

SHA512
d1dc2ec77c770c5da99e688d799f88b1e585f8dcf63e6876e237fe7fce6e23b528e6a5ef94ffc68283c60ae4e465ff19d3fd6f2fae5de4504b5479d68cbc4dba

Download Submit
C:\AICoin2.11.2.3 a1T\ffmpeg.dll

Filesize
2.4MB

MD5
c921230b4bbe802f0d797db79d0009b9

SHA1
dd852ce1f82b2daadfb85efa9c53e3264e1d401e

SHA256
02a6d001e6dd944738e09b720e49dcb1272cb782b870e5ae319d4600bc192225

SHA512
6acdda7d638609ffa1989e50dde5a51436ae3d98e036b24ffc2c3f08bc0d39e91a5a2ea427063645f3141f06e7c272ca45fd41333d6770f8402651489a0f6da7

Download Submit
C:\AICoin2.11.2.3 a1T\icudtl.dat

Filesize
10.0MB

MD5
76bef9b8bb32e1e54fe1054c97b84a10

SHA1
05dfea2a3afeda799ab01bb7fbce628cacd596f4

SHA256
97b978a19edd4746e9a44d9a44bb4bc519e127a203c247837ec0922f573449e3

SHA512
7330df8129e7a0b7b3655498b2593321595ec29445ea193c8f473c593590f5701eb7125ff6e5cde970c54765f9565fa51c2c54af6e2127f582ab45efa7a3a0f6

Download Submit
C:\AICoin2.11.2.3 a1T\libEGL.dll

Filesize
375KB

MD5
51cc9f3891cfe33e095f901c8e5f121d

SHA1
03ac95d250969e65a3ede7a29c3e5425ccdd9fe1

SHA256
961aff31cab097ebb973a32140c4f87c415734412771cf1fdfe24ddc675b54c2

SHA512
3351898af8c75afa8df3f300416bc9d40f4ead90ea947876140ec54a015fafd149427a9dfb5b7c8239ae229839edd786561a5a73ffe37f29758946fd18730039

Download Submit
C:\AICoin2.11.2.3 a1T\libGLESv2.dll

Filesize
6.4MB

MD5
fb74e837a2ebbf59afeb09106644a9ab

SHA1
55225fcc692aa332f698960c3dc1140d791d1fa1

SHA256
e6ab5fc601d0d230c989d2f481b37c259a0a1fffb7fb841b7099a5e966f0088a

SHA512
585e464de076d6d2560288fe9430004430effb0599134bfb30fabb7bad3cdccff9458d21d17f580823a308cd6472f36d1f1ce6a04e568ba6dcca2e68fd39d63f

Download Submit
C:\AICoin2.11.2.3 a1T\locales\en-US.pak

Filesize
313KB

MD5
3f6f4b2c2f24e3893882cdaa1ccfe1a3

SHA1
b021cca30e774e0b91ee21b5beb030fea646098f

SHA256
bb165eaa51456b52fcbdf7639ee727280e335a1f6b4cfb91afc45222895b564f

SHA512
bd80ddaa87f41cde20527ff34817d98605f11b30a291e129478712ebebe47956dbd49a317d3eeb223adf736c34750b59b68ad9d646c661474ad69866d5a53c5c

Download Submit
C:\AICoin2.11.2.3 a1T\resources.pak

Filesize
5.1MB

MD5
f5ab76d2b17459b5288b6269b0925890

SHA1
75be4046f33919340014a88815f415beb454a641

SHA256
4f29587bcd952de1dbc0b98df0aa506bd9fcf447e6a7258c5eb7e9eb780e6d6c

SHA512
6ec6a08418743adb5e20218b73169be4f45f5458592219497c3718e620e37871876788937418f1341e0023c1137f9cac715e6bb941f4690febdda993b072feab

Download Submit
C:\AICoin2.11.2.3 a1T\resources\app.asar.unpacked\node_modules\@aicoin\cryptaddon\build\Release\Aicoin_Crypt_Addon.node

Filesize
584KB

MD5
f382df566c4c39c7009f5a6c71ba1046

SHA1
26744f7c85bca2a66de0e6782c09acb46ad20adf

SHA256
24d7fa23ca538107059ca988688c27e174122c24cceb3f9f45731b3a193fb2c8

SHA512
aa4ca433f48c5d414a6db450c46d6faa48d59194505a6abfa4eeb7f85122bb35956874ba0c6c67d59b20d2b84fdeacaa9c7226894b19568273fb03c0a4b52d05

