amadey | bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b

Analysis

max time kernel
136s
max time network
140s
platform
windows10_x64
resource
win10-en-20211208
submitted
18-12-2021 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe
Size

787KB
MD5

a048419bbecd8baf3e9620c51a19dcb0
SHA1

468c3e429b559aebb2046a8f3367ea4e52e4d30a
SHA256

bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b
SHA512

32facaca25a760af3ecdfabf561e50f8631a079ea7411484bd7565c64ea1f0b3f87060c05ff1d8535d77b726658f62ae098d622e7318b7d76929f67cc268f7a6

Score

10^/10

amadey redline discovery evasion infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

3.01

exxxodusdomen.hk/f83jd823S/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2340-115-0x0000000000240000-0x00000000002E5000-memory.dmp	family_redline
behavioral1/memory/2340-116-0x0000000000240000-0x00000000002E5000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

am.exeet.exek.exetkools.exeservices32.exesihost32.exek.exetkools.exeet.exeservices32.exesihost32.exetkools.exe

pid	process
2836	am.exe
3988	et.exe
1316	k.exe
504	tkools.exe
1272	services32.exe
2800	sihost32.exe
644	k.exe
788	tkools.exe
2944	et.exe
908	services32.exe
2968	sihost32.exe
4016	tkools.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

k.exetkools.exek.exetkools.exeam.exetkools.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	k.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	k.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tkools.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	k.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	k.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tkools.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tkools.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	am.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	am.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tkools.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tkools.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tkools.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\am.exe	themida
C:\Users\Admin\AppData\Local\Temp\am.exe	themida
C:\Users\Admin\AppData\Local\Temp\k.exe	themida
C:\Users\Admin\AppData\Local\Temp\k.exe	themida
behavioral1/memory/1316-157-0x0000000001350000-0x0000000001351000-memory.dmp	themida
behavioral1/memory/2836-167-0x00000000010B0000-0x0000000001974000-memory.dmp	themida
behavioral1/memory/2836-170-0x00000000010B0000-0x0000000001974000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe	themida
C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe	themida
behavioral1/memory/504-202-0x0000000001310000-0x0000000001BD4000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\1000002001\k.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000002001\k.exe	themida
C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe	themida
C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tkools.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	tkools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\k.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000002001\\k.exe"	tkools.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\et.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000009001\\et.exe"	tkools.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

k.exetkools.exetkools.exeam.exek.exetkools.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	k.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tkools.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tkools.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	am.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	k.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tkools.exe

Drops file in System32 directory 5 IoCs

Processes:

et.exeservices32.exeet.exeservices32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\services32.exe	et.exe
File opened for modification	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	services32.exe
File created	C:\Windows\system32\services32.exe	et.exe
File opened for modification	C:\Windows\system32\services32.exe	et.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	services32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exeam.exek.exetkools.exek.exetkools.exetkools.exe

pid	process
2340	bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe
2836	am.exe
1316	k.exe
504	tkools.exe
644	k.exe
788	tkools.exe
4016	tkools.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4084 schtasks.exe
3848 schtasks.exe
2452 schtasks.exe

pid	process
4084	schtasks.exe
3848	schtasks.exe
2452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exeet.exepowershell.exepowershell.exeservices32.exepowershell.exepowershell.exeet.exepowershell.exepowershell.exeservices32.exepowershell.exepowershell.exe

pid	process
2340	bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe
2340	bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe
2340	bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe
3988	et.exe
644	powershell.exe
644	powershell.exe
644	powershell.exe
584	powershell.exe
584	powershell.exe
584	powershell.exe
1272	services32.exe
1272	services32.exe
3080	powershell.exe
3080	powershell.exe
3080	powershell.exe
3380	powershell.exe
3380	powershell.exe
3380	powershell.exe
2944	et.exe
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe
1344	powershell.exe
1344	powershell.exe
1344	powershell.exe
908	services32.exe
908	services32.exe
2372	powershell.exe
2372	powershell.exe
2372	powershell.exe
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

