redline | 3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b

Analysis

max time kernel
112s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b.exe
Size

265KB
MD5

3e9673f5a67c18e97c82e072aaa06c5c
SHA1

9b1cd5ab1af8fecb5e3bc898dc5a39874ef70a30
SHA256

3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b
SHA512

62054f8edf91221d3dc7b04af6b6782d7f539ee41a608f480bc66d2f2a97ca9168afb7a43ce070117a894228e58791dea894d48c64b7e2cfb41b81ac02855169
SSDEEP

3072:jNHXwDrphiD1+++jK+gT0xZD0VeqRNDCYtvUBb2Jb/3KTUIIufnaCCph99nKgVwn:+nGZ++0gTU4xdCYtvjJWT1IUnE399b

Score

10^/10

redline smokeloader logsdiller cloud (telegram: @logsdillabot)pub1 backdoor bootkit discovery infostealer persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

5.42.65.96:28380

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3488-20-0x0000000000850000-0x00000000008CA000-memory.dmp	family_redline
behavioral1/memory/3748-21-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/3488-22-0x0000000000850000-0x00000000008CA000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

237F.exework.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	237F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	work.exe

Deletes itself 1 IoCs

Processes:

pid process

3356
Executes dropped EXE 5 IoCs

Processes:

FEF2.exe237F.exe2758.exework.exepodaw.exe

pid process

3488 FEF2.exe
2000 237F.exe
2512 2758.exe
4888 work.exe
4968 podaw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3356

pid	process
3488	FEF2.exe
2000	237F.exe
2512	2758.exe
4888	work.exe
4968	podaw.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe	vmprotect
behavioral1/memory/4968-107-0x0000000000AF0000-0x00000000013E1000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

43 drive.google.com
44 drive.google.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

2758.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 2758.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

FEF2.exe

description pid process target process

PID 3488 set thread context of 3748 3488 FEF2.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

flow	ioc
43	drive.google.com
44	drive.google.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	2758.exe

description	pid	process	target process
PID 3488 set thread context of 3748	3488	FEF2.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe

Modifies registry class 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{5F34A9F7-0667-4C82-BFA8-4650C20A9BEE}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b.exe

pid	process
4400	3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b.exe
4400	3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b.exe
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b.exe

pid process

4400 3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

RegAsm.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3356
Token: SeCreatePagefilePrivilege	3356
Token: SeDebugPrivilege	3748	RegAsm.exe
Token: SeShutdownPrivilege	3356
Token: SeCreatePagefilePrivilege	3356
Token: SeShutdownPrivilege	3356
Token: SeCreatePagefilePrivilege	3356
Token: SeShutdownPrivilege	3356
Token: SeCreatePagefilePrivilege	3356
Token: SeShutdownPrivilege	3356
Token: SeCreatePagefilePrivilege	3356
Token: SeShutdownPrivilege	3356
Token: SeCreatePagefilePrivilege	3356
Token: SeShutdownPrivilege	3356
Token: SeCreatePagefilePrivilege	3356
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe
Token: SeShutdownPrivilege	1612	explorer.exe
Token: SeCreatePagefilePrivilege	1612	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

explorer.exe

pid	process
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

explorer.exe

pid	process
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe
1612	explorer.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

