393516358cfefbb72e9e7a895c0343c3cda519a3a8b64226e3eb3ee04735db97

Analysis

max time kernel
458s
max time network
377s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-10-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.rar
Size

7.8MB
MD5

2d359f1041ae0f2ddbfac978ddbeac00
SHA1

cbb3d1bf341bbf977d43019cee0f27a92c2bcf7c
SHA256

393516358cfefbb72e9e7a895c0343c3cda519a3a8b64226e3eb3ee04735db97
SHA512

559e7dd9f2c0f11b06ff4f1bd403ab4e44942a9d752f3ddca9e8a3ea93519cb5b4ad3912033155c2e1be4d5400d4fa1388c3c54c01032fd2575b5fabc36bf428
SSDEEP

196608:sM0TbU7RgGCPcx2C65PzRAj6a/GFzo1kJ1rPd/4+1:CTzL0x/w7OD6zo1kJNFx1

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CGHotman_Redshift_Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CGHotman_Redshift_Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CGHotman_Redshift_Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CGHotman_Redshift_Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CGHotman_Redshift_Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CGHotman_Redshift_Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CGHotman_Redshift_Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CGHotman_Redshift_Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CGHotman_Redshift_Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CGHotman_Redshift_Server.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CGHotman_Redshift_Server.exe

Executes dropped EXE 10 IoCs

pid	Process
1320	CGHotman_Redshift_Server.exe
2644	CGHotman_Redshift_Server.exe
2612	CGHotman_Redshift_Server.exe
4240	CGHotman_Redshift_Server.exe
4268	CGHotman_Redshift_Server.exe
4504	CGHotman_Redshift_Server.exe
3296	CGHotman_Redshift_Server.exe
2328	CGHotman_Redshift_Server.exe
4124	CGHotman_Redshift_Server.exe
4328	CGHotman_Redshift_Server.exe

Loads dropped DLL 8 IoCs

pid	Process
1320	CGHotman_Redshift_Server.exe
2644	CGHotman_Redshift_Server.exe
2612	CGHotman_Redshift_Server.exe
4240	CGHotman_Redshift_Server.exe
4268	CGHotman_Redshift_Server.exe
4504	CGHotman_Redshift_Server.exe
3296	CGHotman_Redshift_Server.exe
2328	CGHotman_Redshift_Server.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CGHotman_Redshift_Server.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CGHotman_Redshift_Server.exe

