Analysis Overview
SHA256
ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a
Threat Level: Known bad
The file ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Manipulates Digital Signatures
Loads dropped DLL
Executes dropped EXE
Enumerates connected drives
UPX packed file
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Enumerates physical storage devices
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-18 02:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-18 02:29
Reported
2024-10-18 02:31
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2988 created 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Power-user Premium\Power-user.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{372B1078-530E-482F-B93D-FCA4807B1634}\Power-user.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Power-user Premium\Power-user.exe | C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe | N/A |
| File created | C:\Program Files (x86)\Power-user Premium\Power-user.exe | C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Power-user Premium\Power-user.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\{372B1078-530E-482F-B93D-FCA4807B1634}\Power-user.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe
"C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe"
C:\Users\Admin\AppData\Local\Temp\7z.exe
"C:\Users\Admin\AppData\Local\Temp\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\files925.zip" -o"C:\Users\Admin\AppData\Local\Temp\extracted" -y
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
C:\Program Files (x86)\Power-user Premium\Power-user.exe
"C:\Program Files (x86)\Power-user Premium\Power-user.exe"
C:\Users\Admin\AppData\Local\Temp\{372B1078-530E-482F-B93D-FCA4807B1634}\Power-user.exe
C:\Users\Admin\AppData\Local\Temp\{372B1078-530E-482F-B93D-FCA4807B1634}\Power-user.exe /q"C:\Program Files (x86)\Power-user Premium\Power-user.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{372B1078-530E-482F-B93D-FCA4807B1634}" /IS_temp
C:\Windows\SysWOW64\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{185BCD0E-D99A-4C1A-A8D4-2081A969948F}\Power-user.msi" SETUPEXEDIR="C:\Program Files (x86)\Power-user Premium" SETUPEXENAME="Power-user.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 91FC1549DCC0C1B7B127851743CE4EB6 C
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
"C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | filecloudvv235.life | udp |
| US | 104.21.54.168:443 | filecloudvv235.life | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nst8882.tmp\INetC.dll
\Users\Admin\AppData\Local\Temp\nst8882.tmp\nsExec.dll
C:\Users\Admin\AppData\Local\Temp\7z.exe
C:\Users\Admin\AppData\Local\Temp\7z.dll
C:\Users\Admin\AppData\Local\Temp\files925.zip
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
C:\Program Files (x86)\Power-user Premium\Power-user.exe
C:\Users\Admin\AppData\Local\Temp\{372B1078-530E-482F-B93D-FCA4807B1634}\_ISMSIDEL.INI
C:\Users\Admin\AppData\Local\Temp\{372B1078-530E-482F-B93D-FCA4807B1634}\Setup.INI
C:\Users\Admin\AppData\Local\Temp\{372B1078-530E-482F-B93D-FCA4807B1634}\0x0409.ini
C:\Users\Admin\AppData\Local\Downloaded Installations\{185BCD0E-D99A-4C1A-A8D4-2081A969948F}\Power-user.msi
\Users\Admin\AppData\Local\Temp\MSIC65B.tmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-18 02:29
Reported
2024-10-18 02:31
Platform
win10v2004-20241007-en
Max time kernel
113s
Max time network
129s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1392 created 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | C:\Windows\system32\sihost.exe |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F35FD2B58CEAAC0D48B00914094C5D6C3E3E2164\Blob = (binary data omitted) | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Power-user Premium\Power-user.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\Power-user.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Power-user Premium\Power-user.exe | C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Power-user Premium\Power-user.exe | C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Installer\e582102.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e582100.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{5DB13158-EC76-489E-B122-1AE35DB2CA74} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI22E6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e582100.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2239.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\certutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Power-user Premium\Power-user.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\Power-user.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary data omitted) | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\openwith.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: 35 (raw LUID printed by the sandbox; LUID 35 is SeCreateSymbolicLinkPrivilege, which 7-Zip enables so it can extract symbolic links) | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe
"C:\Users\Admin\AppData\Local\Temp\ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a.exe"
C:\Users\Admin\AppData\Local\Temp\7z.exe
"C:\Users\Admin\AppData\Local\Temp\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\files925.zip" -o"C:\Users\Admin\AppData\Local\Temp\extracted" -y
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
C:\Program Files (x86)\Power-user Premium\Power-user.exe
"C:\Program Files (x86)\Power-user Premium\Power-user.exe"
C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\Power-user.exe
C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\Power-user.exe /q"C:\Program Files (x86)\Power-user Premium\Power-user.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}" /IS_temp
C:\Windows\SysWOW64\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{185BCD0E-D99A-4C1A-A8D4-2081A969948F}\Power-user.msi" SETUPEXEDIR="C:\Program Files (x86)\Power-user Premium" SETUPEXENAME="Power-user.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C95FDFDF6CEABFBA91F458FB272AB87E C
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
"C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe"
C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1392 -ip 1392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1392 -ip 1392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 196
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A9240E591F55C9BDC0C5BAF686D8C5EB
C:\Windows\SysWOW64\certutil.exe
"C:\Windows\System32\certutil.exe" -addstore -user TrustedPublisher "C:\Users\Admin\AppData\Local\Power-user\power_user.cer"
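The last command above adds the installer's own certificate to the current user's Trusted Publishers store, which is what the "Manipulates Digital Signatures" signature reflects; a certificate in that store is accepted as a trusted publisher for that user without a prompt (for example, scripts it signs run under an AllSigned PowerShell policy). The following is an added example for this report, not code from the sample or from the sandbox vendor: it parses `certutil -user -store TrustedPublisher` output and flags certificates whose SHA1 thumbprint is on a watch list. The watch-list entry is the SHA1 of power_user.cer from the Files section, which equals the certificate thumbprint only if that file is DER-encoded (an assumption; for a Base64 .cer, decode it and hash the DER bytes). The store listing embedded below is constructed for offline testing.

```python
"""Audit a user's TrustedPublisher store for a watch-listed certificate.

Added example, not part of the analysed sample or of any vendor tooling.
Run audit_live_store() on the affected Windows host as the user whose store
was modified; the parsing functions work on any certutil -store output.
"""
import re
import subprocess

# SHA1 of C:\Users\Admin\AppData\Local\Power-user\power_user.cer from this report.
# Equals the thumbprint only if the .cer is DER-encoded (assumption).
WATCHLIST_SHA1 = {"a413305b2d36c51687a4ad66fb72c91fe7c2bb98"}

# Constructed sample of `certutil -user -store TrustedPublisher` output with two
# certificates; the second one carries the watch-listed thumbprint. Subjects,
# serials and dates are invented for the example.
SAMPLE_STORE_OUTPUT = """\
TrustedPublisher "Trusted Publishers"
================ Certificate 0 ================
Serial Number: 01
Issuer: CN=Example Vendor Code Signing, O=Example Vendor
 NotBefore: 1/1/2023 00:00
 NotAfter: 1/1/2026 00:00
Subject: CN=Example Vendor Code Signing, O=Example Vendor
Cert Hash(sha1): 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44
================ Certificate 1 ================
Serial Number: 02
Issuer: CN=Constructed Publisher 2
 NotBefore: 10/17/2024 00:00
 NotAfter: 10/17/2034 00:00
Subject: CN=Constructed Publisher 2
Cert Hash(sha1): a413305b2d36c51687a4ad66fb72c91fe7c2bb98
CertUtil: -store command completed successfully.
"""

CERT_HEADER = re.compile(r"^=+ Certificate \d+ =+$")
FIELD = re.compile(r"^\s*(Subject|Issuer|Serial Number):\s*(.*)$")
HASH = re.compile(r"^Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)$")


def parse_certutil_store(text):
    """Parse certutil -store output into dicts with subject, issuer, serial_number, sha1."""
    certs, cur = [], None
    for line in text.splitlines():
        if CERT_HEADER.match(line.strip()):
            cur = {}
            certs.append(cur)
            continue
        if cur is None:          # banner lines before the first certificate
            continue
        m = FIELD.match(line)
        if m:
            cur[m.group(1).lower().replace(" ", "_")] = m.group(2).strip()
            continue
        m = HASH.match(line.strip())
        if m:
            # older certutil builds print the thumbprint with spaces between bytes
            cur["sha1"] = m.group(1).replace(" ", "").lower()
    return certs


def find_watchlisted(certs, watchlist=WATCHLIST_SHA1):
    """Return the certificates whose SHA1 thumbprint is on the watch list."""
    return [c for c in certs if c.get("sha1") in watchlist]


def self_signed(cert):
    """A self-issued certificate in Trusted Publishers is the pattern seen here."""
    return cert.get("subject") == cert.get("issuer")


def audit_live_store():
    """Query the current user's store on a Windows host and return the hits."""
    out = subprocess.run(
        ["certutil", "-user", "-store", "TrustedPublisher"],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_watchlisted(parse_certutil_store(out))


if __name__ == "__main__":
    for hit in find_watchlisted(parse_certutil_store(SAMPLE_STORE_OUTPUT)):
        print("watch-listed publisher:", hit["subject"], "self-signed:", self_signed(hit))
```

To remove a hit, `certutil -user -delstore TrustedPublisher <sha1>` as that user; also check the machine store (`-store` without `-user`) and other profiles on the host, since the command on this page only touched the current user's store.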
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | filecloudvv235.life | udp |
| US | 104.21.54.168:443 | filecloudvv235.life | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.54.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.197.219.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
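Most rows in the Network table are not contacts by the sample: the in-addr.arpa names are reverse lookups performed by the sandbox or OS, the 8.8.8.8:53 rows are resolution only, c.pki.goog is Google Trust Services' CRL/OCSP endpoint, and tse1.mm.bing.net is Windows background traffic. The only direct connection to a non-background host is filecloudvv235.life at 104.21.54.168:443. The following is an added example for this report, not sandbox tooling: it parses a table in this layout and separates those classes so the indicators can be exported without the noise. The rows embedded below are copied from the table above; the background-host suffix list is this example's own assumption and should be replaced by your environment's baseline.

```python
"""Extract connection IOCs from a sandbox 'Network' table, dropping noise.

Added example for this report, not vendor tooling. Filtering rules (PTR
lookups, resolver queries, known background hosts) are heuristics chosen
for the example.
"""
import re
from collections import defaultdict

# Constructed from the Network table on this page (a subset of its rows).
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | filecloudvv235.life | udp |
| US | 104.21.54.168:443 | filecloudvv235.life | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
"""

# Assumed background hosts (OS telemetry, CA revocation checks); extend from your baseline.
BACKGROUND_SUFFIXES = (".bing.net", ".pki.goog", ".microsoft.com", ".windowsupdate.com")

ROW = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<ip>[^:|]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<domain>[^|]+?)\s*\|\s*(?P<proto>\w+)\s*\|$"
)


def parse_rows(text):
    """Parse '| CC | ip:port | domain | proto |' rows; the header row does not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def classify(row):
    """Label a row as ptr-lookup, dns-query, background or contact."""
    dom = row["domain"].lower()
    if dom.endswith(".in-addr.arpa") or dom.endswith(".ip6.arpa"):
        return "ptr-lookup"      # reverse lookups by sandbox/OS, not a contact
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-query"       # resolution only; the contact is the tcp row
    if dom.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "contact"


def extract_iocs(text):
    """Return ({domain: {(ip, port, proto), ...}}, {class: count}) for the table."""
    iocs = defaultdict(set)
    counts = defaultdict(int)
    for row in parse_rows(text):
        kind = classify(row)
        counts[kind] += 1
        if kind == "contact":
            iocs[row["domain"]].add((row["ip"], row["port"], row["proto"]))
    return dict(iocs), dict(counts)


if __name__ == "__main__":
    iocs, counts = extract_iocs(SAMPLE_TABLE)
    print("row classes:", counts)
    for domain, endpoints in sorted(iocs.items()):
        for ip, port, proto in sorted(endpoints):
            print(f"{domain}\t{ip}:{port}/{proto}")
```

The dedup on (ip, port, proto) collapses repeated rows such as the five tse1.mm.bing.net connections; keep the raw counts if you need to reason about beaconing intervals, which this table does not carry.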
Files
C:\Users\Admin\AppData\Local\Temp\nss7FEF.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\nss7FEF.tmp\nsExec.dll
| MD5 | 2746f5b49ef1a2d17a1d4a290dc45615 |
| SHA1 | 26e98eea903b5f34812885ec289e82bcdaeaac07 |
| SHA256 | 24f6dec8eb5097fef8e6e2acdbf85fcb510f64daee5818572223b3a6a8849ebd |
| SHA512 | 2befe9ad0400c160c14ccae66932473930108624e167e53662d55f0c85a44c4e43a8213c2d9554375afc0e0d6a1c47590b8eacb944ca401c217d07bf304c44c3 |
C:\Users\Admin\AppData\Local\Temp\7z.exe
| MD5 | 0b24892597dcb0257cdb78b5ed165218 |
| SHA1 | 5fe5d446406ff1e34d2fe3ee347769941636e323 |
| SHA256 | 707f415d7d581edd9bce99a0429ad4629d3be0316c329e8b9ebd576f7ab50b71 |
| SHA512 | 24ea9e0f10a283e67850070976c81ae4b2d4d9bb92c6eb41b2557ad3ae02990287531a619cf57cd257011c6770d4c25dd19c3c0e46447eb4d0984d50d869e56f |
C:\Users\Admin\AppData\Local\Temp\7z.dll
| MD5 | 1143c4905bba16d8cc02c6ba8f37f365 |
| SHA1 | db38ac221275acd087cf87ebad393ef7f6e04656 |
| SHA256 | e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812 |
| SHA512 | b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894 |
C:\Users\Admin\AppData\Local\Temp\files925.zip
| MD5 | ea79b672e19fb5eecf77291b0a3014fe |
| SHA1 | 5e90a7e7e7d53c408352390cef6870ddfdd2acae |
| SHA256 | 9c85f8b7740238e3253e1585eb6d5622bd648582a8f50ab9df62df3229b516f9 |
| SHA512 | c3588b1b0c37df4adaa4c0cad0dbd46d621499cb7e2958e303b905b6bea7e937254a295ace7a6bb027426f117672c89b94d80e6d4dd51fe599c425da9a1d359e |
C:\Users\Admin\AppData\Local\Temp\extracted\s-etup.exe
| MD5 | a0fab21c52fb92a79bc492d2eb91d1d6 |
| SHA1 | 03d14da347c554669916d60e24bee1b540c2822e |
| SHA256 | e10f9d22cdbc39874ce875fd8031c3db26f58daf20ee8ae6a82de9ed2dfc7863 |
| SHA512 | e37d3d09eef103bfe043c74921296c0b8195a3e43a3801340a9953f44f512e81acbc2051f0305a3a3f41bb98cd4587bb65c3b3a96d702b048199d24a120b446e |
memory/4872-30-0x0000000000B70000-0x00000000014F7000-memory.dmp
C:\Program Files (x86)\Power-user Premium\Power-user.exe
| MD5 | c95da98a5c79298bdde4c4a6f41405c5 |
| SHA1 | 73492ba3c4c3f006b6578a54749cd4d41df24cc8 |
| SHA256 | 85d354cca17e45ede494c3d67cf83a74413290063ef3b6d1d41417fcc4565cb8 |
| SHA512 | fc09153cc637cc60336c49b91ab094887abcb390242ce79581c53fcba62e04699c049164c32f2c6c7da2e4d655e7b44b3f8e1149bd223f9d2c8475aeb1f767ee |
C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\_ISMSIDEL.INI
| MD5 | 7361deebe35b386e324f42f1cc05e272 |
| SHA1 | d3cb2ed1376a2c63cbb002270a69d8e7aae432f5 |
| SHA256 | 444421bd1fac2ff6fc92e6adc12efefc4a42bb11bad2e48273cbc946e549d64a |
| SHA512 | dd45ea40b5923cc98042c2fa9aa49dc34f33c0893062842f2d6cd10072f7456d4d0eb8f9d9fdde7c9996e1013e6b1013c892ea2e81661dc882881f299615047d |
C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\_ISMSIDEL.INI
| MD5 | 4d550dbe57355d43809f55ddd6544906 |
| SHA1 | 32c8257947ad1d8f8669cd672c88015b613578d2 |
| SHA256 | 024b3bcb11087e69d0b2126fa4c137708912de0d3cdb078298f6eb90277816ea |
| SHA512 | ec2e925ecbf72b0409eba4a8abe6d2771b97675192df0a9699b624c697684f8e1f1f96bf60cb6e59d4eb76cb23239ac32912b8ea80eb34a4fed75290a16c7229 |
C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\Setup.INI
| MD5 | 0cc03f97e3ab616b381d0065bec36ec6 |
| SHA1 | 135e8779fefdf224e5fa53badb92dc7934b6acc0 |
| SHA256 | 3a621c0c881ed396e2024665b1870db56ac51d08bb2ae657063f27b94ec4a2b7 |
| SHA512 | 7632806203619686cd748d2e95a4cf2b8bfbdaaaed6a83d4298e9ffa46dd0897914a3d5d294deff33715588508adecfafd86fc7e962e2b9cf09724c2f6c1e2b4 |
C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\0x0409.ini
| MD5 | a108f0030a2cda00405281014f897241 |
| SHA1 | d112325fa45664272b08ef5e8ff8c85382ebb991 |
| SHA256 | 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948 |
| SHA512 | d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298 |
C:\Users\Admin\AppData\Local\Downloaded Installations\{185BCD0E-D99A-4C1A-A8D4-2081A969948F}\Power-user.msi
| MD5 | 2f2e55b11f9543755eab88de9bb1b28d |
| SHA1 | 8c53204d31b6ea02a9de45ad3be0362bc3c77b7e |
| SHA256 | 42af06ffe3ee4176225fce585074201fbdeb20f8e095ff61a4bef1566c3d0ae9 |
| SHA512 | cad45e7b6108bd55754c4a103145ef6ba5cf86dde268f4c3a7ba60886e7f5743da98472613c61a76a8f4e782ad3afe259589917f30a547142c37d6f73ee3b5ef |
C:\Users\Admin\AppData\Local\Temp\MSIB46B.tmp
| MD5 | 1780f8e73ba9c7c976938655ca67ede1 |
| SHA1 | 52ea389894f1444e58bba86984c5697a592a6365 |
| SHA256 | 11bb6cd0d701907188dae252c419beca95c1f5ae15b1b4d36e265eec94c69b28 |
| SHA512 | d9dfe7b919c22f8e3882459a722162a0c021b3991eaf304cd56be80e2da56880dfaae589d051aaa4ce559859729be0a333cac2bd1178164ff0c0e1da97000cd5 |
memory/4872-101-0x0000000000B70000-0x00000000014F7000-memory.dmp
memory/4872-102-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/4872-104-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/4872-105-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/4872-109-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/4872-108-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/1392-107-0x0000000001800000-0x000000000187E000-memory.dmp
memory/4872-103-0x0000000065000000-0x00000000656EB000-memory.dmp
memory/1392-112-0x0000000001800000-0x000000000187E000-memory.dmp
memory/1392-113-0x0000000004640000-0x0000000004A40000-memory.dmp
memory/1392-114-0x0000000004640000-0x0000000004A40000-memory.dmp
memory/1392-115-0x00007FF81C330000-0x00007FF81C525000-memory.dmp
memory/1392-117-0x0000000075680000-0x0000000075895000-memory.dmp
memory/724-118-0x0000000000A90000-0x0000000000A99000-memory.dmp
memory/724-121-0x00007FF81C330000-0x00007FF81C525000-memory.dmp
memory/724-123-0x0000000075680000-0x0000000075895000-memory.dmp
memory/724-120-0x00000000027E0000-0x0000000002BE0000-memory.dmp
C:\Windows\Installer\MSI2239.tmp
| MD5 | b7aebfb0e4e94cfa1db8343ae40c482d |
| SHA1 | 06b2cbac0dd310123b33a3bea48ca7c432870a93 |
| SHA256 | 41872842b9ac520ee003e0fa31a4671659d54e1510fcd9c568358425f4630e2b |
| SHA512 | 4352e89d9dab0f17bfac8eb3c8e1391cb0577a6167d3f5423213a1e8f0da2255981ecea24e4c5875cc6e9a446ec06dbf6fb32a2261a3322a8c76796483d5a5a8 |
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ef56b60a-a1be-400e-88c5-eb9203546a01}_OnDiskSnapshotProp
| MD5 | 2ffb9ad2c28004d846ca8156fb667333 |
| SHA1 | a6a2d23c7c7f996841dd872be9ec774405f91a82 |
| SHA256 | e5ae6ea7302e74467b7e15d0660b230f18e381e632aa6559f1aeae47e734082f |
| SHA512 | 9a267ccb96d190bb8137dfa0a2bd583ad564168b56abff17e946dce5387dbdcd0313aeb7bd0aed19371bc2cb5462e8fa42bfe96ec877de89d19fc59cc68ee01e |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 5dbf4db6455a34df103e2dfd49b2e833 |
| SHA1 | 506ea79df9cbbb51be2098ee1fa821b632b52087 |
| SHA256 | b041d6132f5bbcb79f4ceea6d684603c208a3dd302131370c6c6a5ac8e21919f |
| SHA512 | 2977d89d5fccc14ff7e9f7f052e9cf7f650f154b88c348c3e6dee7ae8bd94cb94813dba363a6e2c3d3b3df981955ccb2806f6350697ddacbc0b21a3fb5502dc5 |
C:\Config.Msi\e582101.rbs
| MD5 | 236f17f481326f5b73d42615a374af01 |
| SHA1 | e32eac7eb841339de8fd0eef370f79f783ff660d |
| SHA256 | add339bca6541ad8711b6a9464cd392f17335609d74b4be98de1d88a50190ca5 |
| SHA512 | 2d317ae1dd938fd763840c34bf728f7abd8e5287e7e3610e1647cd3cc834e4dfbdc30e18dec7035f91a7cb7af8c6d723a226a64784f1afb562795af5dd8d84ba |
C:\Users\Admin\AppData\Local\Power-user\power_user.cer
| MD5 | d857b21dd3e5f5557486ea92ac5cbf7c |
| SHA1 | a413305b2d36c51687a4ad66fb72c91fe7c2bb98 |
| SHA256 | 59bd1f089730b07d8683df99ca812eb15f8188cc6d82c0eef6f6480fea7d8368 |
| SHA512 | 3b96ad68e39494f345b363bc8ea32d0c2857421d5e577dfb78d3ac2ca046eb29f168c14a5d2af9894dc1f6214add118ad1e8ba26f8991115676c89469424308b |
C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\_ISMSIDEL.INI
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\{4F1FC004-A0A5-47C2-94BB-1C4E1B7C108A}\_ISMSIDEL.INI
| MD5 | db9af7503f195df96593ac42d5519075 |
| SHA1 | 1b487531bad10f77750b8a50aca48593379e5f56 |
| SHA256 | 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13 |
| SHA512 | 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b |