Download Submit
C:\AICoin2.11.2.3 a1T\resources\app.asar.unpacked\node_modules\better-sqlite3-multiple-ciphers\build\Release\better_sqlite3.node

Filesize
2.3MB

MD5
ced6ee32a2c8932815eb81d59b3d7590

SHA1
f624f13f0a049d5f989ad7205fa8586527185381

SHA256
b15ad765f47986cdc3a020707f4ec8c24e2c741c9f5913770251c3678ffde180

SHA512
a44705c3709aae38cdcc7255cf21fde3eba272c2355ab6447b5823bc0a7467b14ea2a88b29d680e8880a333016f6a8fc698e41890255d7aed4f4a44f4362c39b

Download Submit
C:\AICoin2.11.2.3 a1T\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node

Filesize
528KB

MD5
12ec9fff67594ce2b3611ee2ae43cfe0

SHA1
e35352fd4fd46a8591d9dd41a163f4b2aa0b5bc4

SHA256
c19fa9a13590e85b15db5bfab4b31505027eac5eaa4a1d1a10c8e8ed3e5849b4

SHA512
bd4410a5f86a24bee3262fcd504b1b55276bdf4d3c4663a26d9e5406968a7ef4152547e4e645055ae7c9bfd224270953cf1e0f84a6be6b541e18d3db1c197a30

Download Submit
C:\AICoin2.11.2.3 a1T\v8_context_snapshot.bin

Filesize
585KB

MD5
b32cbc4a5ff34f441e8e0c264aa61849

SHA1
435d88a3e50ff85b6030c4c6e8918161fa340201

SHA256
4f72c7b625b64d38f819a970cfff5921ff4080e27de84b00b9a7cf8be15277c5

SHA512
7c13eedfab9fba821d5a26e5ba81444a84b48aff13a7cd508c03f7ea113997c2edf7126e5547e16fb3e98a942f0070a5d597c25971afbde92b46125085b57b4e

Download Submit
C:\AICoin2.11.2.3 a1T\vk_swiftshader.dll

Filesize
4.3MB

MD5
ad00a712203b9dfb702d886e43d215e6

SHA1
1921d4d14b5ac0a669f69cd852a41eba8377a434

SHA256
01742049534047b956328b9a0ca57f720e957edb684a6a0d70acc992e2b684fc

SHA512
f4672dce073c940fe3b9f9687fc9a195b5d0a6e51bb92c91047775be244ce95a2c743947eb05299d77cb3c8b914821984bb98182bc9afdc35e3963148f5562e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8204b96-e178-4c8d-b580-efcc525b8a5d.tmp.ico

Filesize
74KB

MD5
91d440a08e8cf72938c42c7eaeb0ce2a

SHA1
43855c111c696588ca0b8c28d5d4956a58b14566

SHA256
7c8ce62bd44899ee889d025c2dda07bde3824aa1326dfdf50bdafdef7c83cbad

SHA512
2861fb0325f8c1acef0ce2328cb30b56d2d840ffd4ee68e4c00bd8ea7f4109b209e89572d201f25a8cbd97df82fb5792ad67da3c3d63cbe50527a59265047174

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\background_finish.png

Filesize
145KB

MD5
825b89655e28d2b63e79ab3c7e5149ef

SHA1
1b3785bdd7c56206f58fe2df0f0aca559294b498

SHA256
68bf9818fcd2fca56379a467815a322ebf836d98e06e432a366d4e7cedafb658

SHA512
40a2ece65eef2c2cff2c75fa280e2c41666a83bcc0e5cb8d3a04797e86b7154b9c894433823e6650b2fd0234b43ec736f9a6f7fc2ea1d94b3adb664f405176f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\background_installing.png

Filesize
176KB

MD5
d61bec7dff9508f385ad11ea6c3b83f7

SHA1
70c91c4e917842d245069dbc9843de7489b8f143

SHA256
d3a38c6f063ac100700dc65efd1b36b1730ef7f8786bc1008bd2e6d5e1ebaca4

SHA512
643addb428af5ed0beb850c381be9329cf909d10ba0495f8d1cffb444c37894808d6962baf124c1cc625ada34b23774ca7739d75d70c1a341b184d298c567aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\background_messagebox.png

