Analysis
- max time kernel: 152s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 26-01-2022 22:12

Static task: static1
Behavioral task: behavioral1
Sample: 4da9e075945487af345cd21b7d72c39e1143c606f05943572002d2bc8839335a.exe
Resource: win10v2004-en-20220112

General
- Target: 4da9e075945487af345cd21b7d72c39e1143c606f05943572002d2bc8839335a.exe
- Size: 357KB
- MD5: a5a3552609dd9aeb0333271b7480433f
- SHA1: 4f1f224748911e46d835eaf2f3ed30db739861c4
- SHA256: 4da9e075945487af345cd21b7d72c39e1143c606f05943572002d2bc8839335a
- SHA512: 499f4111a3370f8eaa8dcc56df71d25546b5960ea3d0b3eaae2667ec58aa84b16e8a91090c250c14234930dc59b61fe169dd0dfb2344ebdb64a09303726bc07a
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Suspicious use of NtCreateProcessExOtherParentProcess (6 IoCs)
  Processes (description | pid | process | target process):
  PID 3136 created 816 | 3136 | WerFault.exe | explorer.exe
  PID 960 created 2740 | 960 | WerFault.exe | DllHost.exe
  PID 1204 created 360 | 1204 | WerFault.exe | DllHost.exe
  PID 3940 created 1812 | 3940 | WerFault.exe | DllHost.exe
  PID 3476 created 4064 | 3476 | WerFault.exe | DllHost.exe
  PID 2784 created 2764 | 2784 | WerFault.exe | DllHost.exe
- suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
- suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  3216 | AD16.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Drops file in Windows directory (1 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
- Program crash (6 IoCs)
  Processes (pid | pid_target | process | target process):
  1028 | 816 | WerFault.exe | explorer.exe
  4092 | 2740 | WerFault.exe | DllHost.exe
  1768 | 360 | WerFault.exe | DllHost.exe
  3492 | 1812 | WerFault.exe | DllHost.exe
  4056 | 4064 | WerFault.exe | DllHost.exe
  4072 | 2764 | WerFault.exe | DllHost.exe
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AD16.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AD16.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AD16.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4da9e075945487af345cd21b7d72c39e1143c606f05943572002d2bc8839335a.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4da9e075945487af345cd21b7d72c39e1143c606f05943572002d2bc8839335a.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4da9e075945487af345cd21b7d72c39e1143c606f05943572002d2bc8839335a.exe
- Checks processor information in registry (2 TTPs, 18 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
- Enumerates system info in registry (2 TTPs, 12 IoCs)
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
- Gathers network information (2 TTPs, 4 IoCs)
  Uses commandline utility to view network configuration.
  Processes (pid | process):
  2600 | ipconfig.exe
  4012 | NETSTAT.EXE
  1356 | NETSTAT.EXE
  652 | ipconfig.exe
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
- Modifies Internet Explorer settings
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | (none recorded)
  Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30937866" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1918888049" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda0000000002000000000010660000000100002000000003333ca8f3d638aeba81cc9c30db412bbb9dded0b209a9bc1b51f441937f3bea000000000e80000000020000200000002e00aea99c85b30e88cee8d32d192bc54408803442e9e9febd57684eaea07436200000000fa17f95142267b2131661e4285ed3196d5446d5a672fe919aa18a62ee24a14940000000065fdf62b59d7f424b448ce3e065347fac45852687b4f09f416bea6e115e9063158bb48b6e3a70d4f3adce44cf9db0f53dab80fb5e1ca5b4c863ccb1fd4cd1b9 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main | (none recorded)
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1918888049" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1953733309" | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cce5a29beacafa47833fc2d72883fdda00000000020000000000106600000001000020000000de9154f99a1a1db8939f4f49f4d0fb49e549a153a687d0df687af76ab667fc1a000000000e8000000002000020000000257e50d3f070094ee5fc758ed1997f72c233b9a6b4c920a71c03f94f7911e50520000000ee674b9e499c39fb44b73bca3d5db3e44b90ad34022e21b892a3c2f616fa44f0400000004603bac8e8ea5836cfced83813aaf3f19465b179fdf3c21f643b23c4a1c07fe4add35f26d0e0acb40644add2f9901c5834ea3b8205e46b184443f1885e13299a | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9D7CC843-7EFD-11EC-82D0-6233295FD4AC} = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937866" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 608479780a13d801 | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40fa82780a13d801 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30937866" | IEXPLORE.EXE
- Modifies data under HKEY_USERS (41 IoCs)
  Processes (description | ioc | process); every entry is "Key created" by WaaSMedicAgent.exe, so only the key is listed:
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process), identical consecutive entries collapsed with their count:
  3920 | 4da9e075945487af345cd21b7d72c39e1143c606f05943572002d2bc8839335a.exe (x2)
  2444 | (no process name recorded) (x62)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
  2444 | (no process name recorded)
- Suspicious behavior: MapViewOfSection (64 IoCs)
  Processes (pid | process), identical consecutive entries collapsed with their count:
  3920 | 4da9e075945487af345cd21b7d72c39e1143c606f05943572002d2bc8839335a.exe
  3216 | AD16.exe
  2444 | (no process name recorded) (x6)
  1180 | explorer.exe (x2)
  2444 | (no process name recorded) (x2)
  2308 | explorer.exe (x2)
  2444 | (no process name recorded) (x2)
  2944 | explorer.exe (x2)
  2444 | (no process name recorded) (x2)
  3352 | explorer.exe (x2)
  2444 | (no process name recorded) (x2)
  1960 | explorer.exe (x4)
  2444 | (no process name recorded) (x2)
  3928 | explorer.exe (x34)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
  pid 2156, WMIC.exe: each of the following token adjustments is listed twice:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 3952, WMIC.exe: the same 21 token adjustments listed once, in the same order, followed by one more Token: SeIncreaseQuotaPrivilege
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid | process):
  2572 | iexplore.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid | process):
  2572 | iexplore.exe (x2)
  768 | IEXPLORE.EXE (x2)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process), identical consecutive entries collapsed with their count:
  PID 2444 wrote to memory of 3216 | 2444 | (no process name recorded) | AD16.exe (x3)
  PID 2444 wrote to memory of 2520 | 2444 | (no process name recorded) | cmd.exe (x2)
  PID 2520 wrote to memory of 2156 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 3952 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 2504 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 1352 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 636 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 1540 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 1112 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 3244 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 2884 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 3288 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 968 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 1272 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 2136 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 2692 | 2520 | cmd.exe | WMIC.exe (x2)
  PID 2520 wrote to memory of 2600 | 2520 | cmd.exe | ipconfig.exe (x2)
  PID 2520 wrote to memory of 1600 | 2520 | cmd.exe | ROUTE.EXE (x2)
  PID 2520 wrote to memory of 3464 | 2520 | cmd.exe | netsh.exe (x2)
  PID 2520 wrote to memory of 1180 | 2520 | cmd.exe | systeminfo.exe (x2)
  PID 2520 wrote to memory of 3620 | 2520 | cmd.exe | tasklist.exe (x2)
  PID 2520 wrote to memory of 3780 | 2520 | cmd.exe | net.exe (x2)
  PID 3780 wrote to memory of 2852 | 3780 | net.exe | net1.exe (x2)
  PID 2520 wrote to memory of 216 | 2520 | cmd.exe | net.exe (x2)
  PID 216 wrote to memory of 3472 | 216 | net.exe | net1.exe (x2)
  PID 2520 wrote to memory of 3372 | 2520 | cmd.exe | net.exe (x2)
  PID 3372 wrote to memory of 3496 | 3372 | net.exe | net1.exe (x2)
  PID 2520 wrote to memory of 736 | 2520 | cmd.exe | net.exe (x2)
  PID 736 wrote to memory of 2752 | 736 | net.exe | net1.exe (x2)
  PID 2520 wrote to memory of 3440 | 2520 | cmd.exe | net.exe (x2)
  PID 2520 wrote to memory of 1784 | 2520 | cmd.exe | net.exe (x2)
  PID 1784 wrote to memory of 3908 | 1784 | net.exe | net1.exe
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2740 -s 9762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\4da9e075945487af345cd21b7d72c39e1143c606f05943572002d2bc8839335a.exe"C:\Users\Admin\AppData\Local\Temp\4da9e075945487af345cd21b7d72c39e1143c606f05943572002d2bc8839335a.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 55a19c0c14f19b891d5d33cbd6dac82e mXXzQROENkiGuBKPD0WKJg.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\AD16.exeC:\Users\Admin\AppData\Local\Temp\AD16.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.execmd1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv2⤵
-
Process tree (continued). [n] is the depth of the process in the tree; each entry gives the image path, then the command line, then any behaviour signatures the sandbox attached.

  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
  [2] C:\Windows\system32\ipconfig.exe
      ipconfig /displaydns
      - Gathers network information
  [2] C:\Windows\system32\ROUTE.EXE
      route print
  [2] C:\Windows\system32\netsh.exe
      netsh firewall show state
  [2] C:\Windows\system32\systeminfo.exe
      systeminfo
      - Gathers system information
  [2] C:\Windows\system32\tasklist.exe
      tasklist /v
      - Enumerates processes with tasklist
  [2] C:\Windows\system32\net.exe
      net accounts /domain
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 accounts /domain
  [2] C:\Windows\system32\net.exe
      net share
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 share
  [2] C:\Windows\system32\net.exe
      net user
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user
  [2] C:\Windows\system32\net.exe
      net user /domain
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user /domain
  [2] C:\Windows\system32\net.exe
      net use
  [2] C:\Windows\system32\net.exe
      net group
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 group
  [2] C:\Windows\system32\net.exe
      net localgroup
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 localgroup
  [2] C:\Windows\system32\NETSTAT.EXE
      netstat -r
      - Gathers network information
    [3] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
      [4] C:\Windows\system32\ROUTE.EXE
          C:\Windows\system32\route.exe print
  [2] C:\Windows\system32\NETSTAT.EXE
      netstat -nao
      - Gathers network information
  [2] C:\Windows\system32\schtasks.exe
      schtasks /query
  [2] C:\Windows\system32\ipconfig.exe
      ipconfig /all
      - Gathers network information

Two of the sub-trees above are the tools' own doing rather than extra commands from the loader: net.exe hands most subcommands to net1.exe, which is why each net command has a net1.exe child with the same arguments, and netstat -r runs route print for you through cmd.exe, which is why cmd.exe and route.exe appear under it. The set as a whole (WMI group/owner/device queries, DNS cache, routing table, firewall state, system and process inventory, local and domain accounts, shares, listening sockets, scheduled tasks) is a host-discovery sweep run in one burst, and the burst itself is the thing to detect.
[1] C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
[1] C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
[1] C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
[1] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
  [2] C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 896
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
[1] C:\Windows\explorer.exe
    C:\Windows\explorer.exe
[1] C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 816 -ip 816
    - Suspicious use of NtCreateProcessExOtherParentProcess
[1] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    - Suspicious behavior: MapViewOfSection
[1] C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    - Suspicious behavior: MapViewOfSection
[1] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    - Suspicious behavior: MapViewOfSection
[1] C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    - Suspicious behavior: MapViewOfSection
[1] C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    - Suspicious behavior: MapViewOfSection
[1] C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    - Suspicious behavior: MapViewOfSection
[1] C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 412 -p 2740 -ip 2740
    - Suspicious use of NtCreateProcessExOtherParentProcess
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  [2] C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 360 -s 828
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
[1] C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 452 -p 360 -ip 360
    - Suspicious use of NtCreateProcessExOtherParentProcess
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  [2] C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1812 -s 760
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
[1] C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 424 -p 1812 -ip 1812
    - Suspicious use of NtCreateProcessExOtherParentProcess
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  [2] C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4064 -s 812
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
[1] C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 428 -p 4064 -ip 4064
    - Suspicious use of NtCreateProcessExOtherParentProcess
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  [2] C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2764 -s 808
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
[1] C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 424 -p 2764 -ip 2764
    - Suspicious use of NtCreateProcessExOtherParentProcess

Reading the WerFault entries: WerFault.exe -u -p <pid> -s <n> is the reporting instance started by the faulting process itself, and the matching WerFault.exe -pss -s <n> -p <pid> -ip <pid> is the instance the Windows Error Reporting service starts with the faulting process set as its parent, which is exactly what the "NtCreateProcessExOtherParentProcess" signature reacts to. The PIDs pair them up: 816 is the 32-bit (SysWOW64) explorer.exe instance at the top of this block, and 360, 1812, 4064 and 2764 are the four DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} surrogates, each of which crashed once; 2740 has a -pss report whose faulting process is not listed in this part of the tree. Those signatures are therefore crash-handling noise; the interesting flags are the "MapViewOfSection" hits on the alternating 32- and 64-bit explorer.exe instances, which are consistent with section-mapping injection into explorer.exe, and explorer.exe 816 crashing afterwards is the first place to pull memory from.
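The discovery sweep earlier in this tree (wmic, ipconfig, route, netsh, systeminfo, tasklist, net, netstat, schtasks, each a separate child process within seconds of the others) is easier to catch on the parent than on any single command, since every one of those binaries is also run legitimately. The Python below is an added example, not part of this report or of any tool it names: it takes process-creation records with the fields a Sysmon Event ID 1 or Windows 4688 record provides, folds cmd.exe wrappers and the net.exe to net1.exe hand-off back onto the parent that drove them, and flags any parent whose descendants ran five or more distinct discovery utilities inside a two-minute window. The records are constructed for the illustration: the command lines mirror the tree above, while the PIDs, timestamps and the parent image name loader.exe are invented.

```python
"""Detect a host-discovery burst like the one in the process tree above.

Added example; not part of the sandbox report. Input records carry the fields
a Sysmon Event ID 1 / Windows 4688 record gives you: time, pid, ppid, image,
command line. PIDs, timestamps and the parent image (loader.exe) are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Built-in utilities whose arrival in a tight cluster under one parent is the signal.
DISCOVERY_TOOLS = {
    "wmic.exe", "ipconfig.exe", "route.exe", "netsh.exe", "systeminfo.exe",
    "tasklist.exe", "net.exe", "netstat.exe", "schtasks.exe",
    "whoami.exe", "nltest.exe", "arp.exe", "qwinsta.exe",
}
ALIASES = {"net1.exe": "net.exe"}   # net.exe hands its work to net1.exe: count the pair once
WRAPPERS = {"cmd.exe"}              # cmd /c <tool> is charged to cmd's parent, not to cmd

FIELDS = ("time", "pid", "ppid", "image", "cmdline")

# Constructed records: command lines from the tree above, everything else made up.
SAMPLE_EVENTS = [
    ("2022-01-26T22:13:00", 4100, 3200, r"C:\Users\Admin\AppData\Local\Temp\loader.exe", "loader.exe"),
    ("2022-01-26T22:13:01", 4201, 4100, r"C:\Windows\System32\Wbem\WMIC.exe",
     r"wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,UserName /format:csv"),
    ("2022-01-26T22:13:02", 4202, 4100, r"C:\Windows\system32\ipconfig.exe", "ipconfig /displaydns"),
    ("2022-01-26T22:13:03", 4203, 4100, r"C:\Windows\system32\netsh.exe", "netsh firewall show state"),
    ("2022-01-26T22:13:04", 4204, 4100, r"C:\Windows\system32\systeminfo.exe", "systeminfo"),
    ("2022-01-26T22:13:05", 4205, 4100, r"C:\Windows\system32\tasklist.exe", "tasklist /v"),
    ("2022-01-26T22:13:06", 4206, 4100, r"C:\Windows\system32\net.exe", "net share"),
    ("2022-01-26T22:13:06", 4207, 4206, r"C:\Windows\system32\net1.exe", r"C:\Windows\system32\net1 share"),
    ("2022-01-26T22:13:07", 4208, 4100, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print'),
    ("2022-01-26T22:13:07", 4209, 4208, r"C:\Windows\system32\ROUTE.EXE", r"C:\Windows\system32\route.exe print"),
    ("2022-01-26T22:13:08", 4210, 4100, r"C:\Windows\system32\NETSTAT.EXE", "netstat -nao"),
    ("2022-01-26T22:13:09", 4211, 4100, r"C:\Windows\system32\schtasks.exe", "schtasks /query"),
    # A lone ipconfig from an interactive shell (parent 1500 not in telemetry): not a burst.
    ("2022-01-26T22:15:00", 4300, 1500, r"C:\Windows\system32\cmd.exe", "cmd.exe"),
    ("2022-01-26T22:15:05", 4301, 4300, r"C:\Windows\system32\ipconfig.exe", "ipconfig /all"),
]


def tool_name(image):
    """Lower-cased basename, with hand-off helpers folded into their front end."""
    name = ntpath.basename(image).lower()
    return ALIASES.get(name, name)


def effective_parent(pid, by_pid):
    """Walk up through wrappers and tool-to-tool hand-offs (cmd -> route, net -> net1)
    so that every discovery command is attributed to the process driving the burst."""
    ev = by_pid.get(pid)
    while ev is not None:
        parent = by_pid.get(ev["ppid"])
        if parent is None:                  # parent not in our telemetry: stop here
            return ev["ppid"]
        pname = tool_name(parent["image"])
        if pname in WRAPPERS or pname in DISCOVERY_TOOLS:
            ev = parent
            continue
        return parent["pid"]
    return None


def as_records(rows):
    return [dict(zip(FIELDS, row)) for row in rows]


def find_discovery_bursts(events, window=timedelta(seconds=120), min_tools=5):
    """One finding per parent whose descendants ran >= min_tools distinct
    discovery utilities inside `window`. `time` fields are ISO 8601 strings."""
    recs = [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]
    by_pid = {r["pid"]: r for r in recs}
    per_parent = defaultdict(list)
    for r in recs:
        raw = ntpath.basename(r["image"]).lower()
        if raw in ALIASES:                  # net1.exe is already counted via net.exe
            continue
        name = tool_name(r["image"])
        if name not in DISCOVERY_TOOLS:
            continue
        per_parent[effective_parent(r["pid"], by_pid)].append((r["time"], name, r["cmdline"]))

    findings = []
    for parent, items in per_parent.items():
        items.sort()
        for i, (t0, _, _) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - t0 <= window]
            tools = {name for _, name, _ in in_window}
            if len(tools) >= min_tools:
                findings.append({
                    "parent_pid": parent,
                    "start": t0.isoformat(),
                    "end": in_window[-1][0].isoformat(),
                    "tools": sorted(tools),
                    "commands": [c for _, _, c in in_window],
                })
                break                       # one finding per parent is enough
    return findings


if __name__ == "__main__":
    for f in find_discovery_bursts(as_records(SAMPLE_EVENTS)):
        print(f"parent {f['parent_pid']}: {len(f['tools'])} discovery tools "
              f"between {f['start']} and {f['end']}")
        for c in f["commands"]:
            print("   ", c)
```

The window and the tool-count threshold are the tuning knobs. Attribution matters more than either: without folding cmd.exe and net1.exe back onto their parent, the route.exe and net1.exe children would each be counted against a short-lived intermediate process and the sweep would never cross the threshold under any one PID. The lone ipconfig /all in the sample stays under the bar, as it should.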
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AD16.exe
MD5:    594a5d0869620855f89487ba04420a6e
SHA1:   0694e7e225cae7c8039e1feb20fe1784acd52061
SHA256: a91b47dd04b0e0239d087f40e153971719cb9b386d73cc80c6b2feaa368bf101
SHA512: 2f7715a4bd64d8f45eb5e47b6edff1f6f6fa403659badbfd08528a6a95d4e7f152412e084de7fd5ba8ada2da22a2539c9cc6e23e6e620b3748b5beef11d0f5dc
-
\??\PIPE\lsarpc
MD5:    d41d8cd98f00b204e9800998ecf8427e
SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
These four values are the digests of zero-length input: the entry is a handle to the LSA RPC named pipe that the sandbox recorded as a file, not a dropped payload. AD16.exe is the only real download in this list.
-
memory/816-171-0x00000000003B0000-0x000000000041B000-memory.dmp    428KB
memory/816-170-0x0000000000420000-0x0000000000495000-memory.dmp    468KB
memory/1180-174-0x0000000002B80000-0x0000000002B8B000-memory.dmp   44KB
memory/1180-173-0x0000000002B90000-0x0000000002B97000-memory.dmp   28KB
memory/1300-193-0x0000018230100000-0x0000018230101000-memory.dmp   4KB
memory/1576-184-0x0000000004B50000-0x0000000004B5B000-memory.dmp   44KB
memory/1576-183-0x0000000004B60000-0x0000000004B61000-memory.dmp   4KB
memory/1812-196-0x0000017CCD490000-0x0000017CCD498000-memory.dmp   32KB
memory/1812-197-0x0000017CCD480000-0x0000017CCD481000-memory.dmp   4KB
memory/1812-198-0x0000017CCD470000-0x0000017CCD478000-memory.dmp   32KB
memory/1812-200-0x0000017CCD420000-0x0000017CCD428000-memory.dmp   32KB
memory/1960-181-0x00000000029F0000-0x00000000029F6000-memory.dmp   24KB
memory/1960-182-0x00000000029E0000-0x00000000029EB000-memory.dmp   44KB
memory/2228-187-0x000001A06C320000-0x000001A06C321000-memory.dmp   4KB
memory/2240-188-0x00000208654D0000-0x00000208654D1000-memory.dmp   4KB
memory/2288-189-0x0000018D29EB0000-0x0000018D29EB1000-memory.dmp   4KB
memory/2308-175-0x0000000000410000-0x0000000000419000-memory.dmp   36KB
memory/2308-176-0x0000000000400000-0x000000000040E000-memory.dmp   56KB
memory/2444-140-0x0000000008640000-0x000000000864F000-memory.dmp   60KB
memory/2444-139-0x0000000002F80000-0x0000000002F96000-memory.dmp   88KB
memory/2444-133-0x0000000001090000-0x00000000010A6000-memory.dmp   88KB
memory/2540-190-0x000001CEFECD0000-0x000001CEFECD1000-memory.dmp   4KB
memory/2748-172-0x00000000012E0000-0x00000000012EC000-memory.dmp   48KB
memory/2836-191-0x00000287903F0000-0x00000287903F1000-memory.dmp   4KB
memory/2900-192-0x000001ACEEC50000-0x000001ACEEC51000-memory.dmp   4KB
memory/2944-178-0x00000000029E0000-0x00000000029E9000-memory.dmp   36KB
memory/2944-177-0x00000000029F0000-0x00000000029F5000-memory.dmp   20KB
memory/3216-136-0x00000000004A0000-0x00000000004CB000-memory.dmp   172KB
memory/3216-138-0x0000000000400000-0x0000000000484000-memory.dmp   528KB
memory/3216-137-0x0000000000490000-0x0000000000499000-memory.dmp   36KB
memory/3352-179-0x0000000000140000-0x0000000000146000-memory.dmp   24KB
memory/3352-180-0x0000000000130000-0x000000000013C000-memory.dmp   48KB
memory/3668-194-0x0000020FE0670000-0x0000020FE0671000-memory.dmp   4KB
memory/3888-195-0x0000020352110000-0x0000020352111000-memory.dmp   4KB
memory/3920-130-0x00000000005C0000-0x00000000005EB000-memory.dmp   172KB
memory/3920-132-0x0000000000400000-0x0000000000484000-memory.dmp   528KB
memory/3920-131-0x0000000000550000-0x0000000000559000-memory.dmp   36KB
memory/3928-186-0x0000000000BF0000-0x0000000000BFD000-memory.dmp   52KB
memory/3928-185-0x0000000000E80000-0x0000000000E87000-memory.dmp   28KB
memory/4072-667-0x0000028F75840000-0x0000028F7584D000-memory.dmp   52KB
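The dump names above encode the PID, a sequence number and the start and end address of the region, so the inventory can be sanity-checked and triaged before any dump is opened. The Python below is an added example, not part of the report: it parses entries of that form, recomputes each size from the address range and compares it with the declared Filesize (regions are page-granular, so the KB figures are exact), and lists address ranges that recur in more than one process. A range recurring at the same base in two processes is the usual sign of the same PE image being mapped in both, and tells you which pair of dumps to diff first. The sample entries are copied from the list above; the one deliberately inconsistent entry in the usage is constructed.

```python
"""Consistency check and cross-process triage of a sandbox memory-dump inventory.

Added example; not part of the report. Entries are named
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp and carry a declared Filesize.
SAMPLE_DUMPS is copied from the inventory above.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+)\s*(B|KB|MB)$", re.IGNORECASE)
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

SAMPLE_DUMPS = [
    ("memory/816-171-0x00000000003B0000-0x000000000041B000-memory.dmp", "428KB"),
    ("memory/816-170-0x0000000000420000-0x0000000000495000-memory.dmp", "468KB"),
    ("memory/1812-196-0x0000017CCD490000-0x0000017CCD498000-memory.dmp", "32KB"),
    ("memory/2308-175-0x0000000000410000-0x0000000000419000-memory.dmp", "36KB"),
    ("memory/2308-176-0x0000000000400000-0x000000000040E000-memory.dmp", "56KB"),
    ("memory/3216-136-0x00000000004A0000-0x00000000004CB000-memory.dmp", "172KB"),
    ("memory/3216-138-0x0000000000400000-0x0000000000484000-memory.dmp", "528KB"),
    ("memory/3216-137-0x0000000000490000-0x0000000000499000-memory.dmp", "36KB"),
    ("memory/3920-130-0x00000000005C0000-0x00000000005EB000-memory.dmp", "172KB"),
    ("memory/3920-132-0x0000000000400000-0x0000000000484000-memory.dmp", "528KB"),
    ("memory/3920-131-0x0000000000550000-0x0000000000559000-memory.dmp", "36KB"),
]


def parse_entry(name, size_text):
    """Split one inventory entry into its fields and check the declared size
    against the address range. Raises ValueError on anything it does not recognise."""
    m = DUMP_RE.match(name.strip())
    s = SIZE_RE.match(size_text.strip())
    if not m or not s:
        raise ValueError(f"unrecognised dump entry: {name!r} / {size_text!r}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    declared = int(s.group(1)) * UNIT[s.group(2).upper()]
    return {
        "pid": pid, "seq": seq, "start": start, "end": end,
        "size": end - start, "declared": declared,
        # Regions are multiples of the 4KB page, so a KB figure must match exactly.
        "consistent": end > start and end - start == declared,
    }


def check_inventory(pairs):
    """Parse every (name, size) pair; report size mismatches, address ranges seen
    in more than one PID, and total dumped bytes per PID."""
    entries = [parse_entry(n, s) for n, s in pairs]
    by_range = defaultdict(set)
    bytes_per_pid = defaultdict(int)
    for e in entries:
        by_range[(e["start"], e["end"])].add(e["pid"])
        bytes_per_pid[e["pid"]] += e["size"]
    return {
        "entries": entries,
        "mismatches": [e for e in entries if not e["consistent"]],
        "shared_ranges": {rng: sorted(p) for rng, p in by_range.items() if len(p) > 1},
        "bytes_per_pid": dict(bytes_per_pid),
    }


if __name__ == "__main__":
    report = check_inventory(SAMPLE_DUMPS)
    for e in report["mismatches"]:
        print(f"size mismatch: pid {e['pid']} seq {e['seq']} "
              f"range {e['size']} bytes vs declared {e['declared']}")
    for (start, end), pids in report["shared_ranges"].items():
        print(f"range 0x{start:X}-0x{end:X} dumped from PIDs {pids}")
    for pid, total in sorted(report["bytes_per_pid"].items()):
        print(f"pid {pid}: {total // 1024}KB dumped")
    # Constructed bad entry: a 4KB range declared as 8KB.
    print(parse_entry("memory/1-1-0x1000-0x2000-memory.dmp", "8KB")["consistent"])
```

On the entries above the only range shared by two processes is 0x400000-0x484000, present in both PID 3920 and PID 3216 with the same 528KB size; 2308 has an image at the same base but a different extent, so it is correctly not grouped with them.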