k.exe

pid process

644 k.exe

pid	process
644	k.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exeet.exepowershell.exepowershell.exeservices32.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2340	bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe
Token: SeDebugPrivilege	3988	et.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeIncreaseQuotaPrivilege	644	powershell.exe
Token: SeSecurityPrivilege	644	powershell.exe
Token: SeTakeOwnershipPrivilege	644	powershell.exe
Token: SeLoadDriverPrivilege	644	powershell.exe
Token: SeSystemProfilePrivilege	644	powershell.exe
Token: SeSystemtimePrivilege	644	powershell.exe
Token: SeProfSingleProcessPrivilege	644	powershell.exe
Token: SeIncBasePriorityPrivilege	644	powershell.exe
Token: SeCreatePagefilePrivilege	644	powershell.exe
Token: SeBackupPrivilege	644	powershell.exe
Token: SeRestorePrivilege	644	powershell.exe
Token: SeShutdownPrivilege	644	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeSystemEnvironmentPrivilege	644	powershell.exe
Token: SeRemoteShutdownPrivilege	644	powershell.exe
Token: SeUndockPrivilege	644	powershell.exe
Token: SeManageVolumePrivilege	644	powershell.exe
Token: 33	644	powershell.exe
Token: 34	644	powershell.exe
Token: 35	644	powershell.exe
Token: 36	644	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeIncreaseQuotaPrivilege	584	powershell.exe
Token: SeSecurityPrivilege	584	powershell.exe
Token: SeTakeOwnershipPrivilege	584	powershell.exe
Token: SeLoadDriverPrivilege	584	powershell.exe
Token: SeSystemProfilePrivilege	584	powershell.exe
Token: SeSystemtimePrivilege	584	powershell.exe
Token: SeProfSingleProcessPrivilege	584	powershell.exe
Token: SeIncBasePriorityPrivilege	584	powershell.exe
Token: SeCreatePagefilePrivilege	584	powershell.exe
Token: SeBackupPrivilege	584	powershell.exe
Token: SeRestorePrivilege	584	powershell.exe
Token: SeShutdownPrivilege	584	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeSystemEnvironmentPrivilege	584	powershell.exe
Token: SeRemoteShutdownPrivilege	584	powershell.exe
Token: SeUndockPrivilege	584	powershell.exe
Token: SeManageVolumePrivilege	584	powershell.exe
Token: 33	584	powershell.exe
Token: 34	584	powershell.exe
Token: 35	584	powershell.exe
Token: 36	584	powershell.exe
Token: SeDebugPrivilege	1272	services32.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeIncreaseQuotaPrivilege	3080	powershell.exe
Token: SeSecurityPrivilege	3080	powershell.exe
Token: SeTakeOwnershipPrivilege	3080	powershell.exe
Token: SeLoadDriverPrivilege	3080	powershell.exe
Token: SeSystemProfilePrivilege	3080	powershell.exe
Token: SeSystemtimePrivilege	3080	powershell.exe
Token: SeProfSingleProcessPrivilege	3080	powershell.exe
Token: SeIncBasePriorityPrivilege	3080	powershell.exe
Token: SeCreatePagefilePrivilege	3080	powershell.exe
Token: SeBackupPrivilege	3080	powershell.exe
Token: SeRestorePrivilege	3080	powershell.exe
Token: SeShutdownPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeSystemEnvironmentPrivilege	3080	powershell.exe
Token: SeRemoteShutdownPrivilege	3080	powershell.exe
Token: SeUndockPrivilege	3080	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exeet.execmd.execmd.exeam.exetkools.execmd.execmd.exeservices32.execmd.exeet.execmd.execmd.execmd.exeservices32.execmd.exe