Filesize
4KB

MD5
d1a4f5ba76b7e7a702f13fbd9bbb76c7

SHA1
2c8e3fbf70f0a89a833c3607fface79a9072d324

SHA256
bcd3b5b4f4fb5a956a6ad14236567dcb1117b621713c50483433d7af1011e724

SHA512
6afc8c206f4cc9969bcc4ba373f05742ea318733891a145ef580f4116170c9fcab4479d8955e58f23d3cf445fdc9ed5eceabd086ce2324fc751f5bbb89d9d578

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\background_welcome.png

Filesize
150KB

MD5
cae707bd9eb5abfd065c6d5145549cee

SHA1
e47ce3d703beb58366cc3075bc858f3ba5f103e8

SHA256
2f7ba5736572a75b3ba53667e232fc28c77950cde0db5962dad8e389ace34140

SHA512
a9932287d5be67f359279f9438beb4e2e5cfde417a82c69f674e2aa82f6a08efe3cf6feeac49c0a3f20508ee3eee72350e23b999c0f1fb28576f928b993e1788

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\button_browse.png

Filesize
13KB

MD5
d724d25b757d8f203cd6777da8cd17a8

SHA1
51ac4866ba5550c73512a05fa4cccf36beb05a61

SHA256
78114fdef066f771aa842a682f0e71deb06b98a1b065689611814ba165460fc0

SHA512
183b1eccbf901f21ef992df79024b6bd2fa49e5e6599298ddeed9dfdb647d58a6407b519f5eeebc9a2c4eb6c9afb12e80ee5f3233d8ad7f8145496d569737fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\button_cancel.png

Filesize
6KB

MD5
fb8e04322eee99db624e395d969dbc59

SHA1
4ac99299b54c657c0d40679fc6e4f3840638ca58

SHA256
e5a6d0c5f16ca8bebd882dfac1b77336b477ea22f7b22bde72580824dd2d94e9

SHA512
90020fe26f252e4277235eed8f91da5754373f0fdcde0cff6c7bcf8ece5c2ee66c952ef884a69664fe412c55ea9cae1933fad1a0d9c626bdd836e6a177cef0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\button_close.png

Filesize
3KB

MD5
2b29884a02b398ef5b3d4cb2db1e5c34

SHA1
a8f7e6525378b22185a0bd3010d1b86fca1a9c2f

SHA256
789e0fd796fa36c23f053acc85dbcc1c03035f93b92cce76840811d8b898b025

SHA512
9093d8c0910118c3dbc1170b183738530fd7bdace1d0e7f839fcee701a807de17d9c1da5d2b9da06ac7ec9b0c89db99f3461c4ae5c553a52c22cfb413ee41883

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\button_customize_setup.png

Filesize
10KB

MD5
9fd5cf39cb1d65a7dd9fc7396fc03550

SHA1
41179665031dc8031197ee7450fc49b3efba052f

SHA256
adf67d4817b7061ef2ceb74375e1216908df908b4da839a70c275c66f4130193

SHA512
a951745de5fe3925add368eeaf57e6e67a7fa021df2289a3e6b64313890f60fc1a7e5aee49fa489cf268b63cad27c0d78daee1679a518aab4b25bcb9c8498a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\button_finish.png

Filesize
15KB

MD5
ad97fd4c6b284c686ad23f3212d7389c

SHA1
4e82f8151a7b58f7a9afa8d6f6db97684c78c2a9

SHA256
411caa8d2b27c64c092d0e673e4ae06fdef0d7d50e31dfb1b3b3f51d38cc2253

SHA512
cff27c4b705ac0bd44cc58d58496d54477da8bbc9ed6b4ad1ff5c05940654c1ad35be8d8ef6f136f5e9e96789b9ed62a2b0c83daef28c18f3224ea5a368ed86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\button_license.png

