redline | be2d3b6889b9ca8882be65aff3224179df54c0599b2fad90bdb55e211024472e

Analysis

max time kernel
159s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a96b4fac36efb0df7930f7fe19b9b6a.exe
Size

309KB
MD5

2a96b4fac36efb0df7930f7fe19b9b6a
SHA1

9bbc377eeb1f58002cfea817f78efa91b16e85ec
SHA256

be2d3b6889b9ca8882be65aff3224179df54c0599b2fad90bdb55e211024472e
SHA512

82ad01d52c443e62463a3140aded6b473c6dfdc03dd56609f67024b32bd37a8945131e0a7077855f59249da56994633e389a71c57d259c1d12c7ff04a5b3b8f4
SSDEEP

3072:nJJh6BbCqA4w//xQwRti4LT8yf6905sd1MvfN2FjGVr51VXNmfV8XBJ3dAQ:fkXAD2qDLKDyfN2ZgrTV9mfVSXdA

Score

10^/10

redline sectoprat @dashyknight infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

@DashyKnight

80.89.229.97:7479

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e7f5-23.dat	family_redline
behavioral2/memory/3912-122-0x0000000000D00000-0x0000000000D22000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e7f5-23.dat	family_sectoprat
behavioral2/memory/3912-122-0x0000000000D00000-0x0000000000D22000-memory.dmp	family_sectoprat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	2a96b4fac36efb0df7930f7fe19b9b6a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	svchost32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	services32.exe

Executes dropped EXE 6 IoCs

pid	Process
1580	WindowsDefender.exe
3912	XVisualStudio.exe
3884	svchost32.exe
1796	services32.exe
4628	svchost32.exe
3308	sihost32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3332	schtasks.exe
3684	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	2a96b4fac36efb0df7930f7fe19b9b6a.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1600	powershell.exe
1600	powershell.exe
1660	powershell.exe
1660	powershell.exe
4064	powershell.exe
4064	powershell.exe
1904	powershell.exe
1904	powershell.exe
3884	svchost32.exe
4664	powershell.exe
4664	powershell.exe
4664	powershell.exe
4364	powershell.exe
4364	powershell.exe
4364	powershell.exe
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
4628	svchost32.exe
4628	svchost32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	3884	svchost32.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	4628	svchost32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 1580	3688	2a96b4fac36efb0df7930f7fe19b9b6a.exe	97
PID 3688 wrote to memory of 1580	3688	2a96b4fac36efb0df7930f7fe19b9b6a.exe	97
PID 3688 wrote to memory of 3912	3688	2a96b4fac36efb0df7930f7fe19b9b6a.exe	98
PID 3688 wrote to memory of 3912	3688	2a96b4fac36efb0df7930f7fe19b9b6a.exe	98
PID 3688 wrote to memory of 3912	3688	2a96b4fac36efb0df7930f7fe19b9b6a.exe	98
PID 1580 wrote to memory of 3724	1580	WindowsDefender.exe	101
PID 1580 wrote to memory of 3724	1580	WindowsDefender.exe	101
PID 3724 wrote to memory of 1600	3724	cmd.exe	103
PID 3724 wrote to memory of 1600	3724	cmd.exe	103
PID 3688 wrote to memory of 4368	3688	2a96b4fac36efb0df7930f7fe19b9b6a.exe	100
PID 3688 wrote to memory of 4368	3688	2a96b4fac36efb0df7930f7fe19b9b6a.exe	100
PID 3688 wrote to memory of 4368	3688	2a96b4fac36efb0df7930f7fe19b9b6a.exe	100
PID 1580 wrote to memory of 1464	1580	WindowsDefender.exe	106
PID 1580 wrote to memory of 1464	1580	WindowsDefender.exe	106
PID 1464 wrote to memory of 3884	1464	cmd.exe	108
PID 1464 wrote to memory of 3884	1464	cmd.exe	108
PID 3724 wrote to memory of 1660	3724	cmd.exe	110
PID 3724 wrote to memory of 1660	3724	cmd.exe	110
PID 3724 wrote to memory of 4064	3724	cmd.exe	111
PID 3724 wrote to memory of 4064	3724	cmd.exe	111
PID 3724 wrote to memory of 1904	3724	cmd.exe	112
PID 3724 wrote to memory of 1904	3724	cmd.exe	112
PID 3884 wrote to memory of 864	3884	svchost32.exe	113
PID 3884 wrote to memory of 864	3884	svchost32.exe	113
PID 864 wrote to memory of 3332	864	cmd.exe	115
PID 864 wrote to memory of 3332	864	cmd.exe	115
PID 3884 wrote to memory of 1796	3884	svchost32.exe	118
PID 3884 wrote to memory of 1796	3884	svchost32.exe	118
PID 3884 wrote to memory of 3156	3884	svchost32.exe	120
PID 3884 wrote to memory of 3156	3884	svchost32.exe	120
PID 1796 wrote to memory of 1036	1796	services32.exe	124
PID 1796 wrote to memory of 1036	1796	services32.exe	124
PID 3156 wrote to memory of 4704	3156	cmd.exe	126
PID 3156 wrote to memory of 4704	3156	cmd.exe	126
PID 1036 wrote to memory of 4664	1036	cmd.exe	125
PID 1036 wrote to memory of 4664	1036	cmd.exe	125
PID 1036 wrote to memory of 4364	1036	cmd.exe	128
PID 1036 wrote to memory of 4364	1036	cmd.exe	128
PID 1036 wrote to memory of 1608	1036	cmd.exe	130
PID 1036 wrote to memory of 1608	1036	cmd.exe	130
PID 1036 wrote to memory of 3664	1036	cmd.exe	132
PID 1036 wrote to memory of 3664	1036	cmd.exe	132
PID 1796 wrote to memory of 1596	1796	services32.exe	133
PID 1796 wrote to memory of 1596	1796	services32.exe	133
PID 1596 wrote to memory of 4628	1596	cmd.exe	135
PID 1596 wrote to memory of 4628	1596	cmd.exe	135
PID 4628 wrote to memory of 3716	4628	svchost32.exe	136
PID 4628 wrote to memory of 3716	4628	svchost32.exe	136
PID 3716 wrote to memory of 3684	3716	cmd.exe	138
PID 3716 wrote to memory of 3684	3716	cmd.exe	138
PID 4628 wrote to memory of 3308	4628	svchost32.exe	140
PID 4628 wrote to memory of 3308	4628	svchost32.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a96b4fac36efb0df7930f7fe19b9b6a.exe
"C:\Users\Admin\AppData\Local\Temp\2a96b4fac36efb0df7930f7fe19b9b6a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1904
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
      C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:3332
    - - C:\Windows\system32\services32.exe
        