Writes to the Master Boot Record (MBR) 1 TTPs 10 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CGHotman_Redshift_Server.exe
File opened for modification	\??\PhysicalDrive0	CGHotman_Redshift_Server.exe
File opened for modification	\??\PhysicalDrive0	CGHotman_Redshift_Server.exe
File opened for modification	\??\PhysicalDrive0	CGHotman_Redshift_Server.exe
File opened for modification	\??\PhysicalDrive0	CGHotman_Redshift_Server.exe
File opened for modification	\??\PhysicalDrive0	CGHotman_Redshift_Server.exe
File opened for modification	\??\PhysicalDrive0	CGHotman_Redshift_Server.exe
File opened for modification	\??\PhysicalDrive0	CGHotman_Redshift_Server.exe
File opened for modification	\??\PhysicalDrive0	CGHotman_Redshift_Server.exe
File opened for modification	\??\PhysicalDrive0	CGHotman_Redshift_Server.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
1320	CGHotman_Redshift_Server.exe
2644	CGHotman_Redshift_Server.exe
2612	CGHotman_Redshift_Server.exe
4240	CGHotman_Redshift_Server.exe
4268	CGHotman_Redshift_Server.exe
4504	CGHotman_Redshift_Server.exe
3296	CGHotman_Redshift_Server.exe
2328	CGHotman_Redshift_Server.exe
4124	CGHotman_Redshift_Server.exe
4328	CGHotman_Redshift_Server.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.twn97m\Content Type (109) = 007bdd288b5a6d1553a3337e	CGHotman_Redshift_Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{ae3da2bd-8a26-3357-a807-558ecb32}\AppID = f3c57b6d309f2357f08d7d05	CGHotman_Redshift_Server.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.twn97m	CGHotman_Redshift_Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{ae3da2bd-8a26-3357-a807-558ecb32}\AppID = 03865dcd319f2357f18d7d05	CGHotman_Redshift_Server.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{ae3da2bd-8a26-3357-a807-558ecb32}\AppID = 631211f4319f2357f18d7d05	CGHotman_Redshift_Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{ae3da2bd-8a26-3357-a807-558ecb32}\AppID = 63f971f7319f2357f18d7d05	CGHotman_Redshift_Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{ae3da2bd-8a26-3357-a807-558ecb32}\AppID = 2318fca4309f2357f08d7d05	CGHotman_Redshift_Server.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.twn97m	CGHotman_Redshift_Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{ae3da2bd-8a26-3357-a807-558ecb32}	CGHotman_Redshift_Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.twn97m\Content Type (109) = 308890c78b5a6d1553a3337e	CGHotman_Redshift_Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Applications\7zFM.exe	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c0031000000000084582768110050524f4752417e310000740009000400efbe724a6fa8845827682e0000003f0000000000010000000000000000004a000000000000dd6b00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{ae3da2bd-8a26-3357-a807-558ecb32}	CGHotman_Redshift_Server.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Applications\7zFM.exe\shell	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{ae3da2bd-8a26-3357-a807-558ecb32}\AppID = 03a70480309f2357f08d7d05	CGHotman_Redshift_Server.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.twn97m	CGHotman_Redshift_Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.twn97m\Content Type (109) = 70827d978a5a6d1552a3337e	CGHotman_Redshift_Server.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.twn97m	CGHotman_Redshift_Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.twn97m	CGHotman_Redshift_Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.twn97m\Content Type (109) = 40666d0c8b5a6d1553a3337e	CGHotman_Redshift_Server.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.twn97m	CGHotman_Redshift_Server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Applications\7zFM.exe\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.twn97m	CGHotman_Redshift_Server.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{ae3da2bd-8a26-3357-a807-558ecb32}	CGHotman_Redshift_Server.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\.twn97m	CGHotman_Redshift_Server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1704	OpenWith.exe
4488	7zFM.exe
5116	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	4488	7zFM.exe
Token: 35	4488	7zFM.exe
Token: SeSecurityPrivilege	4488	7zFM.exe
Token: SeDebugPrivilege	5116	taskmgr.exe
Token: SeSystemProfilePrivilege	5116	taskmgr.exe
Token: SeCreateGlobalPrivilege	5116	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4488	7zFM.exe
4488	7zFM.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe
5116	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe
1704	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 4488	1704	OpenWith.exe	75
PID 1704 wrote to memory of 4488	1704	OpenWith.exe	75

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\test.rar
1⤵
- Modifies registry class
PID:2024

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\test.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2816

C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe
"C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:1320

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5116

C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe
"C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:2644

C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe
"C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:2612

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\New Text Document.txt
1⤵
PID:2576

C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe
"C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4240

C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe
"C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4268

C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe
"C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4504

C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe
"C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:3296

C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe
"C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:2328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:428

C:\Flexlm\RLM_Redshift_LicServer\CGHotman_Redshift_Server.exe
"C:\Flexlm\RLM_Redshift_LicServer\CGHotman_Redshift_Server.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4124

C:\Flexlm\RLM_Redshift_LicServer\CGHotman_Redshift_Server.exe
"C:\Flexlm\RLM_Redshift_LicServer\CGHotman_Redshift_Server.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\owtwnmla.tok

Filesize
12B

MD5
8d1d3d298f86a94a663906713ee2add2

SHA1
1adeebc86ef03e6f8850f3b3de89587ad6638046

SHA256
59464347b121553ce93e0eb82f605c0e0b704e3d1323ca72376f8309d0ab1f66

SHA512
b104c001e24d5f352a034e46b7f364586456afbabaca2862c1a8c0c92d693d80fef8f4306c56c41fe61c4250f209d2cda5c274906ac3334fbfa619265821b2c9

Download Submit
C:\ProgramData\owtwnmla.tok

Filesize
12B

MD5
67f85ea53907418037e87638a4b5ed99

SHA1
3b1e1f6205f27c2064c29eb84f11f1d7f29f12c0

SHA256
ab28b3bed4594e1b9fffd7f0eb9a9051063f3ca6a929846a150d42b8ccf06d36

SHA512
5a4b8eac69b0ffd21f36f5deedec6178ae43bfbe4ba0cb9604417b70b5d02b7f56a3999f6c8f8fa36f2a81108b9bcb3b638e1f64c460c191535aecc964abfd5e