Filesize
11KB

MD5
410c7780e6700028ab373f9efe75f728

SHA1
4c6eb2e50b83e2bc8f58aa0b643a549028b16603

SHA256
16f20688f713c3bee746bd0d745f843c99f6c360f71b44aa5713f9d5fae2cf75

SHA512
0e63f245dc8e8799376b3f7e33da5a2f40e3788b7e1541e07e8e171b91c6e4dd0a0f9bca0a02cd6d4e34618bcc112bea29d2d99e19e44aac3a8ad5029e9ef790

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\button_minimize.png

Filesize
3KB

MD5
53377fd010771582b62621793237d97c

SHA1
7028bce353330e3fc2cfe0e3c94a9cb7c1f116e7

SHA256
7967738a3a3bd46f2c128eb9d66183c93dbb56cf51e08aa439162f999fc952a1

SHA512
a62a7813d60429b7532797f53878acac02975bd13524c496626219180f498033127870659cc96f4fecbcd67976140b904443e93d3a193d149027906f5dcb15d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\button_ok.png

Filesize
6KB

MD5
558e7219fc377b63365513c4e017cf24

SHA1
ac508857ab9657abc0f731ff09712bbafadd1f0b

SHA256
43818ff077e39e82519171f9525ba3be84e584252d42946733a07a3f39455466

SHA512
dfdec62bf1e1cf0f6f0eb9c825e75bcf1d7eacb7925acf8b4e19fd4f382cb95e8e01c14fde3cc58c9e47d26b296c34dfb469c42d1aa67670ad511a3698ee31f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\button_setup_or_next.png

Filesize
16KB

MD5
f759680e272b5fc9e60738b7dbbbc623

SHA1
defcdd008ddb3a3d5e4da4824f6114649c2e2c23

SHA256
ea9a1ac0057cf97ff422d306526ea3d73345673bd82f4fdffc2c4313fdb74b31

SHA512
cb2dc79e28edeaaa415653165e23c21236a6535bec6737349d5e9af69e5f92531d1c7da9ff55df10a09bc7731ab15fd4385d6436e78dd7a00792a0848c54eac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\button_uncustomize_setup.png

Filesize
10KB

MD5
aa5886c0e8b173955df656efbcbc00d4

SHA1
a05b410e756d4b2b6c30a448a55777691c55b2dd

SHA256
7b4577498af66c8f3b2e69f65a36306395826fbfd21c8e8b227ab760c793b5d1

SHA512
15d74e888d5490478da9b5e429509cb864fdbc7ac0ad368353b5043fd07923e2d7ead94907ccb458b84f19022d8be1def8bed5c58866d20181206792be7b49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\checkbox_RunApp.png

Filesize
18KB

MD5
d940cc6ffe0711645658760a85fd7205

SHA1
34d0bece8d647c23cf22d736ab5d07c0514ffabe

SHA256
87ebac7c4c2120f7e12be062da1c225c7b180aabc2682a6be3ae18f3cdd5198c

SHA512
a89197a2b18bdc9955b11fe2fce449c5ff6c5cd2d6f53af75c9a0494018a6fc59ef7f1bec2c494520970967606a79072e77853d6d0c76393de50d684a54b3614

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\checkbox_license.png

Filesize
27KB

MD5
e1ca6a42984d8b7ededb48a3f7133791

SHA1
b1c13e402f939ac9f00a795482a6f4b80b27a5bd

SHA256
023cca5e5bbab5aed27e5290d91a14573a0178d8cfaac73d402221c78c5f013d

SHA512
80a93ae1ffc67593faa28c8043135d92b6cc4bddc830a285c2e176c09450b391b4189e9bb060fb93002c236e69f4c48a247946b8169bb97c6b3f42ee07e45d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\progressbar_background.png

Filesize
283B

MD5
04dca3926efaa3851fd98aecb4315ef8

SHA1
8d431629c573a370df73741ad010463af635b8bd

SHA256
648c2e85e064672bb47b3750215470e1b7ea3e4217f777c6faa35446d449b4cf

SHA512
a54930c6a019236eb2ef3b38fe214f5a57645ca58c5896dd702256254279842413c9f4c7e8d60418f270a94f80ca7246a5d3a433503048ebd07ef7d5ddd774c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0K3SG.tmp\progressbar_foreground.png