        "C:\Windows\system32\services32.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:3684
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        8⤵
        Executes dropped EXE
        
        PID:3308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3156
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:4704
- C:\Users\Admin\AppData\Local\Temp\XVisualStudio.exe
  "C:\Users\Admin\AppData\Local\Temp\XVisualStudio.exe"
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ERROR REPORT.txt
  2⤵
  PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost32.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96d012dd35ee43a23db987854cc9f3eb

SHA1
68fb6c90ec116b5464c1a1e7764fd17dc043bf5b

SHA256
7e35c3ce2380410d8c23b9475a5b9f0f9a9f43002638a41219e4e8023afd0ef2

SHA512
c487d1a9eb7b2290cdbfce6d81df3836d22877efc6fa6aa5357c59ae70f3b577ae7094e69bb589d207f7657c2110a65b669880922c56817c055e5addad0daee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a1bdb6c69c2808932dce4a253127284b

SHA1
097fa26afbbd1399caaaeb34244fa99c535924fe

SHA256
8eaa32e6a0405e86d319a95187958e1bbfe43b05a0258d01019860cfb4ae38fb

SHA512
e5b1d6af305984f53e422ca30d6304e1b0334b9eea62cbd953f5e699a06a84482a8fa0e72aace82bde6483db531c56ad681fd863fc9719a45437edee42cc7e42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cb0cf19ebeba3256a05065693a1ca866

SHA1
c028aff9b6850c2bdd6673b74037630b4ee2ccd8

SHA256
58e1183323526c135119df281171285d98b5ce05ad00f201ca899cd43358e3fb

SHA512
811606a0c8545eac53127a3687c6b0fde595dd7e958ef11ae650d142d40ac5e86ebbd313dc17dfa86c091ee868dc1c9ed422c2e541c6de3487e0c50c1a3e8fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4f473e15a0686d0c819ad40b5f232368

