Analysis Overview
SHA256
b3688db852d9a57834ef758cd54a9507fad2de1854a2faed23bda53411000383
Threat Level: Likely malicious
The file MAGIX VEGAS Pro v22.0 patch.exe was found to be: Likely malicious.
Malicious Activity Summary
Detected Nirsoft tools
Event Triggered Execution: Image File Execution Options Injection
Executes dropped EXE
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 08:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 08:30
Reported
2024-11-13 08:30
Platform
win7-20240903-en
Max time kernel
13s
Max time network
14s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable = "1" | C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe | N/A |
Loads dropped DLL
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\VEGAS\VEGAS Pro 22.0\vegas220.exe.local | C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| File created | C:\Program Files\VEGAS\VEGAS Pro 22.0\Protein\is-VT7VH.tmp | C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| File created | C:\Program Files\VEGAS\VEGAS Pro 22.0\vegas220.exe.local\is-UECDC.tmp | C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| File opened for modification | C:\Program Files\VEGAS\VEGAS Pro 22.0\Protein\Protein_x64.4.2.dll | C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| File opened for modification | C:\Program Files\VEGAS\VEGAS Pro 22.0\vegas220.exe.local\wintrust.dll | C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe
"C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe"
C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp" /SL5="$400F8,4046882,1178624,C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.cmd""
C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "Serial" "string" "P3-64979-27462-07906-32757-21318-38872"
C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "NumberOfStarts" "0"
C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "DontShowNagBox" "1"
C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "IsRegisteredUser" "1"
C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "UserEMail" "uBusHTShXjdIakxgck01PRO5nuh8YfF4BDS17GWS/So3BnxxO66uwQ3meU0PEMwM"
C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "Serial" "string" "P3-77020-98979-63411-51090-66867-08191"
C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "NumberOfStarts" "0"
C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "DontShowNagBox" "1"
C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "IsRegisteredUser" "1"
C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "UserEMail" "uBusHTShXjdIakxgck01PRO5nuh8YfF4BDS17GWS/So3BnxxO66uwQ3meU0PEMwM"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
\Users\Admin\AppData\Local\Temp\is-7727U.tmp\MAGIX VEGAS Pro v22.0 patch.tmp
| Hash | Value |
|---|---|
| MD5 | cd0e5319f235a458802e284c1d7fb7c7 |
| SHA1 | 716d6347b01df04b96c32db414361ae828dec3d9 |
| SHA256 | 7a8924b753dbbd168b822d7c483f0150697c6bb31d19cfd1fd872f1090254fcf |
| SHA512 | 5d3873d79783e7f123f618e41087c59b59ac4e5e932057bc649415d34b4465b29ba84d6390ca2cbea9de2a33f5b7f60300fd722e5ca78d0a9b8d83a804a68406 |
\Users\Admin\AppData\Local\Temp\is-844P7.tmp\_isetup\_iscrypt.dll
| Hash | Value |
|---|---|
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.cmd
| Hash | Value |
|---|---|
| MD5 | 14d3f2a3efbfe535fa0958da17d565fa |
| SHA1 | 958c79de8f3dc821d4c9c89e1f3b92bc7c48637a |
| SHA256 | 915357dfb71b907b64b18a198160e8962ffaaed4d5278d5ac4ee0208b6f089c0 |
| SHA512 | 79ae0e1c73558546d7f61ae5ff0576ddb303e15f3a2be549a0bf32b54f0336bb20357203796341646a53b6c8a6449ccbd9c63174db16b5310ebdbe976aadae75 |
\Users\Admin\AppData\Local\Temp\is-844P7.tmp\nircmd.exe
| Hash | Value |
|---|---|
| MD5 | b417238213efb0d2a23562674406cdf9 |