Filesize
286B

MD5
2205f8b79ffdd37af080e444c424e513

SHA1
95294bf76c00cf8677119a204046182887c0ec8d

SHA256
d2ce48f668bfeee1500c9aaafba2cfbc8ee7c3c34ec2afec3140aa1d5ff22b57

SHA512
1be8de0c734e96bd81664b74c40cc1e174c9cad93ed3a6af403be3f32c227faeaee02398108e3a87a7a56cbfac963f996de2bc9495024f47715ecc3dbeca7c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OBT09.tmp\aicoin-latestx64.tmp

Filesize
2.9MB

MD5
31b29a985a7707be48569762d4dbee24

SHA1
0527b91be37a258bded61820fcbcd2636ea07702

SHA256
ac7c3ff21ebbc2f4543c3d6770e84c14da42a457ee455dd982902fcf38dacae4

SHA512
79a7a76ed7687ea48f431a71e6c111e8b80b5726fc24b89ab8df5e6833b4bf8267af5f2a2fe17f0f67e8d2e42ffd1a1e39afa2285eafbb7fbb3bd93884ad057e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\0b3cd7e8-bf5d-426e-9ca4-d5ba7e7b4e56.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\Crashpad\metadata

Filesize
114B

MD5
49ab4d4d329ee5d4f9ddbd7b767fbc36

SHA1
68d6921162378665927133e13ea741b711e37fda

SHA256
547edf9b9ef9cb1454a146613f2afbbb83af66f703592d1d0c4140c72b4c7d2f

SHA512
548a4f2a48fe2f05d3545c6fe3969381b781df8e7ea7ae53f5d802f6cc4fe6ded59a7b5f8cdf0521848338a9dd50f03c737261b4fb29f511f3becfa08aa6e8b8

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\Crashpad\metadata

Filesize
114B

MD5
2c267322504e24a5da8d5aa0ae97ced0

SHA1
bdb4eca9361c83953aefd99ccbd043e8e95ac0e8

SHA256
4c07d5b0206b690043302bc3b1d1d25b02acadc9fde4d1881c4c9e07c59fcbca

SHA512
641d55cc5f4b7fad9390ff68ac112539a08592fd5b856d04fe0cb69fc939c771f92b330276c7ce97139202ee01128fd88918c17b403447dc9f3c515fc2145d6a

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\Crashpad\reports\9f73ecc0-7749-4261-8f22-b39e7b3d91ac.dmp

Filesize
356KB

MD5
974fafa2ce103e9502106380432136db

SHA1
afc32f1af8222508964692e3e2d9c9c370bd4081

SHA256
36a021eadcbf43c463a3d31b7c17d2651b77e050d80ed616c131e3089152ef0a

SHA512
c03fba1302a50f944fe0de1be11b5919d6110721ff5361b6debd1fa35c7c1d3e8cd6485ee66806cf308709a2b35ff6364e64415cb6bd04cdffffc20a68eaf1e7

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\Crashpad\reports\e4882348-0d42-4dbf-844a-8b92dc30a0b6.dmp

Filesize
207KB

MD5
2be235ece4c06e543b307201e12e58f5

SHA1
cc28a94199b68dd0c4b03940d1715528a91f1358

SHA256
c3627911cfeab473751a10f63024abd8ab91ea77f773036a882ce9d341adc489

SHA512
c064d3d1bf93962fcceeaea8b90d24fc69c3ba8a7b4ab7e3ed52521ec4e7c524543ebef04e265fb8d24dac7013f26393ec6173825f2c0a731130495b29c2ddd6

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\Crashpad\settings.dat

Filesize
40B

MD5
bd2fa8774411870376834f2df0721a3f

SHA1
dea4fca6919bb3c56f941e50400a99ec8210ecad

SHA256
2d61a24c12e0643129717993e20984326c7c35822f67ce14b05e7be9eaf3f10f

SHA512
c80d734a4d3669155d0e95b395298326a0e0f6aed2ec3bfa826ec8c6e22401863b0ff6f2c265fb5f04a2d2e016e8d37fd89d6923d059dc9c605cf7fa1c1e458f

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\Network\Network Persistent State

Filesize
1024B

MD5
81dbb3fc064c475355c7134b7d2ddd07

SHA1
880af1689a13e109501f4ac237f81322dae94a7d

SHA256
59f70644bcf9c7b8a04f3a5797662058153373b627520035e48bc1e1122e1c92

SHA512
338808f2425c8ff26dc5291d5481c2731f86f7977a3445a95ebc6c7f8b5af5eb785e69326fb348f888d5068dc5571783e55cfab11c918e552e6afb128e10e122

