redline | 054ce7a68c5ef3e99d04df90781e6e084517e9499f62afef7f423d4d331e155d

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2662fb73bd4f01311cb33f20b72baca_JaffaCakes118.exe
Size

1.0MB
MD5

a2662fb73bd4f01311cb33f20b72baca
SHA1

df62e36435f56799154bfcc1962a3e0a36769eec
SHA256

054ce7a68c5ef3e99d04df90781e6e084517e9499f62afef7f423d4d331e155d
SHA512

de09c6023a185525e29c0f3f19d00aa6c38b386cf3262827d245cac0d92f70f79f87d1d9c5c053fd490766a67feefdc33a0a474453624d535677a69ae421c357
SSDEEP

24576:XL2oFugO/TMRpV5n08Xcvpr+NOwZi3uv+:X6oJ1Rtn0Ll+Jyu2

Score

10^/10

redline sectoprat @fx0321 discovery execution infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

@fx0321

193.56.8.53:25656

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1772-165-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1772-165-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4596	powershell.exe
840	powershell.exe
1940	powershell.exe
2520	powershell.exe
3308	powershell.exe
1328	powershell.exe
2264	powershell.exe
388	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchost32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	KeyActivate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	svchost32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	services32.exe

Executes dropped EXE 8 IoCs

pid	Process
4720	KeyActivate.exe
3880	RuntimeBroker.exe
1484	launcher.exe
4572	svchost32.exe
4728	services32.exe
3592	svchost32.exe
2472	sihost32.exe
1772	launcher.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ApplicationName = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker.exe"	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.log	svchost32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1484 set thread context of 1772	1484	launcher.exe	131

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2662fb73bd4f01311cb33f20b72baca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	launcher.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5008	schtasks.exe
4744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2520	powershell.exe
2520	powershell.exe
3308	powershell.exe
3308	powershell.exe
1328	powershell.exe
1328	powershell.exe
2264	powershell.exe
2264	powershell.exe
4572	svchost32.exe
388	powershell.exe
388	powershell.exe
4596	powershell.exe
4596	powershell.exe
840	powershell.exe
840	powershell.exe
1940	powershell.exe
1940	powershell.exe
3592	svchost32.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	4572	svchost32.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	3592	svchost32.exe
Token: SeDebugPrivilege	1772	launcher.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4720	1520	a2662fb73bd4f01311cb33f20b72baca_JaffaCakes118.exe	83
PID 1520 wrote to memory of 4720	1520	a2662fb73bd4f01311cb33f20b72baca_JaffaCakes118.exe	83
PID 1520 wrote to memory of 3880	1520	a2662fb73bd4f01311cb33f20b72baca_JaffaCakes118.exe	84
PID 1520 wrote to memory of 3880	1520	a2662fb73bd4f01311cb33f20b72baca_JaffaCakes118.exe	84
PID 1520 wrote to memory of 1484	1520	a2662fb73bd4f01311cb33f20b72baca_JaffaCakes118.exe	85
PID 1520 wrote to memory of 1484	1520	a2662fb73bd4f01311cb33f20b72baca_JaffaCakes118.exe	85
PID 1520 wrote to memory of 1484	1520	a2662fb73bd4f01311cb33f20b72baca_JaffaCakes118.exe	85
PID 4720 wrote to memory of 1636	4720	KeyActivate.exe	86
PID 4720 wrote to memory of 1636	4720	KeyActivate.exe	86
PID 1636 wrote to memory of 2520	1636	cmd.exe	88
PID 1636 wrote to memory of 2520	1636	cmd.exe	88
PID 1636 wrote to memory of 3308	1636	cmd.exe	89
PID 1636 wrote to memory of 3308	1636	cmd.exe	89
PID 1636 wrote to memory of 1328	1636	cmd.exe	90
PID 1636 wrote to memory of 1328	1636	cmd.exe	90
PID 1636 wrote to memory of 2264	1636	cmd.exe	91
PID 1636 wrote to memory of 2264	1636	cmd.exe	91
PID 4720 wrote to memory of 3284	4720	KeyActivate.exe	105
PID 4720 wrote to memory of 3284	4720	KeyActivate.exe	105
PID 3284 wrote to memory of 4572	3284	cmd.exe	107
PID 3284 wrote to memory of 4572	3284	cmd.exe	107
PID 4572 wrote to memory of 4336	4572	svchost32.exe	108
PID 4572 wrote to memory of 4336	4572	svchost32.exe	108
PID 4336 wrote to memory of 5008	4336	cmd.exe	110
PID 4336 wrote to memory of 5008	4336	cmd.exe	110
PID 4572 wrote to memory of 4728	4572	svchost32.exe	111
PID 4572 wrote to memory of 4728	4572	svchost32.exe	111
PID 4572 wrote to memory of 4448	4572	svchost32.exe	112
PID 4572 wrote to memory of 4448	4572	svchost32.exe	112
PID 4728 wrote to memory of 2732	4728	services32.exe	114
PID 4728 wrote to memory of 2732	4728	services32.exe	114
PID 4448 wrote to memory of 4900	4448	cmd.exe	116
PID 4448 wrote to memory of 4900	4448	cmd.exe	116
PID 2732 wrote to memory of 388	2732	cmd.exe	117
PID 2732 wrote to memory of 388	2732	cmd.exe	117
PID 2732 wrote to memory of 4596	2732	cmd.exe	118
PID 2732 wrote to memory of 4596	2732	cmd.exe	118
PID 2732 wrote to memory of 840	2732	cmd.exe	119
PID 2732 wrote to memory of 840	2732	cmd.exe	119
PID 2732 wrote to memory of 1940	2732	cmd.exe	120
PID 2732 wrote to memory of 1940	2732	cmd.exe	120
PID 4728 wrote to memory of 1660	4728	services32.exe	123
PID 4728 wrote to memory of 1660	4728	services32.exe	123
PID 1660 wrote to memory of 3592	1660	cmd.exe	125
PID 1660 wrote to memory of 3592	1660	cmd.exe	125
PID 3592 wrote to memory of 456	3592	svchost32.exe	126
PID 3592 wrote to memory of 456	3592	svchost32.exe	126
PID 3592 wrote to memory of 2472	3592	svchost32.exe	128
PID 3592 wrote to memory of 2472	3592	svchost32.exe	128
PID 456 wrote to memory of 4744	456	cmd.exe	129
PID 456 wrote to memory of 4744	456	cmd.exe	129
PID 1484 wrote to memory of 1772	1484	launcher.exe	131
PID 1484 wrote to memory of 1772	1484	launcher.exe	131
PID 1484 wrote to memory of 1772	1484	launcher.exe	131
PID 1484 wrote to memory of 1772	1484	launcher.exe	131
PID 1484 wrote to memory of 1772	1484	launcher.exe	131
PID 1484 wrote to memory of 1772	1484	launcher.exe	131
PID 1484 wrote to memory of 1772	1484	launcher.exe	131
PID 1484 wrote to memory of 1772	1484	launcher.exe	131
PID 3592 wrote to memory of 5076	3592	svchost32.exe	134
PID 3592 wrote to memory of 5076	3592	svchost32.exe	134
PID 5076 wrote to memory of 808	5076	cmd.exe	136
PID 5076 wrote to memory of 808	5076	cmd.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a2662fb73bd4f01311cb33f20b72baca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2662fb73bd4f01311cb33f20b72baca_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\KeyActivate.exe
  C:\Users\Admin\AppData\Local\Temp\KeyActivate.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2264
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\KeyActivate.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
      C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\KeyActivate.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4336
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5008
    - - C:\Windows\system32\services32.exe
        
