redline | 633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573

Analysis

max time kernel
88s
max time network
106s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-03-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe
Size

204KB
MD5

3f6f77f2a1a79b61b366714e81155d93
SHA1

df858f5ffa1193f6a2aff97cc8d420c904b95e17
SHA256

633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573
SHA512

747b1fc16ff30eb9f4bea3f481d2b82199ab8a8d67ade39ae4820b6c360bc2a840915f6f99cc406f8bc1efc088fa800f9227f507d5cf49b096017e5983d4d4b4
SSDEEP

3072:Z3SDLqRgTHASJxi5iyAJ7oI4Z4tEmPgc2F/:Z3dRgTHAGo5BEoI4Z4tEvcC/

Score

10^/10

redline smokeloader logsdiller cloud (tg: @logsdillabot)pub1 backdoor discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.0:29587

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4200-29-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

8 netsh.exe
Deletes itself 1 IoCs

Processes:

pid process

3304
Executes dropped EXE 4 IoCs

Processes:

26BE.exe5C08.exe8C22.exe978D.exe

pid process

4980 26BE.exe
4204 5C08.exe
648 8C22.exe
3836 978D.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
13 drive.google.com
19 raw.githubusercontent.com
20 drive.google.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

26BE.exe

description pid process target process

PID 4980 set thread context of 4200 4980 26BE.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4804 4980 WerFault.exe 26BE.exe

pid	process
8	netsh.exe

pid	process
3304

pid	process
4980	26BE.exe
4204	5C08.exe
648	8C22.exe
3836	978D.exe

flow	ioc
1	raw.githubusercontent.com
13	drive.google.com
19	raw.githubusercontent.com
20	drive.google.com

description	pid	process	target process
PID 4980 set thread context of 4200	4980	26BE.exe	RegAsm.exe

pid	pid_target	process	target process
4804	4980	WerFault.exe	26BE.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe

Modifies registry class 6 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4181651180-3163410697-3990547336-1000\{C72F8C14-3F32-4993-A0C4-8CB130B646F2}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe

pid	process
4656	633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe
4656	633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304
3304

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe

pid process

4656 633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

26BE.exeRegAsm.exe8C22.exepowershell.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3304
Token: SeCreatePagefilePrivilege	3304
Token: SeShutdownPrivilege	3304
Token: SeCreatePagefilePrivilege	3304
Token: SeShutdownPrivilege	3304
Token: SeCreatePagefilePrivilege	3304
Token: SeDebugPrivilege	4980	26BE.exe
Token: SeShutdownPrivilege	3304
Token: SeCreatePagefilePrivilege	3304
Token: SeShutdownPrivilege	3304
Token: SeCreatePagefilePrivilege	3304
Token: SeShutdownPrivilege	3304
Token: SeCreatePagefilePrivilege	3304
Token: SeDebugPrivilege	4200	RegAsm.exe
Token: SeShutdownPrivilege	3304
Token: SeCreatePagefilePrivilege	3304
Token: SeDebugPrivilege	648	8C22.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeShutdownPrivilege	3304
Token: SeCreatePagefilePrivilege	3304
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeCreatePagefilePrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeCreatePagefilePrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeCreatePagefilePrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeCreatePagefilePrivilege	2872	explorer.exe
Token: SeShutdownPrivilege	2872	explorer.exe
Token: SeCreatePagefilePrivilege	2872	explorer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

explorer.exe

pid process

2872 explorer.exe
2872 explorer.exe
2872 explorer.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