Download Submit
C:\ProgramData\owtwnmla.tok

Filesize
12B

MD5
97ba9507871054cdbb27bbb07a5c340c

SHA1
c6e51fcc447778fbf6a0e335ec1f61106f3781db

SHA256
114e9d53b164cb663ecc657829ab9783483fef4e602532d90fe04241a8dd09c2

SHA512
ce9375079ed444df57ee5009e28c8a2b000851ad467f4e181dac9faca2214d35c65d6d9d50659694edf051baaf083d6b21fe80e6586737a17b1d096ddb69ce20

Download Submit
C:\ProgramData\owtwnmla.tok

Filesize
12B

MD5
ef756f26e0521d239ae48bf5a9aab54e

SHA1
cef704299f9b8e4b99227703804c4b32a1141d3a

SHA256
4bf378e8e3497c1e7b332770d2b752b6c8fa03b650cdc8e0e62a7975e3c78308

SHA512
c3e5defebb23d6f82c2eb5a82ba47e1ab2dcfdbbfe5604bc57f01a97e77ff1bab0047434ef2ceb467fca950ee933e4d1dde3a240697c168acdf55bcc043f9229

Download Submit
C:\ProgramData\owtwnmla.tok

Filesize
12B

MD5
26624ca293204e867312a05c3c29a855

SHA1
cc2d4b25405c588c3b5562950da413423ed845a1

SHA256
b2f9bcf63ffef1633ebed9de1dc93f4197c6ccc8b302b97ee65677c7e2501542

SHA512
30f6ebc00d46cbbf8ce0097ccc5eb9a0463db13161be32d61122161dd468d8b1c51ae94c5b14a305f6801d859147190401f71e2c7824f7380eaccab4e0cf455b

Download Submit
C:\ProgramData\owtwnmla.tok

Filesize
12B

MD5
6267f6ac78385e754f3820092aa0aeaf

SHA1
a7dbc63522f4562708755441f46cfcd911dfff5a

SHA256
b9f5e6af8a8c2d679cdf72bc439d5d4d5627365dedf18bc65cc6e96a30591425

SHA512
6843766f1b2553507fa8c0b5fd7e49aff6ad74d069b619d0f8fddd60ee1ea906bb5e0727c4848d8cfa63c3caeff1ff93a95c934fc2666f195ae2485beafefc8f

Download Submit
C:\ProgramData\owtwnmla.tok

Filesize
12B

MD5
b604f643db584cf2a702ebbac7954f16

SHA1
55896758fd967e874e19e3eb81e7206b9d9bbb59

SHA256
2715c1a4fe33c0b0d659f2b2bedb49f46e4f36aaaf2a6f5ffc8095aee9d8288c

SHA512
d3783d902993e67a41bc3c1714ccad5bcb734a2012d4ab4959fb550ad517e783975a7a1672c6d92242d1cd8048ba29359b52095387cb730ddd0284a18e79bdf8

Download Submit
C:\ProgramData\owtwnmla.tok

Filesize
12B

MD5
4ee0db98a62bb5c5de52f951bf25cc9b

SHA1
9cb65fd98df5440b5f768252120d4cb34cd937a9

SHA256
8349a98b1a522ef02ed1eb799b68babb69133e2c62d93555b44c539998a60e02

SHA512
c87e8855063d6ccc23f8c73b6f3539adb475821dd2046460bb55a4a30805875ac2e36257e17f8f174321c6a206272013e25c30e67dd0472f7f76702b4f3624ca

Download Submit
C:\ProgramData\rtpeskt

Filesize
16B

MD5
dfc9a0dd057fcf84edfaf18b09b9c802

SHA1
26cfcb82d703656ac951b34c0eeabf6d2447eadc

SHA256
eee6ae83ab5ba6727b48b2a63805909d524e1dfe9262360564119628ef9b5a44

SHA512
bf45ad87715aadfd2c54e070c9e6d4aff0447ff134e0101a15d61bc9ca660d24f72f678eb1b589c8bf5558803d14410b7b5db9f5d4f1109e86f9eb7a9b1bf225