cmd.exeFEF2.execmd.exe237F.execmd.exework.exe

description	pid	process	target process
PID 3356 wrote to memory of 4536	3356		cmd.exe
PID 3356 wrote to memory of 4536	3356		cmd.exe
PID 4536 wrote to memory of 2804	4536	cmd.exe	reg.exe
PID 4536 wrote to memory of 2804	4536	cmd.exe	reg.exe
PID 3356 wrote to memory of 3488	3356		FEF2.exe
PID 3356 wrote to memory of 3488	3356		FEF2.exe
PID 3356 wrote to memory of 3488	3356		FEF2.exe
PID 3488 wrote to memory of 3748	3488	FEF2.exe	RegAsm.exe
PID 3488 wrote to memory of 3748	3488	FEF2.exe	RegAsm.exe
PID 3488 wrote to memory of 3748	3488	FEF2.exe	RegAsm.exe
PID 3488 wrote to memory of 3748	3488	FEF2.exe	RegAsm.exe
PID 3488 wrote to memory of 3748	3488	FEF2.exe	RegAsm.exe
PID 3488 wrote to memory of 3748	3488	FEF2.exe	RegAsm.exe
PID 3488 wrote to memory of 3748	3488	FEF2.exe	RegAsm.exe
PID 3488 wrote to memory of 3748	3488	FEF2.exe	RegAsm.exe
PID 3356 wrote to memory of 1128	3356		cmd.exe
PID 3356 wrote to memory of 1128	3356		cmd.exe
PID 1128 wrote to memory of 2456	1128	cmd.exe	reg.exe
PID 1128 wrote to memory of 2456	1128	cmd.exe	reg.exe
PID 3356 wrote to memory of 2000	3356		237F.exe
PID 3356 wrote to memory of 2000	3356		237F.exe
PID 3356 wrote to memory of 2000	3356		237F.exe
PID 3356 wrote to memory of 2512	3356		2758.exe
PID 3356 wrote to memory of 2512	3356		2758.exe
PID 3356 wrote to memory of 2512	3356		2758.exe
PID 2000 wrote to memory of 4628	2000	237F.exe	cmd.exe
PID 2000 wrote to memory of 4628	2000	237F.exe	cmd.exe
PID 2000 wrote to memory of 4628	2000	237F.exe	cmd.exe
PID 4628 wrote to memory of 4888	4628	cmd.exe	work.exe
PID 4628 wrote to memory of 4888	4628	cmd.exe	work.exe
PID 4628 wrote to memory of 4888	4628	cmd.exe	work.exe
PID 4888 wrote to memory of 4968	4888	work.exe	podaw.exe
PID 4888 wrote to memory of 4968	4888	work.exe	podaw.exe
PID 4888 wrote to memory of 4968	4888	work.exe	podaw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b.exe
"C:\Users\Admin\AppData\Local\Temp\3e0f6857792d90d67def0bce89fd498a0ab94ff437ab13d4c4dcb0338cec253b.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F82B.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\FEF2.exe
C:\Users\Admin\AppData\Local\Temp\FEF2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6C3.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\237F.exe
C:\Users\Admin\AppData\Local\Temp\237F.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe"
4⤵
- Executes dropped EXE
PID:4968

C:\Users\Admin\AppData\Local\Temp\2758.exe
C:\Users\Admin\AppData\Local\Temp\2758.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2512

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1612

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4972

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1192

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3908

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1752

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1496

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1724

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5024

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2724

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3448

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:184

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5108

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2004

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:32

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2248

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3148

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
7c9fc68dea252efc3125023b3c6a9020

SHA1
392369aaf32c390d1a63434da04b9091bf7ebebc

SHA256
0391d1fe3c551c24b85a7e12d818c0be50a3a29d6ed51ffd97847a839657f1de

SHA512
e581c92caf0a6ba3336d01cbc8ceacf1363b255330cdafc3a161ee78bc0128a90dc347723c0a8eadc4a33938f204981b2853f8af0dba83208bdff52d2517f16a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
7cdcf2a57f65d5f5f40769e70dcec94b

SHA1
399eae8e75d94b2c62dd681edf775aa3d75cd9b9

SHA256
078131e4fc4410931eac101dceaedce73adb906f45ee36bedcd4f2f41adb71c5

SHA512
98bbd7f17145c3c5bf2cd548e47d6f82e20ae268ee82510e3a3ff9673f4ccd60444b9b5cc1e1b80059371dddcdcf5045d3a04f16afbc976b4239cd483a3c173d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
7b5058e4550fa36515c5abb454ba8a4b

SHA1
fb6f6d9acbe9dd98af89d4f52d305fc3b951201b

SHA256
031e1533a094b24157d505d6907a1ede907247faa8d7d4b8570d111fb3c1417f

SHA512
1fc9e878a24d4f73ca058daeb7962ff211017104752846336aadcc960df36b3d0fa169485205db41a13175153f844dfdff9c27106461c431b0ea9a70e5384c51

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize
2KB

MD5
50be6f5b31aba15a111a454820ac0a4f

SHA1
13dfe2f276eef600baa7d89be59c3ebf149f822b

SHA256
67f6c11140536c0edde805ea3e854694bc6a87420d0bae8db95cf0568ceb8bdb

SHA512
c9b0851bff95e4670220b1d3cad3bc6c43cd320bcaa6d16643246cd78d4b8e7ccaec50fd2e4c84a7cd5813ce6f87c3ef3bb2cf3a6086a7270493e6eefe85bd7a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml
Filesize
96B