        "C:\Windows\system32\services32.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
      - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4744
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        8⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:808
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:4900
- C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
  C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3880
- C:\Users\Admin\AppData\Local\Temp\launcher.exe
  C:\Users\Admin\AppData\Local\Temp\launcher.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\launcher.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost32.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\launcher.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ab24765a7393bd3cef8acbf0a617fba2

SHA1
ef2c12a457a11f6204344afed09a39f4d3e803cb

SHA256
3a03c7efabe880ae9f283b1cf373d3f09d07ab619028319b3599b643ae140d47

SHA512
e16306674a8c89f54467d7fba3857e1e0bdf3729f5de9f4451520cfbddfa535c4d653dde6efcac38efd693e9b3e4965fcd08c559e720c372feca65050b46e355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
65e4f01c24b55569d54d23b8efd0c8d5

SHA1
2c58f21418af8c0f1e118a7f3cf17d8448a8be64

SHA256
c1e9cf9a0865152d180419cb3ebc77538bdbdc9d1e633eb71ad6871fbc4d4763

SHA512
afaf0c200caba78650aee46bd62994c5becc073c22cb62404f783b257c78a72061e240b8678c38790b2cec1e41429161b13c6d92cc9817fe70e86abff5af2056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb904188a321994906abe152659c567

SHA1
1a131923372bab101ca002c35544858fe3e2370c

SHA256
ccd43cc5dbdd2dc786bdd89460c11ea5f55b4e8389b98e0bcd6400f614fe9d04

SHA512
37cbba09369d94ce3d9852503c50a1cdc14a5646d8b4fdeca9bffd3d9284d8e0ceb2801ba458fdddf762f1a4058c5781d0a2f95452d3f7302e42abc5920238ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4920f7bec7cdb8ac44637a6af9d2fc6f

SHA1
d4c5e3c9397926ec9bdaccdd955e89f5138b1816

SHA256
8cc607eab702c5690ee5d64f5d34add46b7093c23751506dad728853a434a277

SHA512
321e8178ebd08d680c6d1af467ab73e3055af8c8bb06ee81b1af46bd6718e5a060c339da5a281028c2557ab8d85172921e10363ccd8d411aa0e75f62119838d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyActivate.exe

Filesize
569KB

MD5
9bb06ab42d4883d1315641b62dd65e58

SHA1
e58876178a5cfc69c62c6f72c06c6f34b3e4b821

SHA256
d1347ceaeb056a0ba1ceb2a674864c2b6123c5ec516d1de0d6f1b17653638474

SHA512
1ca41b28fa675c6b7f8efc9d5fa9e515324985e7715f0bca33c5e75ccf85845096cbc44688a0a7f6b1c73a807031ffe1814873b51559d56e9f608525250870c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gfcoqmxi.d5c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\launcher.exe