description	pid	process	target process
PID 2340 wrote to memory of 2836	2340	bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe	am.exe
PID 2340 wrote to memory of 2836	2340	bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe	am.exe
PID 2340 wrote to memory of 2836	2340	bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe	am.exe
PID 2340 wrote to memory of 3988	2340	bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe	et.exe
PID 2340 wrote to memory of 3988	2340	bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe	et.exe
PID 2340 wrote to memory of 1316	2340	bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe	k.exe
PID 2340 wrote to memory of 1316	2340	bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe	k.exe
PID 2340 wrote to memory of 1316	2340	bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe	k.exe
PID 3988 wrote to memory of 3252	3988	et.exe	cmd.exe
PID 3988 wrote to memory of 3252	3988	et.exe	cmd.exe
PID 3252 wrote to memory of 644	3252	cmd.exe	powershell.exe
PID 3252 wrote to memory of 644	3252	cmd.exe	powershell.exe
PID 3988 wrote to memory of 860	3988	et.exe	cmd.exe
PID 3988 wrote to memory of 860	3988	et.exe	cmd.exe
PID 860 wrote to memory of 4084	860	cmd.exe	schtasks.exe
PID 860 wrote to memory of 4084	860	cmd.exe	schtasks.exe
PID 2836 wrote to memory of 504	2836	am.exe	tkools.exe
PID 2836 wrote to memory of 504	2836	am.exe	tkools.exe
PID 2836 wrote to memory of 504	2836	am.exe	tkools.exe
PID 504 wrote to memory of 2876	504	tkools.exe	cmd.exe
PID 504 wrote to memory of 2876	504	tkools.exe	cmd.exe
PID 504 wrote to memory of 2876	504	tkools.exe	cmd.exe
PID 504 wrote to memory of 3848	504	tkools.exe	schtasks.exe
PID 504 wrote to memory of 3848	504	tkools.exe	schtasks.exe
PID 504 wrote to memory of 3848	504	tkools.exe	schtasks.exe
PID 2876 wrote to memory of 1064	2876	cmd.exe	reg.exe
PID 2876 wrote to memory of 1064	2876	cmd.exe	reg.exe
PID 2876 wrote to memory of 1064	2876	cmd.exe	reg.exe
PID 3252 wrote to memory of 584	3252	cmd.exe	powershell.exe
PID 3252 wrote to memory of 584	3252	cmd.exe	powershell.exe
PID 3988 wrote to memory of 1592	3988	et.exe	cmd.exe
PID 3988 wrote to memory of 1592	3988	et.exe	cmd.exe
PID 1592 wrote to memory of 1272	1592	cmd.exe	services32.exe
PID 1592 wrote to memory of 1272	1592	cmd.exe	services32.exe
PID 1272 wrote to memory of 984	1272	services32.exe	cmd.exe
PID 1272 wrote to memory of 984	1272	services32.exe	cmd.exe
PID 984 wrote to memory of 3080	984	cmd.exe	powershell.exe
PID 984 wrote to memory of 3080	984	cmd.exe	powershell.exe
PID 1272 wrote to memory of 2800	1272	services32.exe	sihost32.exe
PID 1272 wrote to memory of 2800	1272	services32.exe	sihost32.exe
PID 984 wrote to memory of 3380	984	cmd.exe	powershell.exe
PID 984 wrote to memory of 3380	984	cmd.exe	powershell.exe
PID 504 wrote to memory of 644	504	tkools.exe	k.exe
PID 504 wrote to memory of 644	504	tkools.exe	k.exe
PID 504 wrote to memory of 644	504	tkools.exe	k.exe
PID 504 wrote to memory of 2944	504	tkools.exe	et.exe
PID 504 wrote to memory of 2944	504	tkools.exe	et.exe
PID 2944 wrote to memory of 3652	2944	et.exe	cmd.exe
PID 2944 wrote to memory of 3652	2944	et.exe	cmd.exe
PID 3652 wrote to memory of 1120	3652	cmd.exe	powershell.exe
PID 3652 wrote to memory of 1120	3652	cmd.exe	powershell.exe
PID 2944 wrote to memory of 2752	2944	et.exe	cmd.exe
PID 2944 wrote to memory of 2752	2944	et.exe	cmd.exe
PID 2752 wrote to memory of 2452	2752	cmd.exe	schtasks.exe
PID 2752 wrote to memory of 2452	2752	cmd.exe	schtasks.exe
PID 3652 wrote to memory of 1344	3652	cmd.exe	powershell.exe
PID 3652 wrote to memory of 1344	3652	cmd.exe	powershell.exe
PID 2944 wrote to memory of 3452	2944	et.exe	cmd.exe
PID 2944 wrote to memory of 3452	2944	et.exe	cmd.exe
PID 3452 wrote to memory of 908	3452	cmd.exe	services32.exe
PID 3452 wrote to memory of 908	3452	cmd.exe	services32.exe
PID 908 wrote to memory of 2276	908	services32.exe	cmd.exe
PID 908 wrote to memory of 2276	908	services32.exe	cmd.exe
PID 2276 wrote to memory of 2372	2276	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe
"C:\Users\Admin\AppData\Local\Temp\bc568026a968ebfed5e7fc53d59e57f36925ee31670480b466bdc4f9dc38c39b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\am.exe
"C:\Users\Admin\AppData\Local\Temp\am.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\91a0189a82\
4⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\91a0189a82\
5⤵
PID:1064

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe" /F
4⤵
- Creates scheduled task(s)
PID:3848

C:\Users\Admin\AppData\Local\Temp\1000002001\k.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\k.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: SetClipboardViewer
PID:644

C:\Users\Admin\AppData\Local\Temp\1000009001\et.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\et.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1344

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
6⤵
- Creates scheduled task(s)
PID:2452

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services32.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\system32\services32.exe
C:\Windows\system32\services32.exe
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3204

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
7⤵
- Executes dropped EXE
PID:2968

C:\Users\Admin\AppData\Local\Temp\et.exe
"C:\Users\Admin\AppData\Local\Temp\et.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
4⤵
- Creates scheduled task(s)
PID:4084

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services32.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\system32\services32.exe
C:\Windows\system32\services32.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3380

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
5⤵
- Executes dropped EXE
PID:2800

C:\Users\Admin\AppData\Local\Temp\k.exe
"C:\Users\Admin\AppData\Local\Temp\k.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1316

C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:788

C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\et.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services32.exe.log
MD5
1340455a637fc44dc74dcda441d71018

SHA1
84277aa9596ccaacd2b7d72a3fbcef70de91dbd3

SHA256
a3fe2fec3d432df98c211861dddffe114eae9905d7324a806e0258e11f03628e

SHA512
087cf3f690ece24bc3fdb971c372b6f86a89e90ea0c6ac1498e8ce09b6e34b0aa7557a74f753f8ea61805199e2c19497b71a93cd25b56d33ca5806c14bdecd00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
973bb7c53c57bdf354f0209d6d5e64f1

SHA1
bdc852287798f03a6cfe75a8cb93fbbf6c70ed02

SHA256
158e90e929e569152c6959d88cf91c5d9d3e636eef79dffd1a5084e1397b38fd

SHA512
beca005320adbfe1849fc76e87bb88ede1d57210e613b432a0b1911e217a88da69af68d9a9572ba7849a0be88e4ec49bb20a2fc87b77e2eee1c79964f5484198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b6f65894a8cd634594abb4f039263490