explorer.exe

pid	process
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

cmd.exe26BE.execmd.exe978D.exe

description	pid	process	target process
PID 3304 wrote to memory of 1008	3304		cmd.exe
PID 3304 wrote to memory of 1008	3304		cmd.exe
PID 1008 wrote to memory of 1092	1008	cmd.exe	reg.exe
PID 1008 wrote to memory of 1092	1008	cmd.exe	reg.exe
PID 3304 wrote to memory of 4980	3304		26BE.exe
PID 3304 wrote to memory of 4980	3304		26BE.exe
PID 3304 wrote to memory of 4980	3304		26BE.exe
PID 4980 wrote to memory of 4936	4980	26BE.exe	RegAsm.exe
PID 4980 wrote to memory of 4936	4980	26BE.exe	RegAsm.exe
PID 4980 wrote to memory of 4936	4980	26BE.exe	RegAsm.exe
PID 4980 wrote to memory of 4200	4980	26BE.exe	RegAsm.exe
PID 4980 wrote to memory of 4200	4980	26BE.exe	RegAsm.exe
PID 4980 wrote to memory of 4200	4980	26BE.exe	RegAsm.exe
PID 4980 wrote to memory of 4200	4980	26BE.exe	RegAsm.exe
PID 4980 wrote to memory of 4200	4980	26BE.exe	RegAsm.exe
PID 4980 wrote to memory of 4200	4980	26BE.exe	RegAsm.exe
PID 4980 wrote to memory of 4200	4980	26BE.exe	RegAsm.exe
PID 4980 wrote to memory of 4200	4980	26BE.exe	RegAsm.exe
PID 3304 wrote to memory of 4204	3304		5C08.exe
PID 3304 wrote to memory of 4204	3304		5C08.exe
PID 3304 wrote to memory of 4204	3304		5C08.exe
PID 3304 wrote to memory of 2428	3304		cmd.exe
PID 3304 wrote to memory of 2428	3304		cmd.exe
PID 2428 wrote to memory of 1588	2428	cmd.exe	reg.exe
PID 2428 wrote to memory of 1588	2428	cmd.exe	reg.exe
PID 3304 wrote to memory of 648	3304		8C22.exe
PID 3304 wrote to memory of 648	3304		8C22.exe
PID 3304 wrote to memory of 3836	3304		978D.exe
PID 3304 wrote to memory of 3836	3304		978D.exe
PID 3304 wrote to memory of 3836	3304		978D.exe
PID 3836 wrote to memory of 836	3836	978D.exe	powershell.exe
PID 3836 wrote to memory of 836	3836	978D.exe	powershell.exe
PID 3836 wrote to memory of 836	3836	978D.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe
"C:\Users\Admin\AppData\Local\Temp\633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A180.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\26BE.exe
C:\Users\Admin\AppData\Local\Temp\26BE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 848
2⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4980 -ip 4980
1⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\5C08.exe
C:\Users\Admin\AppData\Local\Temp\5C08.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5E0C.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\8C22.exe
C:\Users\Admin\AppData\Local\Temp\8C22.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\978D.exe
C:\Users\Admin\AppData\Local\Temp\978D.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Users\Admin\AppData\Local\Temp\978D.exe
"C:\Users\Admin\AppData\Local\Temp\978D.exe"
2⤵
PID:3108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:1600

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2888

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2872

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2468

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:4548

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:1616

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:4020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
245e23ceb7b4021f5a8805008fe0c74c

SHA1
1b8a94606735d60802b37ef568ae33bfe82043ed

SHA256
36f27281c6c0310624184eec14b8886c18a09b0bd2caf6420961c43ab2e1d730

SHA512
b87cb2f5a4ab30ccda40452c09dbf6ef1b666495da4a4ad16a5d78ae09ba1108ccb1d03edfe4d3912a34ecb852762c0ee19f81090a5f857e89630860a487432a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A
Filesize
312B

MD5
2260acab17518791f1c4caeca6d87bed

SHA1
ba38cbbb69b750eda456c649004cd01af863c70b

SHA256
89571247f878b30bdcd3db918f0ec2c42865fdde231b885087719c5ba470207c

SHA512
67b94c8cd296fa7a735a8c359a35dbbe79d03e5314ec74ab21d7562ef6e58dd13cdee48e872516a98414b29473b29602df74d2ed762b67850f3c175b42429617