SHA1
a769892ae2e8203e7d4a992a317189b56723da33

SHA256
53d6c0d9a801d45fefdcec9b3ecf217fef683efc4e40ba9c72f0116ee4d20237

SHA512
d9b43132432078d5496688717253e58e7caab0dcbd20fc41fa8a718d11d699e93ee198f18be4243ed34bcf8912e1377888fe72ae5b26d920e765ab523f0bdf55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2dd6e344149a8bfc73b33b28a8bf0904

SHA1
01346ab805a9ab72590b9b087c9cca404fa11477

SHA256
0a264b9bd68b1b4910ea5df7f25714cf45be245bf3fb397d202b0cbd4f22d632

SHA512
0c4b351e5b4ceeb7be223df2c5689cad6709bbf66d1d8296a39e8c9e194668a4fec9b8ac15295f4786e73639c815350886d7ba1b73c64daf95c7e17268a8b640

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERROR REPORT.txt

Filesize
617B

MD5
292806f9ebd655b601d4fe9e9c482d9f

SHA1
be73ffc844d1071a6a98131861c39e29ca5b8d8c

SHA256
c7c19f3cb0e3c8f820c36fa809d20ed776d2312314b81e1ccb6098fdc541c55e

SHA512
a3468990b4867f3722de1040cdd720cc72cfa590b3643db1aa6a8d5293e4a09f73c5f9f7f5914cd2bf5d0a1cdc6283e9396bfd90574a41003d8397fa67bcc6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe

Filesize
418KB

MD5
06880138334dc59019276844e8fd39c2

SHA1
3948d3907dbbba5b4ffd109b2b212a2c42e30eec

SHA256
540dc86d9a7e0afb2b945ad6ae1804dd10d9711f6b03ac84e8abc6d9340328f7

SHA512
09b4e9aa35bcede4c77ab982482a196a82ef5871c9015c384738299f1267584019b73510c7fdd0bfc863c4898ba0db86decda509838fa9cc01b8f0dec23b2be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XVisualStudio.exe

Filesize
115KB

MD5
044ea4b85761fdb858ac6dc759aa9b48

SHA1
041f98726799deef358e8f6f2b22c7604f981b09

SHA256
639824ecfdb0f6c8fdc7589d80c01a435400b6118735165c503714615f8dd6cd

SHA512
3b04dd5ebc6e12d4117cfffe6afd3a6952c198e58ac6ee1c94da2c677eeb0e515ae715af7a7e5b569b9987c0da7e8ea01775bfa8ff43a8611cabe330454a1bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2vgpjmvw.mef.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
117KB

MD5
bbab39dfb953ecfc69ff561f5974b1b0

SHA1
79dca46fb777493ccd52e2625bd32dec74f40ed4

SHA256
39c8d6bcb27009984f54319ec0501112216803391ce881aabe880c99fde243f5

SHA512
4d621f5e832b949ec4a70eff7480063079955d9e5654a9f4b212ea4ac15d7496599c57b0183b0905a34cf6af9ae20c26d0b08bc66b2feabb7c5d9d29b2b05af9

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
51KB

MD5
c399cf820b48b6d0164fad0f45eae6dc

SHA1
44b0149728a32a5d4fba6a68c287d4d4be54aee3

SHA256
14c3fa4cfda8da5a4948d0211ded7185830eecfbb7f432423834c71065a92bf0

SHA512
ae040fa53d5b1e10f6302273ddae20400d817d97812ce1df2830ba00e1221eb3f29b4107496434be4804ce08bdbc0c5235b4e59d103e9fbab9e289ee1a871584

Download Submit
memory/1580-30-0x00000000007C0000-0x000000000082C000-memory.dmp

Filesize
432KB

Download
memory/1580-56-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/1580-32-0x00000000031A0000-0x00000000031C2000-memory.dmp

Filesize
136KB

Download
memory/1580-34-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/1580-52-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/1580-35-0x000000001C4E0000-0x000000001C4F0000-memory.dmp