SHA1
3517613692d288c9a4918bb1f3b1d73a7fe48b40

SHA256
b43895425b42e58fc977fb963e7687c909b13825a3dbb4a5be7f449b6e9a577e

SHA512
ebd25e866192b8a7f9f9a75549ffb720dee94b7aa21b84914f250a1efcfdf45cc3ccf0836ede5fd355a0535b937b86f9e2d4be3ba8d5414a2c9495c9e4f15789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
12b841bd2ec38ed54bffb7ef77389aac

SHA1
118f89a72308f845ed4fb5ec835e7648e3b3ee21

SHA256
c7f5d30a81dcbe1f002abdd50ef5a6d34c67ca4cf47f578ce7ea1708a68aeb45

SHA512
b6d483cefad6bf9fd27d02166f98ec33871004014f8bee1d96d3f0083a25f903cf5cd938f69b10e3a14c152e3c452179f55c215b3ec8888d9701b327dd3612ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
285253c631f0d33b69956df32e68de01

SHA1
6ecf608ec06d7ba87e5ffcd55e20a604a6d1bab0

SHA256
aee16e423069d235f1ff0d6f009eb5d3224aaf8f765decfef37553913156c30f

SHA512
03702d02db924487c90babbd0924de04026cbd84a2b98b5312733db2e1fce442a6bba9766c082d2229f7eff4b1afd20ca5882263c6478c4dda5233e174b02c20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ca4633095e2a85f7670a5abc81918327

SHA1
8fdfa3b0d8df662fdb45613a6ba16b2a000692a3

SHA256
523935b4b5cf4a3e240447289c7a9a62e6f4385aa840f360b142573c2da736ca

SHA512
1d816e8ef8686b1994babbe66fd3ee84897790b197a8e0b171be793a050652de913110f4cecb32b58a3d13f343c8c23f9958163d512e5cd598fbbe144afa3e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f880eb70a2cbe69c97a7a21a9cdd158d

SHA1
66d2475abf3a3d73db7be95dcf13d8c91364b02f

SHA256
7275878f8711b7c5d603793c3a2e8f7b94e8831862364a0745f1d297224a0b10

SHA512
7e7a82cdbc56a429c3a9395572bf0fff1ef62e9dff149e63b238f6f0d5c5a8277a2c3ebc8b5d07379fa46e899f8fbfb1735241eb848474a276dcb9ee720e3b10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b1c932e7570ed97db56babca7aa3d0cd

SHA1
189f0e02bd8ddf6a5c71fc44a86c564dd1784fe6

SHA256
d753b882767dd879a1058d26752a39fbfd00e20855a303de4464a4dbb3b72e20

SHA512
8d49063c293132a6ab1a5dbd6351d70672c130636111bfa1e301d0104a081e69a183c463d704c3d920f8bbeee5b67d1c7197d1ee78240b79fd9bb00519ab797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\k.exe
MD5
fd73f81aa14d9ac2bed06703ddb406fc

SHA1
71201a58ed4a950b3b5fb1f01c2a4826f9e98180

SHA256
f84d2af6ba8cf7bacc684fac666335b963632ce17775fa0bd7d25de9282cde01

SHA512
b0474899f93aa9d46090fb02c6ef1a8ce283a19be29f13eec70b32059752c50fed05aa507da83c20a9a580f941d9987bb9c93518fac8210c3bd6a0cf815bf407

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\k.exe
MD5
fd73f81aa14d9ac2bed06703ddb406fc

SHA1
71201a58ed4a950b3b5fb1f01c2a4826f9e98180

SHA256
f84d2af6ba8cf7bacc684fac666335b963632ce17775fa0bd7d25de9282cde01

SHA512
b0474899f93aa9d46090fb02c6ef1a8ce283a19be29f13eec70b32059752c50fed05aa507da83c20a9a580f941d9987bb9c93518fac8210c3bd6a0cf815bf407

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\et.exe
MD5
cd06b2114626a7ac7829f440a08f6995

SHA1
80c87ec2f3b6dda5dc7bad8a97f021a751befb18

SHA256
4a291c7b3e0aef77dc7c17163536722d9df1bc025744fde659fd7c14c9e6ece2

SHA512
19aa3b9877a12cdaf3b94007e9cf115553768e816b309533ef437eea1b44b1332520e11be414fced3a4d95556dc842c5ef62fbd9d1bafb1f7e77ced9c245f4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\et.exe
MD5
cd06b2114626a7ac7829f440a08f6995

SHA1
80c87ec2f3b6dda5dc7bad8a97f021a751befb18

SHA256
4a291c7b3e0aef77dc7c17163536722d9df1bc025744fde659fd7c14c9e6ece2

SHA512
19aa3b9877a12cdaf3b94007e9cf115553768e816b309533ef437eea1b44b1332520e11be414fced3a4d95556dc842c5ef62fbd9d1bafb1f7e77ced9c245f4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
MD5
fe10a4f29bdb19294e5d23e946f2b41c

SHA1
a20942b2f605342a95a23849195c8974b70ae273

SHA256
01e1569c9614d44f66b8f493e36ce90a45da47c0007f6f2d9a36eadf79cc0851

SHA512
32da7bd6d0dedd540f67818a19efe709fe508ccf282be1c65263589c64162ec9ebb9fdfd9026c24ec1e81e9b48ab533a4d2cf249eb07452ea624427e0fbc4add