Download Submit
C:\ProgramData\sdpmvddk.hgx

Filesize
12B

MD5
009306f6bb97b1fbade2f15dc706296b

SHA1
1af4485beae2b3cb8474ce0e8a3522104611ff23

SHA256
a6ce2ee030efb4f1a3e136808f78a258d311545a4bc7ac8ebacf5db09159c804

SHA512
fe67c0d20436630faacf13dadbf0597f1d32ba6c3bfb12a76615a803b1bf99aa44c43ca928cb3b77d5acd83c7463e3240d4ae024db6c6d0457f7f1228bce5c42

Download Submit
C:\ProgramData\sdpmvddk.hgx

Filesize
12B

MD5
a432f8622dc63e0a40c95cec8adbd13b

SHA1
0298fdb3a55ceb9d525ae80c483ae212deec09a5

SHA256
8a57b3238e6cf070116e6173ea98218822edae9b95b5a4fc1f2d631ac3a0cb80

SHA512
2ee3e0082775ec085b078a9e10e14839edb243997a5acb95d457f3d55dac8dfc20cab551f55427f1fa1aad4c910fa111ee5741c6e048b70ee8c6517085a80d83

Download Submit
C:\ProgramData\sdpmvddk.hgx

Filesize
12B

MD5
6852ebb2ab8110ba1c272976c7e306f6

SHA1
ef8b70d35ddbefd9311c05f1d84722ceac1031e2

SHA256
5f4091cd0a3ace66a559f55a1cfccbaa5cfcc710212e12556f3b323d9702b615

SHA512
4c6588dc681e8cf4fdf9350dd279d26d7425a4beb585fa1a6fd3fbe8c343ca9ab2e6451c3e4916f000ffbd9dba349eb3ea5902a0296993e0b6586d7d69ee3a33

Download Submit
C:\ProgramData\sdpmvddk.hgx

Filesize
12B

MD5
f90499a6f0e14117e2f3889bad12c6d3

SHA1
4404f0d190e66f7aeb157ef95d4cb123b7b5d723

SHA256
37f788d8d5b1e54b849da1a1e7b35f73c2ccd8f02ab4e1c5b10e78830fce5222

SHA512
77240eed33914078991bc03813d2a762e442180e17120ebcafad2039eae7ef9a69758f91f6289db0de3699e17f448394426d1e4cefd3a38f3f27a6ab8e9ad331

Download Submit
C:\ProgramData\sdpmvddk.hgx

Filesize
12B

MD5
8d3c8677d4c5c44aa5505eedf36eb7ae

SHA1
db6b49c3badbcd0c14da110726f7003998986653

SHA256
8f8bc56c31e54eb8e46d8239adcfe2096ae0a18e9fb8a246e8706b134ca74162

SHA512
d2eda1f6bd0cd9f2e37a1846ae7eb1625ccbdbe00759bba2363d3cbda0a5e168e26d5b1dc5cc409ab94ef4deaffcffb3d4da23d6f38772b3ecc56950dcf0093c

Download Submit
C:\ProgramData\sdpmvddk.hgx

Filesize
12B

MD5
268b0dc52d70e6f94db28550a5414a55

SHA1
74ede5ccb133f31039592a80817b77df4a91d607

SHA256
5f96b2a04c515b9cb48fccb0998f1fbb74f7f5e8082a4a97e65687a825868dc5

SHA512
4c60fe74b82403e42b1f06673d997f347cad4f54a2f4da0ded2ad2aa3de99aa0d5e0e4ad5635528d8c7ff9084e7bd2e5b7777a3e62142f8c3ac4adf30acd56ef

Download Submit
C:\ProgramData\sdpmvddk.hgx

Filesize
12B

MD5
6c60ce2b87dc5966af10a0c921e24e09

SHA1
92107ccc7515b44c549958db5cd2b944da009940

SHA256
22e8dd7abb849e961692ed73181c18f9f050836d70233daa347d268aa0989636

SHA512
6bc87ba410700b4f0d0c6367974cd261a2bb2d06d39c6f50efd0ed62682a7d13ba1679739251a2ef8e4756c66a905df92c0bec19d40c816ebf4dd29b2e90bf24