MD5
84209e171da10686915fe7efcd51552d

SHA1
6bf96e86a533a68eba4d703833de374e18ce6113

SHA256
04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

SHA512
48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\237F.exe
Filesize
6.1MB

MD5
9fb56dd5b5beb0b9c5d0102f22373c0b

SHA1
5559dc162d09c11c1ed80aedf8e9fa86fd531e4c

SHA256
a65b290aa9ebfb82746cf75440c19956169f48d7dcbebafde6996c9b46039539

SHA512
ab6c88acddf3350f4da37e20e38fc1bd4ac56433d5320fa071649ddf261cf1b6bb4692b54791e08e47b9e887a87ba5704afde6cb9aa9220c1da7f27c85400a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2758.exe
Filesize
421KB

MD5
9185b776b7a981d060b0bb0d7ffed201

SHA1
427982fb520c099e8d2e831ace18294ade871aff

SHA256
91a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b

SHA512
cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F82B.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEF2.exe
Filesize
472KB

MD5
0c7b5e30a05a51036a19b43e5570cb41

SHA1
1cdcd53fbb3da4e9bc4ad2aaa252e374901e2324

SHA256
18c5962f4e5684fb011adde20a4169157b62522bd249dd936bd4c341c85ff9a8

SHA512
ebe47e90d062aa956c386fd17ef57a2e469c45f8009a370a1cab6e1008aa26cb95f27480e41f9c09a2ae989cf69208aa36ce25946aad670d12cb90aa4ee210c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
5.8MB

MD5
8eeea65d388106b4489d07e025e17fed

SHA1
96651968f724c7daec51e74476403899bc7bf8c2

SHA256
69efe73bf8f9669427fb25962d104fb63ae7a4fdb4fb2f0022c7541a72c8a2c3

SHA512
1c5966906a89b8e7e83bf382c382e5ece1cf6827e7ba7e4ab4fc0ba0c91284bf398bf4822c53aab250520f7ffde231090a9e44d11493b6be8921899fb6d944d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe
Filesize
5.5MB

MD5
125c7efdef3f11c70b514739b1bab646

SHA1
526560d1ff7636ea4f0404eb74f5da68f7eb8e23

SHA256
2ca04fad5b8a81264292bb9877cb9c1c9f7a484cd03815ec9bb686ddf70edefa

SHA512
e08218e2415a051b9b8b7e6d28e6822341227fc5256f418c22b2b39f6d3d89e763f58b77dbbdfc792f8a8a17870136be5757c736db1c98d3437e76500f768261

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp1008.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
464526244fa9db8388bb26b2bdeb3167

SHA1
4442525d469ed790ff3d2b53c118e01d848e08fd

SHA256
1844ebff06f2d391dce2dd1aec478e71577f2c971ffb78e4411b3e29fd8a7f41

SHA512
c52a941940f220e06383e32a627717cfe6e50fd6d8b26ffeab0b49135fce922eebfbd546c26fbc3d3534164c33af90f8b9fa22f81c8d6dd78c154cb2adc9396f

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
dba4c9da0667b893c996fe4158a6283c

SHA1
4a39bc4dab3997076369f623d2a7506ced7b88ce

SHA256
e6cc8c1bfa559ffdcb62d40a704206c2d3fa404f2dd94357a14a623b00d04d07

SHA512
5496d4a33c35482e80eab0c22336fe67f51b5f65a37c63305833a741cb8365b6d0dcff3ededcfaeab2f85dd7a8e86b8186b37124fcdf594fb752990729c7e405

