Analysis Overview
SHA256
5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631
Threat Level: Likely malicious
The file 5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Creates new service(s)
UPX packed file
Loads dropped DLL
Checks computer location settings
Modifies file permissions
Executes dropped EXE
Enumerates connected drives
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 12:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 12:45
Reported
2024-06-20 12:47
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Creates new service(s)
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\2316.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\4012.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\3276.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\736.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\840.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\2892.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\4604.hecate | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3576 set thread context of 3704 | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | C:\Windows\system32\svchost.exe |
| PID 3704 set thread context of 4012 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3704 set thread context of 2124 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3704 set thread context of 2316 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3704 set thread context of 3276 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3704 set thread context of 736 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3704 set thread context of 840 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3704 set thread context of 2892 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3704 set thread context of 4604 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Media Player\mpsvc.dll | C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe | N/A |
| File created | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmixedwk.exe | C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe | N/A |
| File created | C:\Program Files\Windows Media Player\down_info | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Media Player\wmixedwk.exe | C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Media Player\background.jpg | C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxds | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\mpsvc.dll | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpa | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpp | C:\Windows\system32\svchost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006029c1bb0fc3da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9dad1bb0fc3da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052732cbc0fc3da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006916aebb0fc3da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c20e68bc0fc3da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5837dbc0fc3da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000970d87bc0fc3da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d32c83bb0fc3da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053706abc0fc3da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006352a9bb0fc3da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0c5ddbb0fc3da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b777cfbb0fc3da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe
"C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Program Files\Windows Media Player\wmixedwk.exe
"C:\Program Files\Windows Media Player\wmixedwk.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
C:\Windows\system32\sc.exe
sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 12:45
Reported
2024-06-20 12:47
Platform
win11-20240611-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Creates new service(s)
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\4572.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\5040.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\3788.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\2460.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\1900.hecate | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Local\2852.hecate | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4100 set thread context of 3424 | N/A | C:\Program Files\Windows Media Player\wmixedwk.exe | C:\Windows\system32\svchost.exe |
| PID 3424 set thread context of 5040 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3424 set thread context of 3964 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3424 set thread context of 4572 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3424 set thread context of 3788 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3424 set thread context of 2460 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3424 set thread context of 1900 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 3424 set thread context of 2852 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Media Player\mpsvc.dll | C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxds | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpp | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Media Player\wmixedwk.exe | C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpa | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Media Player\background.jpg | C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmixedwk.exe | C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe | N/A |