Filesize
64KB

Download
memory/1600-54-0x0000019179AD0000-0x0000019179AE0000-memory.dmp

Filesize
64KB

Download
memory/1600-48-0x00000191799F0000-0x0000019179A12000-memory.dmp

Filesize
136KB

Download
memory/1600-63-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/1600-42-0x0000019179AD0000-0x0000019179AE0000-memory.dmp

Filesize
64KB

Download
memory/1600-36-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/1600-49-0x0000019179AD0000-0x0000019179AE0000-memory.dmp

Filesize
64KB

Download
memory/1608-186-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/1608-184-0x0000019654980000-0x0000019654990000-memory.dmp

Filesize
64KB

Download
memory/1608-171-0x0000019654980000-0x0000019654990000-memory.dmp

Filesize
64KB

Download
memory/1608-169-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/1608-170-0x0000019654980000-0x0000019654990000-memory.dmp

Filesize
64KB

Download
memory/1660-68-0x0000022F88800000-0x0000022F88810000-memory.dmp

Filesize
64KB

Download
memory/1660-82-0x0000022F88800000-0x0000022F88810000-memory.dmp

Filesize
64KB

Download
memory/1660-83-0x0000022F88800000-0x0000022F88810000-memory.dmp

Filesize
64KB

Download
memory/1660-85-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/1660-70-0x0000022F88800000-0x0000022F88810000-memory.dmp

Filesize
64KB

Download
memory/1660-67-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/1796-133-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/1796-166-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/1796-182-0x000000001C630000-0x000000001C640000-memory.dmp

Filesize
64KB

Download
memory/1796-134-0x000000001C630000-0x000000001C640000-memory.dmp

Filesize
64KB

Download
memory/1904-118-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/1904-103-0x000001A369860000-0x000001A369870000-memory.dmp

Filesize
64KB

Download
memory/1904-114-0x000001A369860000-0x000001A369870000-memory.dmp

Filesize
64KB

Download
memory/1904-102-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/3664-187-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/3664-188-0x000001746A420000-0x000001746A430000-memory.dmp

Filesize
64KB

Download
memory/3688-1-0x0000000000E20000-0x0000000000E30000-memory.dmp

Filesize
64KB

Download
memory/3688-0-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3688-2-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3688-3-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3688-4-0x0000000000E20000-0x0000000000E30000-memory.dmp

Filesize
64KB

Download
memory/3688-5-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3688-50-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/3884-116-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/3884-62-0x00000000008C0000-0x00000000008E2000-memory.dmp

Filesize
136KB

Download
memory/3884-136-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/3884-69-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/3884-65-0x0000000001280000-0x0000000001292000-memory.dmp

Filesize
72KB

Download
memory/3884-71-0x00000000012B0000-0x00000000012C2000-memory.dmp

Filesize
72KB

Download
memory/3884-64-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/3884-113-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/3912-51-0x00000000718F0000-0x00000000720A0000-memory.dmp

Filesize
7.7MB

Download
memory/3912-88-0x00000000718F0000-0x00000000720A0000-memory.dmp

Filesize
7.7MB

Download
memory/3912-122-0x0000000000D00000-0x0000000000D22000-memory.dmp

Filesize
136KB

Download
memory/4064-86-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/4064-101-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/4064-99-0x000001CD742C0000-0x000001CD742D0000-memory.dmp

Filesize
64KB

Download
memory/4064-87-0x000001CD742C0000-0x000001CD742D0000-memory.dmp

Filesize
64KB

Download
memory/4364-168-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/4364-165-0x0000026EEC280000-0x0000026EEC290000-memory.dmp

Filesize
64KB

Download
memory/4364-154-0x0000026EEC280000-0x0000026EEC290000-memory.dmp

Filesize
64KB

Download
memory/4364-153-0x0000026EEC280000-0x0000026EEC290000-memory.dmp

Filesize
64KB

Download
memory/4364-152-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/4664-151-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download
memory/4664-149-0x0000020FBB950000-0x0000020FBB960000-memory.dmp

Filesize
64KB

Download
memory/4664-138-0x0000020FBB950000-0x0000020FBB960000-memory.dmp

Filesize
64KB

Download
memory/4664-137-0x00007FF9A0C40000-0x00007FF9A1701000-memory.dmp

Filesize
10.8MB

Download