Analysis Overview
SHA256
ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a
Threat Level: Known bad
The file 4247605d401ed13d7584377852052793.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Manipulates Digital Signatures
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
UPX packed file
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Checks SCSI registry key(s)
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-17 08:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-17 08:07
Reported
2024-10-17 08:09
Platform
win7-20241010-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2176 created 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Power-user Premium\Power-user.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{8D8421FD-8AAB-4F64-8F15-315DADB617C0}\Power-user.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Power-user Premium\Power-user.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Power-user Premium\Power-user.exe | C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Power-user Premium\Power-user.exe | C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Power-user Premium\Power-user.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\{8D8421FD-8AAB-4F64-8F15-315DADB617C0}\Power-user.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | "C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe" |
| C:\Users\Admin\AppData\Local\Temp\7z.exe | "C:\Users\Admin\AppData\Local\Temp\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\files925.zip" -o"C:\Users\Admin\AppData\Local\Temp\extracted" -y |
| C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe |
| C:\Program Files (x86)\Power-user Premium\Power-user.exe | "C:\Program Files (x86)\Power-user Premium\Power-user.exe" |
| C:\Users\Admin\AppData\Local\Temp\{8D8421FD-8AAB-4F64-8F15-315DADB617C0}\Power-user.exe | C:\Users\Admin\AppData\Local\Temp\{8D8421FD-8AAB-4F64-8F15-315DADB617C0}\Power-user.exe /q"C:\Program Files (x86)\Power-user Premium\Power-user.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{8D8421FD-8AAB-4F64-8F15-315DADB617C0}" /IS_temp |
| C:\Windows\SysWOW64\MSIEXEC.EXE | "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{185BCD0E-D99A-4C1A-A8D4-2081A969948F}\Power-user.msi" SETUPEXEDIR="C:\Program Files (x86)\Power-user Premium" SETUPEXENAME="Power-user.exe" |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 7DF147D9E91771220F29DFDB818C0E81 C |
| C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | "C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe" |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | filecloudvv235.life | udp |
| US | 104.21.54.168:443 | filecloudvv235.life | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsy4A2B.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
\Users\Admin\AppData\Local\Temp\nsy4A2B.tmp\nsExec.dll
| MD5 | 2746f5b49ef1a2d17a1d4a290dc45615 |
| SHA1 | 26e98eea903b5f34812885ec289e82bcdaeaac07 |
| SHA256 | 24f6dec8eb5097fef8e6e2acdbf85fcb510f64daee5818572223b3a6a8849ebd |
| SHA512 | 2befe9ad0400c160c14ccae66932473930108624e167e53662d55f0c85a44c4e43a8213c2d9554375afc0e0d6a1c47590b8eacb944ca401c217d07bf304c44c3 |
\Users\Admin\AppData\Local\Temp\7z.exe
| MD5 | 0b24892597dcb0257cdb78b5ed165218 |
| SHA1 | 5fe5d446406ff1e34d2fe3ee347769941636e323 |
| SHA256 | 707f415d7d581edd9bce99a0429ad4629d3be0316c329e8b9ebd576f7ab50b71 |
| SHA512 | 24ea9e0f10a283e67850070976c81ae4b2d4d9bb92c6eb41b2557ad3ae02990287531a619cf57cd257011c6770d4c25dd19c3c0e46447eb4d0984d50d869e56f |
C:\Users\Admin\AppData\Local\Temp\7z.dll
| MD5 | 1143c4905bba16d8cc02c6ba8f37f365 |
| SHA1 | db38ac221275acd087cf87ebad393ef7f6e04656 |
| SHA256 | e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812 |
| SHA512 | b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894 |
C:\Users\Admin\AppData\Local\Temp\files925.zip
| MD5 | ea79b672e19fb5eecf77291b0a3014fe |
| SHA1 | 5e90a7e7e7d53c408352390cef6870ddfdd2acae |
| SHA256 | 9c85f8b7740238e3253e1585eb6d5622bd648582a8f50ab9df62df3229b516f9 |
| SHA512 | c3588b1b0c37df4adaa4c0cad0dbd46d621499cb7e2958e303b905b6bea7e937254a295ace7a6bb027426f117672c89b94d80e6d4dd51fe599c425da9a1d359e |
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
| MD5 | a0fab21c52fb92a79bc492d2eb91d1d6 |
| SHA1 | 03d14da347c554669916d60e24bee1b540c2822e |
| SHA256 | e10f9d22cdbc39874ce875fd8031c3db26f58daf20ee8ae6a82de9ed2dfc7863 |
| SHA512 | e37d3d09eef103bfe043c74921296c0b8195a3e43a3801340a9953f44f512e81acbc2051f0305a3a3f41bb98cd4587bb65c3b3a96d702b048199d24a120b446e |
memory/3068-44-0x0000000000F30000-0x00000000018B7000-memory.dmp
memory/2256-43-0x0000000008570000-0x0000000008EF7000-memory.dmp
\Program Files (x86)\Power-user Premium\Power-user.exe
| MD5 | c95da98a5c79298bdde4c4a6f41405c5 |
| SHA1 | 73492ba3c4c3f006b6578a54749cd4d41df24cc8 |
| SHA256 | 85d354cca17e45ede494c3d67cf83a74413290063ef3b6d1d41417fcc4565cb8 |
| SHA512 | fc09153cc637cc60336c49b91ab094887abcb390242ce79581c53fcba62e04699c049164c32f2c6c7da2e4d655e7b44b3f8e1149bd223f9d2c8475aeb1f767ee |
C:\Users\Admin\AppData\Local\Temp\{8D8421FD-8AAB-4F64-8F15-315DADB617C0}\_ISMSIDEL.INI
| MD5 | ea52bf41c39233608a1fbfe784fa1e6e |
| SHA1 | 4a5fa45cbd33ea7f8a7e4f448eaaf494c1000a04 |
| SHA256 | c5ece4f186494f8d18cc4b41f95ef0e9299489c5c4a58fa06eafea9adeead5e9 |
| SHA512 | a7d7fea0f34d6df77667ba0ec2a0a3ba3484a697c6fd1832b88125b10cb097276afb65faedf6b143797d946fade7ee444977a9b2ea98f5f9ef173b5749a50838 |
C:\Users\Admin\AppData\Local\Temp\{8D8421FD-8AAB-4F64-8F15-315DADB617C0}\Setup.INI
| MD5 | 0cc03f97e3ab616b381d0065bec36ec6 |
| SHA1 | 135e8779fefdf224e5fa53badb92dc7934b6acc0 |
| SHA256 | 3a621c0c881ed396e2024665b1870db56ac51d08bb2ae657063f27b94ec4a2b7 |
| SHA512 | 7632806203619686cd748d2e95a4cf2b8bfbdaaaed6a83d4298e9ffa46dd0897914a3d5d294deff33715588508adecfafd86fc7e962e2b9cf09724c2f6c1e2b4 |
C:\Users\Admin\AppData\Local\Temp\{8D8421FD-8AAB-4F64-8F15-315DADB617C0}\0x0409.ini
| MD5 | a108f0030a2cda00405281014f897241 |
| SHA1 | d112325fa45664272b08ef5e8ff8c85382ebb991 |
| SHA256 | 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948 |
| SHA512 | d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298 |
C:\Users\Admin\AppData\Local\Downloaded Installations\{185BCD0E-D99A-4C1A-A8D4-2081A969948F}\Power-user.msi
| MD5 | 2f2e55b11f9543755eab88de9bb1b28d |
| SHA1 | 8c53204d31b6ea02a9de45ad3be0362bc3c77b7e |
| SHA256 | 42af06ffe3ee4176225fce585074201fbdeb20f8e095ff61a4bef1566c3d0ae9 |
| SHA512 | cad45e7b6108bd55754c4a103145ef6ba5cf86dde268f4c3a7ba60886e7f5743da98472613c61a76a8f4e782ad3afe259589917f30a547142c37d6f73ee3b5ef |
memory/3068-113-0x0000000000F30000-0x00000000018B7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSI896B.tmp
| MD5 | 1780f8e73ba9c7c976938655ca67ede1 |
| SHA1 | 52ea389894f1444e58bba86984c5697a592a6365 |
| SHA256 | 11bb6cd0d701907188dae252c419beca95c1f5ae15b1b4d36e265eec94c69b28 |
| SHA512 | d9dfe7b919c22f8e3882459a722162a0c021b3991eaf304cd56be80e2da56880dfaae589d051aaa4ce559859729be0a333cac2bd1178164ff0c0e1da97000cd5 |
memory/2296-120-0x00000000002B0000-0x00000000002B2000-memory.dmp
memory/3068-133-0x0000000002CC0000-0x0000000003647000-memory.dmp
memory/3068-131-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/3068-124-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/3068-123-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/3068-122-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/2176-135-0x00000000001D0000-0x000000000024E000-memory.dmp
memory/3068-121-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/2176-129-0x00000000001D0000-0x000000000024E000-memory.dmp
memory/2176-128-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2176-126-0x00000000001D0000-0x000000000024E000-memory.dmp
memory/3068-130-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/2176-136-0x0000000003EB0000-0x00000000042B0000-memory.dmp
memory/2176-140-0x00000000752D0000-0x0000000075317000-memory.dmp
memory/612-141-0x0000000000080000-0x0000000000089000-memory.dmp
memory/2176-138-0x0000000077210000-0x00000000773B9000-memory.dmp
memory/2176-137-0x0000000003EB0000-0x00000000042B0000-memory.dmp
memory/612-143-0x0000000001BD0000-0x0000000001FD0000-memory.dmp
memory/612-146-0x00000000752D0000-0x0000000075317000-memory.dmp
memory/612-144-0x0000000077210000-0x00000000773B9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{8D8421FD-8AAB-4F64-8F15-315DADB617C0}\_ISMSIDEL.INI
| MD5 | db9af7503f195df96593ac42d5519075 |
| SHA1 | 1b487531bad10f77750b8a50aca48593379e5f56 |
| SHA256 | 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13 |
| SHA512 | 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b |
memory/3068-174-0x0000000002CC0000-0x0000000003647000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-17 08:07
Reported
2024-10-17 08:09
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4448 created 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | C:\Windows\system32\sihost.exe |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F35FD2B58CEAAC0D48B00914094C5D6C3E3E2164\Blob = (binary value omitted) | C:\Windows\SysWOW64\certutil.exe | N/A |
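Of the four rows above, only the last one changes a trust decision: certutil.exe wrote a certificate Blob into the current user's TrustedPublisher store under the key named by its SHA-1 thumbprint (F35FD2B58CEAAC0D48B00914094C5D6C3E3E2164), which is what makes code signed by that certificate silently trusted for that user. The three OID rows are the friendly-name registrations certutil.exe performs whenever it runs and carry no trust change on their own. The script below is an added example, not from the report or from Microsoft: it classifies registry indicators of this shape by store and scope, and recovers the certificate from a Blob value so the thumbprint can be cross-checked against the key name. Assumed here: the key layout ...\SystemCertificates\<store>\Certificates\<SHA-1 thumbprint>\Blob, and the CryptoAPI serialized-property layout of the Blob value as a sequence of <DWORD property id><DWORD reserved><DWORD length><length bytes> records, in which property 32 (CERT_CERT_PROP_ID) holds the DER certificate and property 3 (CERT_SHA1_HASH_PROP_ID) its thumbprint. The Blob used as input is constructed around a placeholder payload because the report's own value is not reproduced on the page.

```python
"""Triage of registry writes into Windows certificate stores.

Added example, not from the report.  Assumes the SystemCertificates key
layout and the serialized Blob layout described in the lead-in.
"""
import hashlib
import re
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32

STORE_RE = re.compile(
    r"\\SystemCertificates\\(?P<store>[^\\]+)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})\\Blob",
    re.IGNORECASE)
OID_RE = re.compile(r"\\Cryptography\\OID\\EncodingType \d+\\CryptDllFindOIDInfo\\", re.IGNORECASE)

# Stores whose contents change what the machine (or user) trusts.
TRUST_STORES = {"root": "root CA", "authroot": "root CA", "ca": "intermediate CA",
                "trustedpublisher": "code-signing publisher"}


def classify_registry_write(path: str, process: str) -> dict:
    """Label an indicator as a trust-store write, certutil OID noise, or other."""
    m = STORE_RE.search(path)
    if m:
        store = m.group("store")
        scope = "user" if path.upper().startswith("\\REGISTRY\\USER\\") else "machine"
        impact = TRUST_STORES.get(store.lower())
        return {"kind": "cert_store_write", "scope": scope, "store": store,
                "thumbprint": m.group("thumb").upper(), "process": process,
                "severity": "high" if impact else "low", "impact": impact or "none"}
    if OID_RE.search(path):
        # certutil.exe registers OID friendly names on start-up; no trust change by itself.
        return {"kind": "oid_registration", "severity": "info", "process": process}
    return {"kind": "other", "severity": "info", "process": process}


def parse_cert_blob(blob: bytes) -> dict:
    """Split a serialized certificate Blob into {property id: bytes}."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"record at offset {off - 12} runs past end of blob")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last record")
    return props


def recover_certificate(blob: bytes):
    """Return (DER bytes, SHA-1 thumbprint); verify the stored hash property if present."""
    props = parse_cert_blob(blob)
    der = props[CERT_CERT_PROP_ID]
    thumb = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    if stored is not None and stored.hex().upper() != thumb:
        raise ValueError("stored SHA-1 property does not match the certificate")
    return der, thumb


def thumbprint_matches_key(key_path: str, blob: bytes) -> bool:
    """The key name is the thumbprint; a mismatch means key and value disagree."""
    m = STORE_RE.search(key_path)
    return bool(m) and recover_certificate(blob)[1] == m.group("thumb").upper()


# Registry indicators copied from the report's 'Manipulates Digital Signatures' table.
REPORT_ROWS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name",
     r"C:\Windows\SysWOW64\certutil.exe"),
    (r"\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F35FD2B58CEAAC0D48B00914094C5D6C3E3E2164\Blob",
     r"C:\Windows\SysWOW64\certutil.exe"),
]

# Constructed Blob: FAKE_DER is a placeholder payload, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(32))


def _record(prop_id: int, data: bytes) -> bytes:
    return struct.pack("<III", prop_id, 1, len(data)) + data


SAMPLE_BLOB = (_record(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest())
               + _record(CERT_CERT_PROP_ID, FAKE_DER))

if __name__ == "__main__":
    for path, proc in REPORT_ROWS:
        print(classify_registry_write(path, proc))
    print("recovered thumbprint:", recover_certificate(SAMPLE_BLOB)[1])
```

On a live host the same Blob is read from HKCU\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\<thumbprint>; the DER recovered from property 32 can be handed to any X.509 parser to see which publisher name the sample wanted trusted, and a thumbprint that does not match the key name is worth a second look by itself.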
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Power-user Premium\Power-user.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\Power-user.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Power-user Premium\Power-user.exe | C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Power-user Premium\Power-user.exe | C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e584870.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4A44.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58486e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e58486e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{5DB13158-EC76-489E-B122-1AE35DB2CA74} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4958.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\Power-user.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Power-user Premium\Power-user.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe
"C:\Users\Admin\AppData\Local\Temp\4247605d401ed13d7584377852052793.exe"
C:\Users\Admin\AppData\Local\Temp\7z.exe
"C:\Users\Admin\AppData\Local\Temp\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\files925.zip" -o"C:\Users\Admin\AppData\Local\Temp\extracted" -y
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
C:\Program Files (x86)\Power-user Premium\Power-user.exe
"C:\Program Files (x86)\Power-user Premium\Power-user.exe"
C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\Power-user.exe
C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\Power-user.exe /q"C:\Program Files (x86)\Power-user Premium\Power-user.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}" /IS_temp
C:\Windows\SysWOW64\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{185BCD0E-D99A-4C1A-A8D4-2081A969948F}\Power-user.msi" SETUPEXEDIR="C:\Program Files (x86)\Power-user Premium" SETUPEXENAME="Power-user.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 73E6A50220E77FE9A74BB1C7EAB26A78 C
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
"C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe"
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 488
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8104AA22234C309DAF5ABCD14E2B0A20
C:\Windows\SysWOW64\certutil.exe
"C:\Windows\System32\certutil.exe" -addstore -user TrustedPublisher "C:\Users\Admin\AppData\Local\Power-user\power_user.cer"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | filecloudvv235.life | udp |
| US | 172.67.140.173:443 | filecloudvv235.life | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.140.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.205.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsvAEDE.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\nsvAEDE.tmp\nsExec.dll
| MD5 | 2746f5b49ef1a2d17a1d4a290dc45615 |
| SHA1 | 26e98eea903b5f34812885ec289e82bcdaeaac07 |
| SHA256 | 24f6dec8eb5097fef8e6e2acdbf85fcb510f64daee5818572223b3a6a8849ebd |
| SHA512 | 2befe9ad0400c160c14ccae66932473930108624e167e53662d55f0c85a44c4e43a8213c2d9554375afc0e0d6a1c47590b8eacb944ca401c217d07bf304c44c3 |
C:\Users\Admin\AppData\Local\Temp\7z.exe
| MD5 | 0b24892597dcb0257cdb78b5ed165218 |
| SHA1 | 5fe5d446406ff1e34d2fe3ee347769941636e323 |
| SHA256 | 707f415d7d581edd9bce99a0429ad4629d3be0316c329e8b9ebd576f7ab50b71 |
| SHA512 | 24ea9e0f10a283e67850070976c81ae4b2d4d9bb92c6eb41b2557ad3ae02990287531a619cf57cd257011c6770d4c25dd19c3c0e46447eb4d0984d50d869e56f |
C:\Users\Admin\AppData\Local\Temp\7z.dll
| MD5 | 1143c4905bba16d8cc02c6ba8f37f365 |
| SHA1 | db38ac221275acd087cf87ebad393ef7f6e04656 |
| SHA256 | e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812 |
| SHA512 | b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894 |
C:\Users\Admin\AppData\Local\Temp\files925.zip
| MD5 | ea79b672e19fb5eecf77291b0a3014fe |
| SHA1 | 5e90a7e7e7d53c408352390cef6870ddfdd2acae |
| SHA256 | 9c85f8b7740238e3253e1585eb6d5622bd648582a8f50ab9df62df3229b516f9 |
| SHA512 | c3588b1b0c37df4adaa4c0cad0dbd46d621499cb7e2958e303b905b6bea7e937254a295ace7a6bb027426f117672c89b94d80e6d4dd51fe599c425da9a1d359e |
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
| MD5 | a0fab21c52fb92a79bc492d2eb91d1d6 |
| SHA1 | 03d14da347c554669916d60e24bee1b540c2822e |
| SHA256 | e10f9d22cdbc39874ce875fd8031c3db26f58daf20ee8ae6a82de9ed2dfc7863 |
| SHA512 | e37d3d09eef103bfe043c74921296c0b8195a3e43a3801340a9953f44f512e81acbc2051f0305a3a3f41bb98cd4587bb65c3b3a96d702b048199d24a120b446e |
memory/4304-30-0x00000000000E0000-0x0000000000A67000-memory.dmp
C:\Program Files (x86)\Power-user Premium\Power-user.exe
| MD5 | c95da98a5c79298bdde4c4a6f41405c5 |
| SHA1 | 73492ba3c4c3f006b6578a54749cd4d41df24cc8 |
| SHA256 | 85d354cca17e45ede494c3d67cf83a74413290063ef3b6d1d41417fcc4565cb8 |
| SHA512 | fc09153cc637cc60336c49b91ab094887abcb390242ce79581c53fcba62e04699c049164c32f2c6c7da2e4d655e7b44b3f8e1149bd223f9d2c8475aeb1f767ee |
C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\_ISMSIDEL.INI
| MD5 | 6d7d0b7039ed35dd064c3319121c5d30 |
| SHA1 | aaead414c59db3e26fcc35c3e6691a760d4bd383 |
| SHA256 | a168e5084baaa1e72cdb891bc851260e83a6c54493bb15d2ae1d246f9ff6e832 |
| SHA512 | b57e72c0c644628442448fb2a711c9e789fee684df9b9ffea116369bd775991d0c2fd8991425ed73535ac9e94fc78b1b45d0cc809e5fc6c97ffe37213974fccc |
C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\_ISMSIDEL.INI
| MD5 | 53f4c36ee01ea8a8be9dd6f6fcc2a84e |
| SHA1 | d98ef3c0466d5055c5e3df8e3dd3a330e03fe7b9 |
| SHA256 | f7f2366e62a18b52b384ee382a38f63df3225bbf6ce3d4ba76c26f26e3e8065e |
| SHA512 | 063c0751d4c9173e6e822c264b9e3ae6df6407b22cf36237fbcaef66731e5981843ee0e8a705200b1847770a0b8b9fc575ea0ff2caa1e1edf420fff216b90e33 |
C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\Setup.INI
| MD5 | 0cc03f97e3ab616b381d0065bec36ec6 |
| SHA1 | 135e8779fefdf224e5fa53badb92dc7934b6acc0 |
| SHA256 | 3a621c0c881ed396e2024665b1870db56ac51d08bb2ae657063f27b94ec4a2b7 |
| SHA512 | 7632806203619686cd748d2e95a4cf2b8bfbdaaaed6a83d4298e9ffa46dd0897914a3d5d294deff33715588508adecfafd86fc7e962e2b9cf09724c2f6c1e2b4 |
C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\0x0409.ini
| MD5 | a108f0030a2cda00405281014f897241 |
| SHA1 | d112325fa45664272b08ef5e8ff8c85382ebb991 |
| SHA256 | 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948 |
| SHA512 | d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298 |
C:\Users\Admin\AppData\Local\Downloaded Installations\{185BCD0E-D99A-4C1A-A8D4-2081A969948F}\Power-user.msi
| MD5 | 2f2e55b11f9543755eab88de9bb1b28d |
| SHA1 | 8c53204d31b6ea02a9de45ad3be0362bc3c77b7e |
| SHA256 | 42af06ffe3ee4176225fce585074201fbdeb20f8e095ff61a4bef1566c3d0ae9 |
| SHA512 | cad45e7b6108bd55754c4a103145ef6ba5cf86dde268f4c3a7ba60886e7f5743da98472613c61a76a8f4e782ad3afe259589917f30a547142c37d6f73ee3b5ef |
C:\Users\Admin\AppData\Local\Temp\MSIE37A.tmp
| MD5 | 1780f8e73ba9c7c976938655ca67ede1 |
| SHA1 | 52ea389894f1444e58bba86984c5697a592a6365 |
| SHA256 | 11bb6cd0d701907188dae252c419beca95c1f5ae15b1b4d36e265eec94c69b28 |
| SHA512 | d9dfe7b919c22f8e3882459a722162a0c021b3991eaf304cd56be80e2da56880dfaae589d051aaa4ce559859729be0a333cac2bd1178164ff0c0e1da97000cd5 |
memory/4304-101-0x00000000000E0000-0x0000000000A67000-memory.dmp
memory/4304-102-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/4304-104-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/4304-109-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/4304-108-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/4448-107-0x0000000001370000-0x00000000013EE000-memory.dmp
memory/4304-103-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/4304-105-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/4448-111-0x0000000001370000-0x00000000013EE000-memory.dmp
memory/4448-113-0x0000000004110000-0x0000000004510000-memory.dmp
memory/4448-114-0x0000000004110000-0x0000000004510000-memory.dmp
memory/4448-115-0x00007FFD28FF0000-0x00007FFD291E5000-memory.dmp
memory/4448-117-0x00000000756F0000-0x0000000075905000-memory.dmp
memory/3064-118-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3064-120-0x00000000021B0000-0x00000000025B0000-memory.dmp
memory/3064-121-0x00007FFD28FF0000-0x00007FFD291E5000-memory.dmp
memory/3064-123-0x00000000756F0000-0x0000000075905000-memory.dmp
C:\Windows\Installer\MSI4958.tmp
| MD5 | b7aebfb0e4e94cfa1db8343ae40c482d |
| SHA1 | 06b2cbac0dd310123b33a3bea48ca7c432870a93 |
| SHA256 | 41872842b9ac520ee003e0fa31a4671659d54e1510fcd9c568358425f4630e2b |
| SHA512 | 4352e89d9dab0f17bfac8eb3c8e1391cb0577a6167d3f5423213a1e8f0da2255981ecea24e4c5875cc6e9a446ec06dbf6fb32a2261a3322a8c76796483d5a5a8 |
\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f66e9346-2c1b-4c1d-b3af-339e5fa4e121}_OnDiskSnapshotProp
| MD5 | 0544b3c647a8abf7431a61814a5c51f1 |
| SHA1 | decce2a4cd57f68f7b728669f8fe463dd9380465 |
| SHA256 | 128dc8e9f6780fe705d4d5492af3fbaf91a3e5395232fd1c3d0754ffcf721e26 |
| SHA512 | 4b31559bc83e0db4b7ec35a0453c63ddec4b07f67b492126b01b98d730319bc9bd1b74368599f3539faa0c95ec7160dcfcef9c78bf52dd11d4059ee5e306382a |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | f195280fe7865fedadc4861c03fe65dc |
| SHA1 | 0cc71e5d07316fd9548eb82f7e32293782db7c46 |
| SHA256 | 26b762ed685b6fe0219ebfc010104d259218eff9e7b52dc04b56564fb4976ceb |
| SHA512 | 05f078f3f68af043701bfe04f150c4dfe8842961b8339626f8b48492c0994ec73a51492cc14b08604b0e90ca2be599794fbe43faaeffa2fce53ec3dd7f38b9c0 |
C:\Config.Msi\e58486f.rbs
| MD5 | 1eb3f2056f873edb4fc7b55c4baa2cf8 |
| SHA1 | 56f242f245d9a31326113735d744f0e8e0a705fc |
| SHA256 | a13662db6b859d2a6a464771cdfd4da8dfdd32bb1bdde3294ac50e64ffdf97b6 |
| SHA512 | 61448ebc952dd9210dc551d2a32b1cb307ae17c979556de3864972384b32e50ff7140ffbb00b2226fef8066323a9f8bce5a51538c714a42a4f74cee224211126 |
C:\Users\Admin\AppData\Local\Power-user\power_user.cer
| MD5 | d857b21dd3e5f5557486ea92ac5cbf7c |
| SHA1 | a413305b2d36c51687a4ad66fb72c91fe7c2bb98 |
| SHA256 | 59bd1f089730b07d8683df99ca812eb15f8188cc6d82c0eef6f6480fea7d8368 |
| SHA512 | 3b96ad68e39494f345b363bc8ea32d0c2857421d5e577dfb78d3ac2ca046eb29f168c14a5d2af9894dc1f6214add118ad1e8ba26f8991115676c89469424308b |
C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\_ISMSIDEL.INI
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\{146F569D-E3C0-47C3-A328-472C7B94DAD4}\_ISMSIDEL.INI
| MD5 | db9af7503f195df96593ac42d5519075 |
| SHA1 | 1b487531bad10f77750b8a50aca48593379e5f56 |
| SHA256 | 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13 |
| SHA512 | 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b |