redline | hxxps://www[.]mediafire[.]com/file/8wylh9cqtuxm62f/BLTools_v2[.]9[.]1_%255BPRO%255D[.]rar/file

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/8wylh9cqtuxm62f/BLTools_v2.9.1_%255BPRO%255D.rar/file

Score

10^/10

redline xmrig @waltuhiumcloud discovery evasion execution infostealer miner persistence upx

Malware Config

Extracted

Family

redline

Botnet

@waltuhiumcloud

45.133.36.107:1912

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cd0-253.dat	family_redline
behavioral1/memory/2336-272-0x0000000000A50000-0x0000000000AA2000-memory.dmp	family_redline

Redline family
redline
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/872-357-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/872-359-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/872-360-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/872-362-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/872-361-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/872-356-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/872-363-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5588	powershell.exe
5192	powershell.exe
5932	powershell.exe
3924	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	BLTools v2.9.1[PRO].exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	BLTools v2.9.1[PRO].exe

Executes dropped EXE 8 IoCs

pid	Process
5312	BLTools v2.9.1[PRO].exe
2336	build.exe
5480	VLCMediaPlayer.exe
5176	psmwzamfkpsj.exe
5448	BLTools v2.9.1[PRO].exe
4376	build.exe
5928	VLCMediaPlayer.exe
5884	psmwzamfkpsj.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	VLCMediaPlayer.exe
File opened for modification	C:\Windows\system32\MRT.exe	VLCMediaPlayer.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	psmwzamfkpsj.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5176 set thread context of 4860	5176	psmwzamfkpsj.exe	174
PID 5176 set thread context of 872	5176	psmwzamfkpsj.exe	175

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/872-353-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/872-357-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/872-355-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/872-359-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/872-360-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/872-362-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/872-361-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/872-352-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/872-356-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/872-351-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/872-354-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/872-363-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Launches sc.exe 26 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5408	sc.exe
6008	sc.exe
6068	sc.exe
5476	sc.exe
2780	sc.exe
5988	sc.exe
2528	sc.exe
6028	sc.exe
2592	sc.exe
5012	sc.exe
5932	sc.exe
5232	sc.exe
836	sc.exe
660	sc.exe
2520	sc.exe
5188	sc.exe
3768	sc.exe
4968	sc.exe
6116	sc.exe
6124	sc.exe
5304	sc.exe
5512	sc.exe
5320	sc.exe
1372	sc.exe
3804	sc.exe
2056	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLTools v2.9.1[PRO].exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLTools v2.9.1[PRO].exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	msedge.exe
2828	msedge.exe
2108	msedge.exe
2108	msedge.exe
508	identity_helper.exe
508	identity_helper.exe
1204	msedge.exe
1204	msedge.exe
5480	VLCMediaPlayer.exe
5588	powershell.exe
5588	powershell.exe
5588	powershell.exe
5480	VLCMediaPlayer.exe
5480	VLCMediaPlayer.exe
5480	VLCMediaPlayer.exe
5480	VLCMediaPlayer.exe
5480	VLCMediaPlayer.exe
5480	VLCMediaPlayer.exe
5480	VLCMediaPlayer.exe
5480	VLCMediaPlayer.exe
5480	VLCMediaPlayer.exe
5480	VLCMediaPlayer.exe
5176	psmwzamfkpsj.exe
5192	powershell.exe
5192	powershell.exe
5192	powershell.exe
5176	psmwzamfkpsj.exe
5176	psmwzamfkpsj.exe
5176	psmwzamfkpsj.exe
5176	psmwzamfkpsj.exe
5176	psmwzamfkpsj.exe
5176	psmwzamfkpsj.exe
5176	psmwzamfkpsj.exe
5176	psmwzamfkpsj.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	5368	7zG.exe
Token: 35	5368	7zG.exe
Token: SeSecurityPrivilege	5368	7zG.exe
Token: SeSecurityPrivilege	5368	7zG.exe
Token: SeDebugPrivilege	5588	powershell.exe
Token: SeDebugPrivilege	5192	powershell.exe
Token: SeLockMemoryPrivilege	872	explorer.exe
Token: SeDebugPrivilege	5932	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
5368	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 4016	2108	msedge.exe	83
PID 2108 wrote to memory of 4016	2108	msedge.exe	83
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 3108	2108	msedge.exe	84
PID 2108 wrote to memory of 2828	2108	msedge.exe	85
PID 2108 wrote to memory of 2828	2108	msedge.exe	85
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86
PID 2108 wrote to memory of 5024	2108	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/8wylh9cqtuxm62f/BLTools_v2.9.1_%255BPRO%255D.rar/file
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd01646f8,0x7ffcd0164708,0x7ffcd0164718
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,5718388143327838397,7637266078640560046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:5684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5240

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BLTools v2.9.1 [PRO]\" -spe -an -ai#7zMap10114:102:7zEvent24633
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5368

C:\Users\Admin\Downloads\BLTools v2.9.1 [PRO]\BLTools v2.9\BLTools v2.9.1[PRO].exe
"C:\Users\Admin\Downloads\BLTools v2.9.1 [PRO]\BLTools v2.9\BLTools v2.9.1[PRO].exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5312
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\VLCMediaPlayer.exe
  "C:\Users\Admin\AppData\Local\Temp\VLCMediaPlayer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5480
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5412
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2420
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5408
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3768
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5932
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4968
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:5988
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GOPRDESH"
    3⤵
    - Launches sc.exe
    PID:6008
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GOPRDESH" binpath= "C:\ProgramData\olxeukorrrgc\psmwzamfkpsj.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:6068
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:6116
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GOPRDESH"
    3⤵
    - Launches sc.exe
    PID:6124