Download Submit
C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
MD5
fe10a4f29bdb19294e5d23e946f2b41c

SHA1
a20942b2f605342a95a23849195c8974b70ae273

SHA256
01e1569c9614d44f66b8f493e36ce90a45da47c0007f6f2d9a36eadf79cc0851

SHA512
32da7bd6d0dedd540f67818a19efe709fe508ccf282be1c65263589c64162ec9ebb9fdfd9026c24ec1e81e9b48ab533a4d2cf249eb07452ea624427e0fbc4add

Download Submit
C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
MD5
fe10a4f29bdb19294e5d23e946f2b41c

SHA1
a20942b2f605342a95a23849195c8974b70ae273

SHA256
01e1569c9614d44f66b8f493e36ce90a45da47c0007f6f2d9a36eadf79cc0851

SHA512
32da7bd6d0dedd540f67818a19efe709fe508ccf282be1c65263589c64162ec9ebb9fdfd9026c24ec1e81e9b48ab533a4d2cf249eb07452ea624427e0fbc4add

Download Submit
C:\Users\Admin\AppData\Local\Temp\91a0189a82\tkools.exe
MD5
fe10a4f29bdb19294e5d23e946f2b41c

SHA1
a20942b2f605342a95a23849195c8974b70ae273

SHA256
01e1569c9614d44f66b8f493e36ce90a45da47c0007f6f2d9a36eadf79cc0851

SHA512
32da7bd6d0dedd540f67818a19efe709fe508ccf282be1c65263589c64162ec9ebb9fdfd9026c24ec1e81e9b48ab533a4d2cf249eb07452ea624427e0fbc4add

Download Submit
C:\Users\Admin\AppData\Local\Temp\am.exe
MD5
fe10a4f29bdb19294e5d23e946f2b41c

SHA1
a20942b2f605342a95a23849195c8974b70ae273

SHA256
01e1569c9614d44f66b8f493e36ce90a45da47c0007f6f2d9a36eadf79cc0851

SHA512
32da7bd6d0dedd540f67818a19efe709fe508ccf282be1c65263589c64162ec9ebb9fdfd9026c24ec1e81e9b48ab533a4d2cf249eb07452ea624427e0fbc4add

Download Submit
C:\Users\Admin\AppData\Local\Temp\am.exe
MD5
fe10a4f29bdb19294e5d23e946f2b41c

SHA1
a20942b2f605342a95a23849195c8974b70ae273

SHA256
01e1569c9614d44f66b8f493e36ce90a45da47c0007f6f2d9a36eadf79cc0851

SHA512
32da7bd6d0dedd540f67818a19efe709fe508ccf282be1c65263589c64162ec9ebb9fdfd9026c24ec1e81e9b48ab533a4d2cf249eb07452ea624427e0fbc4add

Download Submit
C:\Users\Admin\AppData\Local\Temp\et.exe
MD5
cd06b2114626a7ac7829f440a08f6995

SHA1
80c87ec2f3b6dda5dc7bad8a97f021a751befb18

SHA256
4a291c7b3e0aef77dc7c17163536722d9df1bc025744fde659fd7c14c9e6ece2

SHA512
19aa3b9877a12cdaf3b94007e9cf115553768e816b309533ef437eea1b44b1332520e11be414fced3a4d95556dc842c5ef62fbd9d1bafb1f7e77ced9c245f4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\et.exe
MD5
cd06b2114626a7ac7829f440a08f6995

SHA1
80c87ec2f3b6dda5dc7bad8a97f021a751befb18

SHA256
4a291c7b3e0aef77dc7c17163536722d9df1bc025744fde659fd7c14c9e6ece2

SHA512
19aa3b9877a12cdaf3b94007e9cf115553768e816b309533ef437eea1b44b1332520e11be414fced3a4d95556dc842c5ef62fbd9d1bafb1f7e77ced9c245f4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\k.exe
MD5
fd73f81aa14d9ac2bed06703ddb406fc

SHA1
71201a58ed4a950b3b5fb1f01c2a4826f9e98180

SHA256
f84d2af6ba8cf7bacc684fac666335b963632ce17775fa0bd7d25de9282cde01

SHA512
b0474899f93aa9d46090fb02c6ef1a8ce283a19be29f13eec70b32059752c50fed05aa507da83c20a9a580f941d9987bb9c93518fac8210c3bd6a0cf815bf407

Download Submit
C:\Users\Admin\AppData\Local\Temp\k.exe
MD5
fd73f81aa14d9ac2bed06703ddb406fc

SHA1
71201a58ed4a950b3b5fb1f01c2a4826f9e98180

SHA256
f84d2af6ba8cf7bacc684fac666335b963632ce17775fa0bd7d25de9282cde01

SHA512
b0474899f93aa9d46090fb02c6ef1a8ce283a19be29f13eec70b32059752c50fed05aa507da83c20a9a580f941d9987bb9c93518fac8210c3bd6a0cf815bf407

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
ad6711a4f144a46e1e744f0186385bd2