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A
Filesize
404B

MD5
2d67641edccba5f46d990e390b923236

SHA1
321a111b62d98f2c122212b001e1c3a5b0a7a954

SHA256
2debd3b656d71f7bace0e9bb3fcdecec44ec8f9f4f1ce76c0555d1ea7eccd758

SHA512
196936d281b1ddb97ced8e504b50faea4a045ace2d7c33466cbdf2bf010bb9893b08eafde8c45c4ba0ae4d9f867dab7bb572f9ed44b01d7ee6d54be126de1c5b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\A2HK19T5\www.bing[1].xml
Filesize
2KB

MD5
68efe310488d3c5180471af3f1393de2

SHA1
c4be926891d6d7a07f1c407dbd0834b33c7fa2d7

SHA256
e08d77f00aa0d4fe21c128f96061c68bfdfd48759eefa40dd86a3b26c67ffa40

SHA512
145091dfffb6fa9840ea3aa8cb888d54af84275dd1cf3d2a6727476a5a523073b565fa8ff91f0e4f273a4152db03bab92fdbdca96352da65111d63705475f0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\26BE.exe
Filesize
392KB

MD5
89ec2c6bf09ed9a38bd11acb2a41cd1b

SHA1
408549982b687ca8dd5efb0e8b704a374bd8909d

SHA256
da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d

SHA512
c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C08.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C22.exe
Filesize
30.6MB

MD5
ff35671d54d612772b0c22c141a3056e

SHA1
d005a27cd48556bf17eb9c2b43af49b67347cc0e

SHA256
2f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512

SHA512
9a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e

Download Submit
C:\Users\Admin\AppData\Local\Temp\978D.exe
Filesize
4.1MB

MD5
f3023cf0027501c0057cc293d3c792ef

SHA1
fce12239da0220dde68c849b94d8c670af1b5e77

SHA256
7a61ec57a9de30633d3d8d8ce8708cc5c68179c2d42dd49dff3412914b9e52d5

SHA512
6dfb815413d92745c6845046be2f0ac6325d7ab7510e757916d9c116b144634785ee82d5fc07af7f46310d3bd5b09b8bc9c79aca9d0c0b09fd09f112099fba07

Download Submit
C:\Users\Admin\AppData\Local\Temp\A180.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgc5pa2s.j53.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
2fe1cfba53f8d1490f8da6fd7abb327a

SHA1
44e7ecb41630a74614bb77d040c1cae664948132

SHA256
ab3943ea5714e334bcc61b3d608eb140354da9439f7ea67642f946a3e7ac5d03

SHA512
92d22c1d8cf3cc278f4621212307fc35ba79abf0851897b2e05fe19b955e39f74d28fa9e90e16ed74f34e8d8087890326d4e70e070310a88711dabe8745cbafd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
eca9a6549a49854d2d8b6c612c8c7053

SHA1
0763229086d49bdd949f07897de8c6075db408cd

SHA256
07529462b446cbf5a972b5d9f44465be8b61390cdb9fab8b846242d1d957f0b8

SHA512
e353b6e2402d189159916bf10ef04aea9b872b1dcb6c8f8e0b7fb3c0529a94e37bc69d1c6c67756106fe73698025d4823788f98e44c30aa0ca901d52bfc8362a

Download Submit
memory/648-412-0x00007FF657B90000-0x00007FF659ADC000-memory.dmp

Filesize
31.3MB

Download
memory/648-288-0x00007FF657B90000-0x00007FF659ADC000-memory.dmp

Filesize
31.3MB

Download
memory/2196-409-0x0000000000CC0000-0x0000000000D0B000-memory.dmp

Filesize
300KB

Download
memory/2196-406-0x0000000000CC0000-0x0000000000D0B000-memory.dmp

Filesize
300KB

Download
memory/3108-431-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3304-230-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/3304-4-0x0000000001520000-0x0000000001536000-memory.dmp