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\Network\Network Persistent State~RFe59dda4.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\common.db

Filesize
52KB

MD5
521df5bb5591701e6ad3afbe23724608

SHA1
92d7b6e466b17b363f043f99e8f754a24a251bf9

SHA256
11571a9f380b6e5e6d62db1d6239b1819622804a904e7a5be322981df98a3faf

SHA512
29af76941d7098ed161704ed4cea62fcfb3426f2c9d1f0744ad5d1c8376039a651cea9ed058a9e7dad71b49d6cdc4b94f1e585665a0ab32b4f727d20239e9b58

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\sentry\queue\queue.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\sentry\scope_v2.json

Filesize
5KB

MD5
441ef13ff884c38166143a8b90e6dd70

SHA1
117f502fe3b1edfd6e0b650c37830cc75cd1234c

SHA256
cd21b35440b928c5f9678a5f792d975062d82fefb21d3599f626f01094aec9ac

SHA512
6f3323a0c0889a7e23f591b70a3939a18f48c186593466d52b5ec67df0236642e58ee61a6050e5969a98aa04d443dd265cc83dff6570a9a3b5a369423ee9a838

Download Submit
C:\Users\Admin\AppData\Roaming\aicoin\sentry\scope_v2.json

Filesize
6KB

MD5
a3fa3d3beddd84890735532b81730cd1

SHA1
65482633fade46f48e47fb568375be07e5a1a0af

SHA256
2102aa7aefc36f092b482f781ba45bc3c3b2ceefe5b1389d35b61dea7fc5bed6

SHA512
86814cd118fd0d511282a3682dfe983e1dfccfba2fdea4cb39a9571347b2d13d4c4f4f1ab7d9e5990e17af2dba2cb319c0842e10466eaa0168896df0a7410ee6

Download Submit
memory/208-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/208-129-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/208-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/208-395-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2304-405-0x0000000003640000-0x0000000003A5A000-memory.dmp

Filesize
4.1MB

Download
memory/2304-404-0x0000000003640000-0x0000000003A5A000-memory.dmp

Filesize
4.1MB

Download
memory/2304-389-0x0000000002220000-0x000000000278A000-memory.dmp

Filesize
5.4MB

Download
memory/2304-495-0x0000000002220000-0x000000000278A000-memory.dmp

Filesize
5.4MB

Download
memory/2304-726-0x0000000002220000-0x000000000278A000-memory.dmp

Filesize
5.4MB

Download
memory/2304-403-0x0000000003640000-0x0000000003A5A000-memory.dmp

Filesize
4.1MB

Download
memory/2304-408-0x0000000003640000-0x0000000003A5A000-memory.dmp

Filesize
4.1MB

Download
memory/2304-406-0x0000000003640000-0x0000000003A5A000-memory.dmp

Filesize
4.1MB

Download
memory/2304-409-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2304-420-0x0000000003640000-0x0000000003A5A000-memory.dmp

Filesize
4.1MB

Download
memory/2304-417-0x0000000003640000-0x0000000003A5A000-memory.dmp

Filesize
4.1MB

Download
memory/2304-407-0x0000000003640000-0x0000000003A5A000-memory.dmp

Filesize
4.1MB

Download
memory/3484-131-0x00000000034E0000-0x00000000034EF000-memory.dmp

Filesize
60KB

Download
memory/3484-348-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/3484-140-0x00000000037A0000-0x00000000037B5000-memory.dmp

Filesize
84KB

Download
memory/3484-67-0x00000000037A0000-0x00000000037B5000-memory.dmp

Filesize
84KB

Download
memory/3484-161-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/3484-139-0x00000000034E0000-0x00000000034EF000-memory.dmp

Filesize
60KB

Download
memory/3484-132-0x00000000037A0000-0x00000000037B5000-memory.dmp

Filesize
84KB

Download
memory/3484-130-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/3484-58-0x00000000034E0000-0x00000000034EF000-memory.dmp

Filesize
60KB

Download
memory/3484-6-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/3484-392-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download