Download Submit
memory/32-584-0x000002012EEA0000-0x000002012EEC0000-memory.dmp

Filesize
128KB

Download
memory/32-579-0x000002012EA90000-0x000002012EAB0000-memory.dmp

Filesize
128KB

Download
memory/32-561-0x000002012EAD0000-0x000002012EAF0000-memory.dmp

Filesize
128KB

Download
memory/228-115-0x0000014C8E700000-0x0000014C8E800000-memory.dmp

Filesize
1024KB

Download
memory/228-120-0x0000015490820000-0x0000015490840000-memory.dmp

Filesize
128KB

Download
memory/228-143-0x00000154905E0000-0x0000015490600000-memory.dmp

Filesize
128KB

Download
memory/228-151-0x0000015490BF0000-0x0000015490C10000-memory.dmp

Filesize
128KB

Download
memory/1496-304-0x000001F3A7400000-0x000001F3A7420000-memory.dmp

Filesize
128KB

Download
memory/1496-270-0x000001F3A6300000-0x000001F3A6400000-memory.dmp

Filesize
1024KB

Download
memory/1496-275-0x000001F3A7440000-0x000001F3A7460000-memory.dmp

Filesize
128KB

Download
memory/1496-307-0x000001F3A7850000-0x000001F3A7870000-memory.dmp

Filesize
128KB

Download
memory/1724-407-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/2248-699-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/2724-429-0x000002BEF3EB0000-0x000002BEF3ED0000-memory.dmp

Filesize
128KB

Download
memory/2724-415-0x000002BEF3EF0000-0x000002BEF3F10000-memory.dmp

Filesize
128KB

Download
memory/2724-443-0x000002BEF44C0000-0x000002BEF44E0000-memory.dmp

Filesize
128KB

Download
memory/2724-410-0x000002BEF3000000-0x000002BEF3100000-memory.dmp

Filesize
1024KB

Download
memory/3356-4-0x0000000002FD0000-0x0000000002FE6000-memory.dmp

Filesize
88KB

Download
memory/3356-86-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/3488-22-0x0000000000850000-0x00000000008CA000-memory.dmp

Filesize
488KB

Download
memory/3488-20-0x0000000000850000-0x00000000008CA000-memory.dmp

Filesize
488KB

Download
memory/3748-31-0x0000000005310000-0x000000000531A000-memory.dmp

Filesize
40KB

Download
memory/3748-24-0x0000000005710000-0x0000000005CB4000-memory.dmp

Filesize
5.6MB

Download
memory/3748-64-0x0000000008C00000-0x000000000912C000-memory.dmp

Filesize
5.2MB

Download
memory/3748-63-0x0000000008500000-0x00000000086C2000-memory.dmp

Filesize
1.8MB

Download
memory/3748-21-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3748-23-0x00000000741D0000-0x0000000074980000-memory.dmp

Filesize
7.7MB

Download
memory/3748-62-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/3748-61-0x00000000741D0000-0x0000000074980000-memory.dmp

Filesize
7.7MB

Download
memory/3748-68-0x00000000741D0000-0x0000000074980000-memory.dmp

Filesize
7.7MB

Download
memory/3748-60-0x00000000073C0000-0x0000000007410000-memory.dmp

Filesize
320KB

Download
memory/3748-59-0x0000000006A60000-0x0000000006AC6000-memory.dmp

Filesize
408KB

Download
memory/3748-58-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/3748-57-0x0000000006790000-0x00000000067CC000-memory.dmp

Filesize
240KB

Download
memory/3748-28-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/3748-54-0x0000000006730000-0x0000000006742000-memory.dmp

Filesize
72KB

Download
memory/3748-53-0x00000000067F0000-0x00000000068FA000-memory.dmp

Filesize
1.0MB

Download
memory/3748-52-0x0000000006CA0000-0x00000000072B8000-memory.dmp

Filesize
6.1MB

Download
memory/3748-49-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/3748-48-0x0000000005E80000-0x0000000005EF6000-memory.dmp

Filesize
472KB

Download
memory/3748-30-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/3908-113-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/4400-1-0x0000000001B90000-0x0000000001C90000-memory.dmp

Filesize
1024KB

Download
memory/4400-5-0x0000000000400000-0x0000000001A0E000-memory.dmp

Filesize
22.1MB

Download
memory/4400-8-0x0000000001A50000-0x0000000001A5B000-memory.dmp

Filesize
44KB

Download
memory/4400-3-0x0000000000400000-0x0000000001A0E000-memory.dmp

Filesize
22.1MB

Download
memory/4400-2-0x0000000001A50000-0x0000000001A5B000-memory.dmp

Filesize
44KB

Download
memory/4748-268-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/4968-107-0x0000000000AF0000-0x00000000013E1000-memory.dmp

Filesize
8.9MB

Download
memory/4968-106-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/5108-553-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download