Analysis
- max time kernel: 86s
- max time network: 89s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 15:04
Static task: static1
Behavioral task: behavioral1
- Sample: containerServerNet.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: containerServerNet.exe
- Resource: win10v2004-20240426-en
General
- Target: containerServerNet.exe
- Size: 1.8MB
- MD5: 890b5cd71949526257d1497549da82ef
- SHA1: 1054441b6b2ec4b87a9e749ba7f2df20d58baa54
- SHA256: e01bf187051ab20ecf85a9cea1c4c9072fd05658e7a9109e9c080161d9ad2e57
- SHA512: 5f65d1802332ead2af69dab9dcffbb8d2b70638c7f78babc72e35007fce09e6472dacb38c7b309490ccbd8cf848d0e365a211571d57b4912e52a5802e2bb0143
- SSDEEP: 24576:/99RO+iS+lV3yh3+hCXPa+uI04j7xXKIOUm4JWCQlWlEKgplLTRkIREfdJ76h/jR:1MR8UC/XuIJIrt4JW7WlULlkI6L7C9
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
Processes: containerServerNet.exe
All six entries are "Set value (str)" operations by containerServerNet.exe on \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, setting it to these values:
- "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\", \"C:\\Windows\\uk-UA\\dllhost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\""
- "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\", \"C:\\Windows\\uk-UA\\dllhost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\""
- "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\", \"C:\\Windows\\uk-UA\\dllhost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\containerServerNet.exe\""
- "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\""
- "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\""
- "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\", \"C:\\Windows\\uk-UA\\dllhost.exe\""
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (18 instances)
Every entry has the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2992 and process schtasks.exe. The pid values are:
4736, 3560, 4832, 520, 384, 4812, 4368, 2172, 2392, 3784, 4884, 4376, 2952, 896, 4692, 688, 1200, 4504
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: containerServerNet.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation (process: containerServerNet.exe)
-
Executes dropped EXE 1 IoCs
Processes: dllhost.exe
- pid 3440, process dllhost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
Processes: containerServerNet.exe
All twelve entries are "Set value (str)" operations by containerServerNet.exe:
- \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\uk-UA\\dllhost.exe\""
- \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\""
- \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""
- \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\uk-UA\\dllhost.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\""
- \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""
- \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerServerNet = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\containerServerNet.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerServerNet = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\containerServerNet.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\dllhost.exe\""
-
Drops file in System32 directory 2 IoCs
Processes: csc.exe
- File created: \??\c:\Windows\System32\CSC1BD3B6607B1244D9A1FF5939AD55BC43.TMP (process: csc.exe)
- File created: \??\c:\Windows\System32\pb7nq5.exe (process: csc.exe)
-
Drops file in Program Files directory 2 IoCs
Processes: containerServerNet.exe
- File created: C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe (process: containerServerNet.exe)
- File created: C:\Program Files\Windows NT\Accessories\en-US\5940a34987c991 (process: containerServerNet.exe)
-
Drops file in Windows directory 2 IoCs
Processes: containerServerNet.exe
- File created: C:\Windows\uk-UA\dllhost.exe (process: containerServerNet.exe)
- File created: C:\Windows\uk-UA\5940a34987c991 (process: containerServerNet.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (18 instances), with these pid values:
4368, 3784, 4832, 2392, 2952, 4692, 688, 1200, 4504, 4736, 520, 384, 4812, 2172, 3560, 4884, 4376, 896
-
Modifies registry class 1 IoCs
Processes: containerServerNet.exe
- Key created: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings (process: containerServerNet.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: containerServerNet.exe
- pid 1216, process containerServerNet.exe (the same row is repeated for all 64 IoCs)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: containerServerNet.exe, dllhost.exe
- Token: SeDebugPrivilege, pid 1216, process containerServerNet.exe
- Token: SeDebugPrivilege, pid 3440, process dllhost.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: containerServerNet.exe, csc.exe, cmd.exe
Each of the following rows appears twice in the report:
- PID 1216 wrote to memory of 4144 (pid 1216, process containerServerNet.exe, target process csc.exe)
- PID 4144 wrote to memory of 2848 (pid 4144, process csc.exe, target process cvtres.exe)
- PID 1216 wrote to memory of 2020 (pid 1216, process containerServerNet.exe, target process cmd.exe)
- PID 2020 wrote to memory of 2972 (pid 2020, process cmd.exe, target process chcp.com)
- PID 2020 wrote to memory of 1512 (pid 2020, process cmd.exe, target process w32tm.exe)
- PID 2020 wrote to memory of 3440 (pid 2020, process cmd.exe, target process dllhost.exe)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
PID 1216 (depth 1): C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID 4144 (depth 2): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\amu4125i\amu4125i.cmdline"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID 2848 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BE0.tmp" "c:\Windows\System32\CSC1BD3B6607B1244D9A1FF5939AD55BC43.TMP"
  PID 2020 (depth 2): C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9LGG0EQHLJ.bat"
    - Suspicious use of WriteProcessMemory
    PID 2972 (depth 3): C:\Windows\system32\chcp.com
      Command line: chcp 65001
    PID 1512 (depth 3): C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID 3440 (depth 3): C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe
      Command line: "C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
The remaining 18 processes are all C:\Windows\system32\schtasks.exe at depth 1, and each is tagged with both "Process spawned unexpected child process" and "Creates scheduled task(s)":
- PID 4736: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sppsvc.exe'" /f
- PID 4832: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
- PID 3560: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
- PID 384: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe'" /f
- PID 520: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe'" /rl HIGHEST /f
- PID 4368: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe'" /rl HIGHEST /f
- PID 4812: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\dllhost.exe'" /f
- PID 2172: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\uk-UA\dllhost.exe'" /rl HIGHEST /f
- PID 2392: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\uk-UA\dllhost.exe'" /rl HIGHEST /f
- PID 3784: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\unsecapp.exe'" /f
- PID 4884: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
- PID 4376: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
- PID 2952: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
- PID 896: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- PID 4692: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- PID 1200: schtasks.exe /create /tn "containerServerNetc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe'" /f
- PID 688: schtasks.exe /create /tn "containerServerNet" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe'" /rl HIGHEST /f
- PID 4504: schtasks.exe /create /tn "containerServerNetc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\containerServerNet.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\9LGG0EQHLJ.bat (Filesize: 233B)
- C:\Users\Admin\AppData\Local\Temp\RES3BE0.tmp (Filesize: 1KB)
- C:\Users\Default\sppsvc.exe (Filesize: 1.8MB; MD5, SHA1, SHA256 and SHA512 identical to those of the submitted sample containerServerNet.exe)
- \??\c:\Users\Admin\AppData\Local\Temp\amu4125i\amu4125i.0.cs (Filesize: 364B)
- \??\c:\Users\Admin\AppData\Local\Temp\amu4125i\amu4125i.cmdline (Filesize: 235B)
- \??\c:\Windows\System32\CSC1BD3B6607B1244D9A1FF5939AD55BC43.TMP (Filesize: 1KB)