SHA1
88e6b0201ddaf8e9254f3fd0e840cdeada159fa3

SHA256
7f4877c825f9ab42dd7f8376985f8059c4d605cc3d72ac22490211bbaedee660

SHA512
2d52a8ad918ac95a853ea62a2a1d745e1510b4104c7cabbe7ab127d64fcdd1d619fe66a6fb83600abf0504d3f5c0855e63eeaa4d7c8a31c967e6f29d61c7dfa4

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
ad6711a4f144a46e1e744f0186385bd2

SHA1
88e6b0201ddaf8e9254f3fd0e840cdeada159fa3

SHA256
7f4877c825f9ab42dd7f8376985f8059c4d605cc3d72ac22490211bbaedee660

SHA512
2d52a8ad918ac95a853ea62a2a1d745e1510b4104c7cabbe7ab127d64fcdd1d619fe66a6fb83600abf0504d3f5c0855e63eeaa4d7c8a31c967e6f29d61c7dfa4

Download Submit
C:\Windows\System32\services32.exe
MD5
cd06b2114626a7ac7829f440a08f6995

SHA1
80c87ec2f3b6dda5dc7bad8a97f021a751befb18

SHA256
4a291c7b3e0aef77dc7c17163536722d9df1bc025744fde659fd7c14c9e6ece2

SHA512
19aa3b9877a12cdaf3b94007e9cf115553768e816b309533ef437eea1b44b1332520e11be414fced3a4d95556dc842c5ef62fbd9d1bafb1f7e77ced9c245f4d7

Download Submit
C:\Windows\System32\services32.exe
MD5
cd06b2114626a7ac7829f440a08f6995

SHA1
80c87ec2f3b6dda5dc7bad8a97f021a751befb18

SHA256
4a291c7b3e0aef77dc7c17163536722d9df1bc025744fde659fd7c14c9e6ece2

SHA512
19aa3b9877a12cdaf3b94007e9cf115553768e816b309533ef437eea1b44b1332520e11be414fced3a4d95556dc842c5ef62fbd9d1bafb1f7e77ced9c245f4d7

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
MD5
ad6711a4f144a46e1e744f0186385bd2

SHA1
88e6b0201ddaf8e9254f3fd0e840cdeada159fa3

SHA256
7f4877c825f9ab42dd7f8376985f8059c4d605cc3d72ac22490211bbaedee660

SHA512
2d52a8ad918ac95a853ea62a2a1d745e1510b4104c7cabbe7ab127d64fcdd1d619fe66a6fb83600abf0504d3f5c0855e63eeaa4d7c8a31c967e6f29d61c7dfa4

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
MD5
ad6711a4f144a46e1e744f0186385bd2

SHA1
88e6b0201ddaf8e9254f3fd0e840cdeada159fa3

SHA256
7f4877c825f9ab42dd7f8376985f8059c4d605cc3d72ac22490211bbaedee660

SHA512
2d52a8ad918ac95a853ea62a2a1d745e1510b4104c7cabbe7ab127d64fcdd1d619fe66a6fb83600abf0504d3f5c0855e63eeaa4d7c8a31c967e6f29d61c7dfa4

Download Submit
C:\Windows\system32\services32.exe
MD5
cd06b2114626a7ac7829f440a08f6995

SHA1
80c87ec2f3b6dda5dc7bad8a97f021a751befb18

SHA256
4a291c7b3e0aef77dc7c17163536722d9df1bc025744fde659fd7c14c9e6ece2

SHA512
19aa3b9877a12cdaf3b94007e9cf115553768e816b309533ef437eea1b44b1332520e11be414fced3a4d95556dc842c5ef62fbd9d1bafb1f7e77ced9c245f4d7

Download Submit
C:\Windows\system32\services32.exe
MD5
cd06b2114626a7ac7829f440a08f6995

SHA1
80c87ec2f3b6dda5dc7bad8a97f021a751befb18

SHA256
4a291c7b3e0aef77dc7c17163536722d9df1bc025744fde659fd7c14c9e6ece2

SHA512
19aa3b9877a12cdaf3b94007e9cf115553768e816b309533ef437eea1b44b1332520e11be414fced3a4d95556dc842c5ef62fbd9d1bafb1f7e77ced9c245f4d7