Download Submit
C:\ProgramData\sdpmvddk.hgx

Filesize
12B

MD5
e139257aa6c77889dd82cc9943275bfc

SHA1
0a63de2a12d573ee55aefae2936296db64de9b19

SHA256
adf3be4c70d0d478659334cb89abe120caa2bb14f08fc60e566bb681e92af370

SHA512
855e08af2a4ff6a9c0a1a99fcfbd6a7cf983241f15e2cea0ece08de548e2b163c1a60f6b9ad8f424e2a5c359c47b6b35fb2651c2b9714b61a847abb986c8f955

Download Submit
C:\ProgramData\sdpmvddk.hgx

Filesize
12B

MD5
1bbdc13f0dcd6eb2a1bbf9afa6bb7a1f

SHA1
13e3675169a95c985bdb214a96678aab70f755cf

SHA256
94d2d83520f1e0d28a819a700536e41ec579173bc0e84092639a4f96b335b4f1

SHA512
264d6b5930c42a98a9828e033bd49b359fe0681f83822c279f1d27ccff165de274e036f32cc23ba73cdf725be77199d9c995d7cfbf097634c54b926adc07f9c2

Download Submit
C:\Users\Admin\Desktop\New folder\CGHotman_Redshift_Server.exe

Filesize
7.7MB

MD5
b0d6ae3bae0ecf922835e88f0d2651f2

SHA1
ca62d67d5eeec91bd5d7b683198af9b5c3afe396

SHA256
802ff85804d2980c56a008faaf630d43fbabd1cf3926d154189fb482d9e64948

SHA512
26fc0a5e5fa3e1849afc4090cb74edb712f72a12495026d3d90d4d75190ce153d340c63d3ee57c32fa5810637d8598442de240c9e27a3f149c8d7fcfcac0c87a

Download Submit
\Users\Admin\Desktop\New folder\PatchCode.dll

Filesize
352KB

MD5
6f4d1ca799db5b697020b766cb4e7e0c

SHA1
990c3115d2735e21372172bc68582942baa345fd

SHA256
ba6bf08993a7af731350c033f0d8baef60cbf1be1dc7b5470ffc94346694d3f5

SHA512
d8c5de383d5fd458313b0d7dc90dfae058c31cac2c082e3f59b7aee68d03b7d6bd97eab461aa553d796e7b598f7fd4cca18d217f38f7182b2e06b1b705bb6045

Download Submit
memory/1320-13-0x0000000140000000-0x0000000141520000-memory.dmp

Filesize
21.1MB

Download
memory/1320-9-0x00007FFBCE920000-0x00007FFBCE930000-memory.dmp

Filesize
64KB

Download
memory/1320-5-0x0000000140000000-0x0000000141520000-memory.dmp

Filesize
21.1MB

Download
memory/2328-68-0x00007FFBCE920000-0x00007FFBCE930000-memory.dmp

Filesize
64KB

Download
memory/2612-30-0x00007FFBCE920000-0x00007FFBCE930000-memory.dmp

Filesize
64KB

Download
memory/2612-35-0x0000000140000000-0x0000000141520000-memory.dmp

Filesize
21.1MB

Download
memory/2644-27-0x0000000140000000-0x0000000141520000-memory.dmp

Filesize
21.1MB

Download
memory/4124-74-0x00007FFBCE920000-0x00007FFBCE930000-memory.dmp

Filesize
64KB

Download
memory/4124-79-0x00007FFC09E10000-0x00007FFC09E6F000-memory.dmp

Filesize
380KB

Download
memory/4240-44-0x0000000140000000-0x0000000141520000-memory.dmp

Filesize
21.1MB

Download
memory/4240-39-0x00007FFBCE920000-0x00007FFBCE930000-memory.dmp

Filesize
64KB

Download
memory/4328-81-0x00007FFBCE920000-0x00007FFBCE930000-memory.dmp

Filesize
64KB

Download
memory/4328-86-0x00007FFC03DE0000-0x00007FFC03E3F000-memory.dmp

Filesize
380KB

Download