| SHA1 | 04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8 |
| SHA256 | 5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333 |
| SHA512 | 881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 08:30
Reported
2024-11-13 08:33
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable = "1" | C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\VEGAS\VEGAS Pro 22.0\Protein\Protein_x64.4.2.dll | C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| File opened for modification | C:\Program Files\VEGAS\VEGAS Pro 22.0\vegas220.exe.local\wintrust.dll | C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| File opened for modification | C:\Program Files\VEGAS\VEGAS Pro 22.0\vegas220.exe.local | C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| File created | C:\Program Files\VEGAS\VEGAS Pro 22.0\Protein\is-9DEDI.tmp | C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| File created | C:\Program Files\VEGAS\VEGAS Pro 22.0\vegas220.exe.local\is-N12OI.tmp | C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe
"C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe"
C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp" /SL5="$701DC,4046882,1178624,C:\Users\Admin\AppData\Local\Temp\MAGIX VEGAS Pro v22.0 patch.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.cmd""
C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "Serial" "string" "P3-64979-27462-07906-32757-21318-38872"
C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "NumberOfStarts" "0"
C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "DontShowNagBox" "1"
C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "IsRegisteredUser" "1"
C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\VEGAS_Pro_22\installation.ini" "VersionUnlock" "UserEMail" "uBusHTShXjdIakxgck01PRO5nuh8YfF4BDS17GWS/So3BnxxO66uwQ3meU0PEMwM"
C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "Serial" "string" "P3-77020-98979-63411-51090-66867-08191"
C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "NumberOfStarts" "0"
C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "DontShowNagBox" "1"
C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "IsRegisteredUser" "1"
C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe
nircmd inisetval "c:\ProgramData\VEGAS\DVD_Architect_Pro_7\installation.ini" "VersionUnlock" "UserEMail" "uBusHTShXjdIakxgck01PRO5nuh8YfF4BDS17GWS/So3BnxxO66uwQ3meU0PEMwM"
Network
Files
C:\Users\Admin\AppData\Local\Temp\is-9B2HL.tmp\MAGIX VEGAS Pro v22.0 patch.tmp
| Hash | Value |
|---|---|
| MD5 | cd0e5319f235a458802e284c1d7fb7c7 |
| SHA1 | 716d6347b01df04b96c32db414361ae828dec3d9 |
| SHA256 | 7a8924b753dbbd168b822d7c483f0150697c6bb31d19cfd1fd872f1090254fcf |
| SHA512 | 5d3873d79783e7f123f618e41087c59b59ac4e5e932057bc649415d34b4465b29ba84d6390ca2cbea9de2a33f5b7f60300fd722e5ca78d0a9b8d83a804a68406 |
C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\_isetup\_iscrypt.dll
| Hash | Value |
|---|---|
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.cmd
| Hash | Value |
|---|---|
| MD5 | 14d3f2a3efbfe535fa0958da17d565fa |
| SHA1 | 958c79de8f3dc821d4c9c89e1f3b92bc7c48637a |
| SHA256 | 915357dfb71b907b64b18a198160e8962ffaaed4d5278d5ac4ee0208b6f089c0 |
| SHA512 | 79ae0e1c73558546d7f61ae5ff0576ddb303e15f3a2be549a0bf32b54f0336bb20357203796341646a53b6c8a6449ccbd9c63174db16b5310ebdbe976aadae75 |
C:\Users\Admin\AppData\Local\Temp\is-BHJ8K.tmp\nircmd.exe
| Hash | Value |
|---|---|
| MD5 | b417238213efb0d2a23562674406cdf9 |
| SHA1 | 04bf7acc7d0aa74fa750f7c32fdebbbe1daf46f8 |
| SHA256 | 5bfa034f7555a38e64c078af71b4ff8c49511579fa826a87661940b7e9a6e333 |
| SHA512 | 881b420af6e7104ac1f2edf03fc905f30af8ee264d8279f7eeb18e6178e210e063ac3c3d9a47f0c7c36ad04b51773e28595f965b037b0a0305d6c9fdf18e96a3 |