Download Submit
memory/504-202-0x0000000001310000-0x0000000001BD4000-memory.dmp

Filesize
8.8MB

Download
memory/504-179-0x0000000000000000-mapping.dmp

Download
memory/504-185-0x0000000077300000-0x000000007748E000-memory.dmp

Filesize
1.6MB

Download
memory/584-220-0x0000000000000000-mapping.dmp

Download
memory/584-263-0x000001BD50788000-0x000001BD50789000-memory.dmp

Filesize
4KB

Download
memory/584-260-0x000001BD50786000-0x000001BD50788000-memory.dmp

Filesize
8KB

Download
memory/584-259-0x000001BD50783000-0x000001BD50785000-memory.dmp

Filesize
8KB

Download
memory/584-258-0x000001BD50780000-0x000001BD50782000-memory.dmp

Filesize
8KB

Download
memory/644-169-0x000001D89F920000-0x000001D89F922000-memory.dmp

Filesize
8KB

Download
memory/644-174-0x000001D8B9883000-0x000001D8B9885000-memory.dmp

Filesize
8KB

Download
memory/644-189-0x000001D89F920000-0x000001D89F922000-memory.dmp

Filesize
8KB

Download
memory/644-163-0x000001D89F920000-0x000001D89F922000-memory.dmp

Filesize
8KB

Download
memory/644-164-0x000001D89F920000-0x000001D89F922000-memory.dmp

Filesize
8KB

Download
memory/644-188-0x000001D89F920000-0x000001D89F922000-memory.dmp

Filesize
8KB

Download
memory/644-369-0x0000000000000000-mapping.dmp

Download
memory/644-378-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/644-217-0x000001D8B9888000-0x000001D8B9889000-memory.dmp

Filesize
4KB

Download
memory/644-165-0x000001D89F920000-0x000001D89F922000-memory.dmp

Filesize
8KB

Download
memory/644-171-0x000001D89F920000-0x000001D89F922000-memory.dmp

Filesize
8KB

Download
memory/644-183-0x000001D89F920000-0x000001D89F922000-memory.dmp

Filesize
8KB

Download
memory/644-173-0x000001D8B9880000-0x000001D8B9882000-memory.dmp

Filesize
8KB

Download
memory/644-161-0x0000000000000000-mapping.dmp

Download
memory/644-207-0x000001D8B9886000-0x000001D8B9888000-memory.dmp

Filesize
8KB

Download
memory/644-175-0x000001D8B9840000-0x000001D8B9841000-memory.dmp

Filesize
4KB

Download
memory/644-176-0x000001D89F920000-0x000001D89F922000-memory.dmp

Filesize
8KB

Download
memory/644-178-0x000001D89F920000-0x000001D89F922000-memory.dmp

Filesize
8KB

Download
memory/644-177-0x000001D89F920000-0x000001D89F922000-memory.dmp

Filesize
8KB

Download
memory/644-372-0x0000000077300000-0x000000007748E000-memory.dmp

Filesize
1.6MB

Download
memory/644-180-0x000001D8BB9E0000-0x000001D8BB9E1000-memory.dmp

Filesize
4KB

Download
memory/788-380-0x0000000077300000-0x000000007748E000-memory.dmp

Filesize
1.6MB

Download
memory/860-162-0x0000000000000000-mapping.dmp

Download
memory/908-513-0x00000000021A0000-0x00000000021A2000-memory.dmp

Filesize
8KB

Download
memory/908-484-0x0000000000000000-mapping.dmp

Download
memory/984-272-0x0000000000000000-mapping.dmp

Download
memory/1064-214-0x0000000000000000-mapping.dmp

Download
memory/1120-391-0x0000000000000000-mapping.dmp

Download
memory/1120-432-0x000002D9CA633000-0x000002D9CA635000-memory.dmp

Filesize
8KB

Download
memory/1120-431-0x000002D9CA630000-0x000002D9CA632000-memory.dmp

Filesize
8KB

Download
memory/1120-433-0x000002D9CA636000-0x000002D9CA638000-memory.dmp

Filesize
8KB

Download
memory/1120-471-0x000002D9CA638000-0x000002D9CA639000-memory.dmp

Filesize
4KB

Download
memory/1272-266-0x0000000000000000-mapping.dmp

Download
memory/1272-273-0x0000000003030000-0x0000000003032000-memory.dmp

Filesize
8KB

Download
memory/1316-172-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/1316-168-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/1316-157-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/1316-156-0x0000000077300000-0x000000007748E000-memory.dmp

Filesize
1.6MB

Download
memory/1316-150-0x0000000000000000-mapping.dmp

Download
memory/1344-475-0x000002646C276000-0x000002646C278000-memory.dmp

Filesize
8KB

Download
memory/1344-438-0x0000000000000000-mapping.dmp

Download
memory/1344-472-0x000002646C270000-0x000002646C272000-memory.dmp

Filesize
8KB

Download
memory/1344-473-0x000002646C273000-0x000002646C275000-memory.dmp

Filesize
8KB

Download
memory/1344-481-0x000002646C278000-0x000002646C279000-memory.dmp

Filesize
4KB

Download
memory/1592-264-0x0000000000000000-mapping.dmp

Download
memory/2276-491-0x0000000000000000-mapping.dmp

Download
memory/2340-125-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/2340-130-0x0000000073DF0000-0x0000000075138000-memory.dmp

Filesize
19.3MB

Download
memory/2340-116-0x0000000000240000-0x00000000002E5000-memory.dmp

Filesize
660KB

Download
memory/2340-117-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2340-140-0x0000000006950000-0x0000000006951000-memory.dmp

Filesize
4KB

Download
memory/2340-118-0x00000000769D0000-0x0000000076B92000-memory.dmp

Filesize
1.8MB

Download
memory/2340-119-0x0000000002A40000-0x0000000002A85000-memory.dmp

Filesize
276KB

Download
memory/2340-120-0x0000000075B20000-0x0000000075C11000-memory.dmp

Filesize
964KB

Download
memory/2340-121-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2340-123-0x0000000071EF0000-0x0000000071F70000-memory.dmp