Filesize
88KB

Download
memory/4020-411-0x00000184F4520000-0x00000184F4540000-memory.dmp

Filesize
128KB

Download
memory/4200-37-0x0000000006610000-0x0000000006C28000-memory.dmp

Filesize
6.1MB

Download
memory/4200-41-0x0000000005810000-0x000000000584C000-memory.dmp

Filesize
240KB

Download
memory/4200-42-0x00000000059B0000-0x00000000059FC000-memory.dmp

Filesize
304KB

Download
memory/4200-43-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/4200-44-0x0000000007220000-0x00000000073E2000-memory.dmp

Filesize
1.8MB

Download
memory/4200-45-0x0000000008030000-0x000000000855C000-memory.dmp

Filesize
5.2MB

Download
memory/4200-46-0x00000000076F0000-0x0000000007740000-memory.dmp

Filesize
320KB

Download
memory/4200-48-0x00000000748A0000-0x0000000075051000-memory.dmp

Filesize
7.7MB

Download
memory/4200-39-0x00000000057B0000-0x00000000057C2000-memory.dmp

Filesize
72KB

Download
memory/4200-38-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/4200-36-0x00000000748A0000-0x0000000075051000-memory.dmp

Filesize
7.7MB

Download
memory/4200-35-0x00000000055D0000-0x00000000055DA000-memory.dmp

Filesize
40KB

Download
memory/4200-34-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4200-33-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download
memory/4200-31-0x0000000005A40000-0x0000000005FE6000-memory.dmp

Filesize
5.6MB

Download
memory/4200-29-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4204-78-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-97-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-71-0x0000000000F20000-0x0000000000F60000-memory.dmp

Filesize
256KB

Download
memory/4204-73-0x0000000000F20000-0x0000000000F60000-memory.dmp

Filesize
256KB

Download
memory/4204-70-0x0000000000F20000-0x0000000000F60000-memory.dmp

Filesize
256KB

Download
memory/4204-72-0x0000000000F20000-0x0000000000F60000-memory.dmp

Filesize
256KB

Download
memory/4204-74-0x0000000000F20000-0x0000000000F60000-memory.dmp

Filesize
256KB

Download
memory/4204-75-0x0000000000F20000-0x0000000000F60000-memory.dmp

Filesize
256KB

Download
memory/4204-76-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-77-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-79-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-68-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/4204-81-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-82-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-83-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-85-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-84-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-80-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-86-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-87-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-88-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-89-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-90-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-91-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-92-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-94-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-95-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-96-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-98-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-69-0x0000000000F70000-0x0000000001C55000-memory.dmp

Filesize
12.9MB

Download
memory/4204-100-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-99-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-93-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-101-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-102-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-103-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-104-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-106-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-107-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-108-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-105-0x0000000003C30000-0x0000000003D30000-memory.dmp

Filesize
1024KB

Download
memory/4204-67-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/4204-66-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/4204-65-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4204-64-0x0000000000F70000-0x0000000001C55000-memory.dmp

Filesize
12.9MB

Download
memory/4204-63-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4204-62-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4204-57-0x0000000000F70000-0x0000000001C55000-memory.dmp

Filesize
12.9MB

Download
memory/4548-319-0x0000029B66F00000-0x0000029B67000000-memory.dmp

Filesize
1024KB

Download
memory/4548-320-0x0000029B66980000-0x0000029B669A0000-memory.dmp

Filesize
128KB

Download
memory/4656-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4656-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4656-2-0x0000000000720000-0x000000000072B000-memory.dmp

Filesize
44KB

Download
memory/4656-1-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/4980-40-0x00000000748A0000-0x0000000075051000-memory.dmp

Filesize
7.7MB

Download
memory/4980-32-0x0000000003460000-0x0000000005460000-memory.dmp

Filesize
32.0MB

Download
memory/4980-26-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/4980-25-0x0000000005B70000-0x0000000005B80000-memory.dmp

Filesize
64KB

Download
memory/4980-24-0x00000000748A0000-0x0000000075051000-memory.dmp

Filesize
7.7MB

Download
memory/4980-23-0x0000000000EF0000-0x0000000000F54000-memory.dmp

Filesize
400KB

Download