Filesize
416KB

MD5
3f4ced9fb30a8c31f129d5e717141171

SHA1
2e6cdc927bc9e17e8c3e3985e6dc783d2f359e55

SHA256
507640330eb0d338c68d640ed4c4a4fe0a87a6293bf57afa74cfbaea20dd019c

SHA512
01374beb7508b7ee962fdb4764cfce2a3b5902ebb92993f0359ede0363de905eea72c30ab1d80cc9e0f0771c8c95e5b3faa189703d948a2d87386eb9c0df0faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
119KB

MD5
25ded84c49d528dd9e42b67957a50054

SHA1
bd60e556f58a1003f61c4a8a5030827e83e9e5b7

SHA256
d8c727520b198021c1ea7dd848900be0c21d308028f46982796c027a53e9a2de

SHA512
643a3b90c06a5d1e9b01df9c616aebf393a249a50610a4489d4fb7135a4b813371f53caaaf41c85d03879193d55b9715acf1a6ceb250b9b0a5d9274e94bf70bc

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Filesize
58KB

MD5
411e7ed61ef7002096f3e3d2ce519734

SHA1
fdf8d29b4b310974477539fc35c3b3d327963c6c

SHA256
822c45c64e7c5e5781cc07933042ed274b13083ab32125efcd8d68cb33a899bc

SHA512
7500c26d1a3e6c3e318c48799c4adb35dfb8940daef7950a451fe78c6433cec057d4fdf4cc024e6e172568253056b869dec058f9b2d3c21e0a8c25001887bfe2

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
51KB

MD5
45a31abb24f3e89a782878eaf61b0fa1

SHA1
5fcad02840a08f7a74dfbb5b1b08d07b3b3c03da

SHA256
95c4af41d733e31b1208cf70e34faf56856ccdf0f5f8a2a29ec37ba81b68402b

SHA512
90a0d2c0b7b4e5aa1853d5dea654de93e34e196c57aff6b0102d1984c2427fc6e2dca936de3998b320e3dc438411ff7b1bece05374e0d48cec7dc632d326a15f

Download Submit
memory/1484-32-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/1484-19-0x0000000005770000-0x0000000005D14000-memory.dmp

Filesize
5.6MB

Download
memory/1484-163-0x0000000006540000-0x00000000065B6000-memory.dmp

Filesize
472KB

Download
memory/1484-18-0x0000000000820000-0x000000000088E000-memory.dmp

Filesize
440KB

Download
memory/1484-69-0x00000000091B0000-0x00000000091B8000-memory.dmp

Filesize
32KB

Download
memory/1484-70-0x0000000009260000-0x00000000092FC000-memory.dmp

Filesize
624KB

Download
memory/1484-21-0x00000000051C0000-0x0000000005252000-memory.dmp

Filesize
584KB

Download
memory/1484-164-0x0000000006420000-0x0000000006448000-memory.dmp

Filesize
160KB

Download
memory/1772-171-0x0000000005170000-0x00000000051AC000-memory.dmp

Filesize
240KB

Download
memory/1772-172-0x00000000051B0000-0x00000000051FC000-memory.dmp

Filesize
304KB

Download
memory/1772-173-0x0000000005420000-0x000000000552A000-memory.dmp

Filesize
1.0MB

Download
memory/1772-169-0x0000000005750000-0x0000000005D68000-memory.dmp

Filesize
6.1MB

Download
memory/1772-165-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1772-170-0x0000000002C80000-0x0000000002C92000-memory.dmp

Filesize
72KB

Download
memory/2472-162-0x0000000001460000-0x0000000001466000-memory.dmp

Filesize
24KB

Download
memory/2472-161-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2520-27-0x0000025A7EF70000-0x0000025A7EF92000-memory.dmp

Filesize
136KB

Download
memory/3880-16-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/3880-15-0x000000001AF30000-0x000000001AF36000-memory.dmp

Filesize
24KB

Download
memory/3880-14-0x0000000000760000-0x0000000000774000-memory.dmp

Filesize
80KB

Download
memory/3880-72-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/4572-82-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/4572-81-0x00000000029F0000-0x0000000002A02000-memory.dmp

Filesize
72KB

Download
memory/4572-80-0x0000000000470000-0x0000000000492000-memory.dmp

Filesize
136KB

Download
memory/4720-20-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/4720-76-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/4720-73-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/4720-71-0x00007FFC7BC93000-0x00007FFC7BC95000-memory.dmp

Filesize
8KB

Download
memory/4720-10-0x00007FFC7BC93000-0x00007FFC7BC95000-memory.dmp

Filesize
8KB

Download
memory/4720-17-0x0000000002950000-0x0000000002972000-memory.dmp

Filesize
136KB

Download
memory/4720-9-0x0000000000360000-0x00000000003F2000-memory.dmp

Filesize
584KB

Download
memory/4728-97-0x0000000001190000-0x00000000011B2000-memory.dmp

Filesize
136KB

Download