Filesize
512KB

Download
memory/2340-139-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/2340-124-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/2340-126-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/2340-127-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/2340-128-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/2340-115-0x0000000000240000-0x00000000002E5000-memory.dmp

Filesize
660KB

Download
memory/2340-138-0x00000000069D0000-0x00000000069D1000-memory.dmp

Filesize
4KB

Download
memory/2340-137-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2340-136-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/2340-135-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/2340-134-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/2340-133-0x0000000005F70000-0x0000000005F71000-memory.dmp

Filesize
4KB

Download
memory/2340-132-0x0000000070920000-0x000000007096B000-memory.dmp

Filesize
300KB

Download
memory/2340-129-0x0000000076C20000-0x00000000771A4000-memory.dmp

Filesize
5.5MB

Download
memory/2340-131-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/2372-492-0x0000000000000000-mapping.dmp

Download
memory/2372-555-0x000001B06B878000-0x000001B06B879000-memory.dmp

Filesize
4KB

Download
memory/2372-554-0x000001B06B876000-0x000001B06B878000-memory.dmp

Filesize
8KB

Download
memory/2372-515-0x000001B06B870000-0x000001B06B872000-memory.dmp

Filesize
8KB

Download
memory/2372-516-0x000001B06B873000-0x000001B06B875000-memory.dmp

Filesize
8KB

Download
memory/2452-401-0x0000000000000000-mapping.dmp

Download
memory/2752-399-0x0000000000000000-mapping.dmp

Download
memory/2800-316-0x000000001CA10000-0x000000001CA12000-memory.dmp

Filesize
8KB

Download
memory/2800-280-0x0000000000000000-mapping.dmp

Download
memory/2836-141-0x0000000000000000-mapping.dmp

Download
memory/2836-154-0x0000000077300000-0x000000007748E000-memory.dmp

Filesize
1.6MB

Download
memory/2836-167-0x00000000010B0000-0x0000000001974000-memory.dmp

Filesize
8.8MB

Download
memory/2836-170-0x00000000010B0000-0x0000000001974000-memory.dmp

Filesize
8.8MB

Download
memory/2876-212-0x0000000000000000-mapping.dmp

Download
memory/2944-430-0x000000001BE30000-0x000000001BE32000-memory.dmp

Filesize
8KB

Download
memory/2944-383-0x0000000000000000-mapping.dmp

Download
memory/2968-517-0x000000001C3A0000-0x000000001C3A2000-memory.dmp

Filesize
8KB

Download
memory/2968-500-0x0000000000000000-mapping.dmp

Download
memory/3080-341-0x000001A9FDFF8000-0x000001A9FDFF9000-memory.dmp

Filesize
4KB

Download
memory/3080-312-0x000001A9FDFF0000-0x000001A9FDFF2000-memory.dmp

Filesize
8KB

Download
memory/3080-274-0x0000000000000000-mapping.dmp

Download
memory/3080-319-0x000001A9FDFF6000-0x000001A9FDFF8000-memory.dmp

Filesize
8KB

Download
memory/3080-314-0x000001A9FDFF3000-0x000001A9FDFF5000-memory.dmp

Filesize
8KB

Download
memory/3204-586-0x00000166BDC06000-0x00000166BDC08000-memory.dmp

Filesize
8KB

Download
memory/3204-587-0x00000166BDC08000-0x00000166BDC09000-memory.dmp

Filesize
4KB

Download
memory/3204-557-0x00000166BDC03000-0x00000166BDC05000-memory.dmp

Filesize
8KB

Download
memory/3204-556-0x00000166BDC00000-0x00000166BDC02000-memory.dmp

Filesize
8KB

Download
memory/3204-542-0x0000000000000000-mapping.dmp

Download
memory/3252-153-0x0000000000000000-mapping.dmp

Download
memory/3380-345-0x0000015780093000-0x0000015780095000-memory.dmp

Filesize
8KB

Download
memory/3380-368-0x0000015780098000-0x0000015780099000-memory.dmp

Filesize
4KB

Download
memory/3380-343-0x0000015780090000-0x0000015780092000-memory.dmp

Filesize
8KB

Download
memory/3380-324-0x0000000000000000-mapping.dmp

Download
memory/3380-347-0x0000015780096000-0x0000015780098000-memory.dmp

Filesize
8KB

Download
memory/3452-482-0x0000000000000000-mapping.dmp

Download
memory/3652-390-0x0000000000000000-mapping.dmp

Download
memory/3848-213-0x0000000000000000-mapping.dmp

Download
memory/3988-149-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/3988-155-0x000000001CA60000-0x000000001CA62000-memory.dmp

Filesize
8KB

Download
memory/3988-147-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/3988-144-0x0000000000000000-mapping.dmp

Download
memory/4016-589-0x0000000077300000-0x000000007748E000-memory.dmp

Filesize
1.6MB

Download
memory/4084-166-0x0000000000000000-mapping.dmp

Download