| File created | C:\Program Files\Windows Media Player\down_info | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\mpsvc.dll | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\ppqqxpb | C:\Windows\system32\svchost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3efd2e50fc3da01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b50437c60fc3da01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTS\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6c7eae50fc3da01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008303e6e50fc3da01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe
"C:\Users\Admin\AppData\Local\Temp\5e9e9feff79a516df439c031aed499e8df5337c21b1d3396ac53a5be95a89631.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Program Files\Windows Media Player\wmixedwk.exe
"C:\Program Files\Windows Media Player\wmixedwk.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "
C:\Windows\system32\sc.exe
sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
C:\Windows\System32\SearchProtocolHost.exe
"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 832 2644 2640 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 832 2596 2696 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sta.alie3ksgee.com | udp |
| HK | 103.146.158.221:80 | sta.alie3ksgee.com | tcp |
| CN | 111.75.7.229:6666 | myxqbh.top | udp |
| HK | 103.146.158.221:80 | sta.alie3ksgee.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 104.238.164.6:6666 | cl.alie3ksgff.com | udp |
| CN | 111.75.7.229:6666 | myxqbh.top | udp |
| US | 104.238.164.6:6666 | cl.alie3ksgff.com | udp |
| CN | 111.75.7.229:6666 | myxqbh.top | udp |
| US | 104.238.164.6:6666 | cl.alie3ksgff.com | udp |
| CN | 111.75.7.229:6666 | myxqbh.top | udp |
| US | 104.238.164.6:6666 | cl.alie3ksgff.com | udp |
| CN | 111.75.7.229:6666 | myxqbh.top | udp |
| US | 104.238.164.6:6666 | cl.alie3ksgff.com | udp |
Files
memory/2488-0-0x00007FF6C38EE000-0x00007FF6C38EF000-memory.dmp
memory/2488-5-0x00007FF6C38E0000-0x00007FF6C392C000-memory.dmp
memory/2488-3-0x0000024601BB0000-0x0000024601BDC000-memory.dmp
C:\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | 90b85ffbdeead1be861d59134ea985b0 |
| SHA1 | 55e9859aa7dba87678e7c529b571fdf6b7181339 |
| SHA256 | ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2 |
| SHA512 | 8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce |
memory/1804-19-0x00000258A8BE0000-0x00000258A8BF0000-memory.dmp
memory/1804-35-0x00000258A8CE0000-0x00000258A8CF0000-memory.dmp
memory/1804-51-0x00000258AD3D0000-0x00000258AD3D8000-memory.dmp
C:\Program Files\Windows Media Player\mpsvc.dll
| MD5 | 7b207ce9f9d71dfc2eaa2e959634a54d |
| SHA1 | 8222daa0c820e50d02ffabdc55dfb7461bbaa1e5 |
| SHA256 | 757af7a540628004b446117be432342674f7830fa008f97a5f4a1ac386954bc2 |
| SHA512 | 6ffbe6e33768e2fbea8c7cee428eb4b61e3eb1dd12e470de363f1d6e274296adabc8d1e681fe5a5f2b1dc8e8eb08bd360572bfd34706e82580c51be57f6fcf5a |
memory/3424-69-0x0000000140000000-0x0000000140026000-memory.dmp
memory/5040-78-0x0000000140000000-0x0000000140138000-memory.dmp
memory/3964-88-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/4572-91-0x0000000140000000-0x000000014011B000-memory.dmp
C:\kkxqbh.bat
| MD5 | cec3f85be97b700d420a792c8f082cfd |
| SHA1 | 195e20558028a0ff62ba76b81eadb6ea6c4f5fce |
| SHA256 | deffc1f547bec1a3516dfe4026d1484791dce7dd569dcc35b730e0c6f0e0ad2d |
| SHA512 | 6aa04cf402bb019ee217479161cd4a1520d14b8be01c0da284dad6550d8fe72b4fd22aa77fff83d77d680c8bd556d69a39872380a64a8200ec326222e6cd56bd |
memory/4572-90-0x0000000140000000-0x000000014011B000-memory.dmp
memory/3964-84-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3964-83-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3964-82-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3964-81-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3964-80-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3964-79-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/5040-77-0x0000000140000000-0x0000000140138000-memory.dmp
memory/3964-87-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/3964-85-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/5040-75-0x0000000140000000-0x0000000140138000-memory.dmp
memory/5040-74-0x0000000140000000-0x0000000140138000-memory.dmp
memory/5040-73-0x0000000140000000-0x0000000140138000-memory.dmp
memory/3424-72-0x0000000140000000-0x0000000140026000-memory.dmp
memory/3424-71-0x0000000140000000-0x0000000140026000-memory.dmp
memory/3424-68-0x0000000140000000-0x0000000140026000-memory.dmp
memory/3424-67-0x0000000140000000-0x0000000140026000-memory.dmp
memory/3424-66-0x0000000140000000-0x0000000140026000-memory.dmp
memory/3424-65-0x0000000140000000-0x0000000140026000-memory.dmp
memory/3424-64-0x0000000140000000-0x0000000140026000-memory.dmp
memory/3424-63-0x0000000140000000-0x0000000140026000-memory.dmp
C:\Program Files\Windows Media Player\background.jpg
| MD5 | b37c3d3ab20f7e8a06232330122d1ed7 |
| SHA1 | 6daa977d591b1cbb1ecde9fd82e14287a284bdd2 |
| SHA256 | e796f0d6d6960af232a1b8f039cd45a703c1743dfd6f4098cdde0a46a69e33a2 |
| SHA512 | da26eee1e9f1d594f2f4604838b66dac95db29373a59e347b1cf31022eb0040f5a9ebdd50c12f4af1dbbfd7c5bae20f3937cbdd8016e441d8822f9f86d03e5bb |
C:\Program Files\Windows Media Player\down_info
| MD5 | 5dbc8390f17e019d300d5a162c3ce3bc |
| SHA1 | 7ad2d957d5e51ca09c88183daea2e889f690fdbe |
| SHA256 | c426adaef99b6ea22a3281ef9b397db0ecad44f881be1b67369e1a2d95a4f060 |
| SHA512 | ac54a57562686c32fb7ad9bd9f15edae28c4740ff130a5db2bf5ca23f8631420757d322d87b88ca0d9fb2614469ae8c3bfde44c7ad9d56ce68f1f02f29acbcc4 |
C:\Windows\Temp\aad9f05a9a826b65ff2b94740ca196c2
| MD5 | 73ff81da2bc1284433e411890ccc7642 |
| SHA1 | 4ccd2502471783f724c60492bd1f84f60e8e9749 |
| SHA256 | 6f90fa7a69ee3b00abdef011b05fa3ba65ea47dc8588a01d97850c1cd3c262a1 |
| SHA512 | b656ed74b8f3b33556134da8f35209552fc7969cf49d249a7e99464c5e9e4c6ef1ddc46127d61fcba9c64e2e23811a7968d6de8b4c8f2eefec4e46a728698c98 |