C:\ProgramData\olxeukorrrgc\psmwzamfkpsj.exe
C:\ProgramData\olxeukorrrgc\psmwzamfkpsj.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5176
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1920
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4932
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2528
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5476
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5304
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5512
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5320
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4860
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:872

C:\Users\Admin\Downloads\BLTools v2.9.1 [PRO]\BLTools v2.9\BLTools v2.9.1[PRO].exe
"C:\Users\Admin\Downloads\BLTools v2.9.1 [PRO]\BLTools v2.9\BLTools v2.9.1[PRO].exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5448
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\VLCMediaPlayer.exe
  "C:\Users\Admin\AppData\Local\Temp\VLCMediaPlayer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:5928
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:6052
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:904
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:6028
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2592
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5232
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:5188
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:5012
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:836
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GOPRDESH"
    3⤵
    - Launches sc.exe
    PID:1372

C:\ProgramData\olxeukorrrgc\psmwzamfkpsj.exe
C:\ProgramData\olxeukorrrgc\psmwzamfkpsj.exe
1⤵
- Executes dropped EXE
PID:5884
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5272
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2024
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3804
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2056
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:660
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2780
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
861935d7375c5fab9d077b75d0ce2759

SHA1
f6c3df4d1f81fc4063ac7e97bd1664ea3ad59413

SHA256
c1d6b449ae6a3fd3ba201a72314f6c62060c6728dd42d4718f64412f6b2492f2

SHA512
896f9d80966cfe660cf8ff4df2c436eaec1fd42482edc8ee81e43d3c67b60dd89c13d8bbcae5795d1dfe71ec70749e29b27a61c4f5c3c5e0a53757370e551b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
ec85d8c7bdd74d878ae837c6e4101ab4

SHA1
04329fe9c2c67e7cc979bc4f261d7d4e60b5e04a

SHA256
3c87b992bc038d533b94996dd2b7f3e8081839af30386ae72452cf4e37434d7c

SHA512
e2361423aef51dbb419a54824c694cf78d79c7d8fda365f69ad37c7275112b766b80251a325b1b25867c9e393cd85d67ad2df1c3bcbb1ebe70330837bed49276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
ea1a8ded53f5dd4070fa217bb37d9d9a

SHA1
db49f55c22b4b54633ad4fac07331d2ddfef8351

SHA256
a1a293cded4a83fa2f46576f18b551fb6b0de722f5fb96fcc111c637701f63dd

SHA512
02fe6f2883081fd7399b7d783587abb77fbc104812dd6f6eac833f6a620c70d5d6555a31bc00e4ead18c8ed5198e0d41f36a8d7023eb161f7be0137ea821adb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
0fa0c4f60c56b9292e7dbe9acac443d3

SHA1
976acfcb56890e0c3ef3a6cae9cf3e787e97ab3b

SHA256
b2cf4936dd250e381a715a40606371bccf04dbf142c9db400387e92f9c9322a2

SHA512
8b0a07137514cf333fafb69f1f405a4b03d031c07f64fd35ef0c1d4ebb13805d97d19ea3cedcd14d6f75a450630229806135a3deb2711a651a193563b9d51c21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1f3bd19e6788cca586c010a04a45fea3

SHA1
ebdfebd2d6df5756c8ddfb643f98c529962284d7

SHA256
0ba98bae9f62be2aad6bbcca16d5db57830437608b9c173a3f76efbfdfc5f0bc

SHA512
2f37032be4fe7c31089bdd36b6d7ebf4f148a13ce398bf44be43cd7a1999daa73ab6ba505b77ee74e359ecce6aaf423f37796ab2eca1e1756e72f9e0eb15922c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d6353a7085e1cb19a0f04c1a82fd59a

SHA1
3f34a196abc23c0c6cbf5b27c191f622dafd61af

SHA256
f2b09e80c64b29cb6e6fe5f26f7630b613c704569ba44ccdbde87b5387cb58fc

SHA512
dbfff5cfe02fa12fd057cbeb9214965e434d52df765aa57ae09721bcaec55f80a00fb2d63013ca4047bc782abd20a968f2dc5890d41b32f624ff8ca7691531a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
df74b3a4eb0e25fff6965681e1fbc641

SHA1
5df29df04b2190281f20f8610f621c731f73dc20

SHA256
0da89391b709e625bb077448f0f59376c53f089ba640479f3cf2538aac108a96

SHA512
9052449aa6012ad292112c68011d164e17a0bdc73e6b0e26ab4e8c45d694106357abf04f89a4dd6c62f647596f65a87247d450ed833b6f7907dc1c4dfe418900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
72c82082fe9b95fbc7f15bf0cc902cb0

SHA1
b0af9c07a8b0ccfc1268f5c56ae937823691af35

SHA256
7cc3461e930497770a679dd2e905d0b2e1d3d65d39ea6862f7a04c1eecdfa20a

SHA512
94ba1ee94ca9ab4d6f4d53c31f68e261c584031cb2855db826b5a2254e95ca288de1133effded4ffc38b3928df3646dea77598714afa367cde0bd00a6c1a0e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b9c3135bb292fb1c06e5eab420d05b56

SHA1
f414c74837be221d516667aa616b6760c754d4f1

SHA256
cc943e9e5e593dc6cfe975fe8ca336cee75313c8ca8d7e19a165c520a987b098

SHA512
383395e75b12c67fd2bdbaa5152871b72c47ca852cc33e0544762082e2739a81cddda3883ccfef418e99c72a26d53ca3d6136d8566090e85b30f5da31f1e406d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VLCMediaPlayer.exe

Filesize
2.5MB

MD5
1584ec9d49300648fb4787af01e581ad

SHA1
36382ee29663f9a72140eac36c006fbba8c23eaa

SHA256
83aad4b727208a7611de04a56e6a7c98ae2d73fd3bd47cfa93ce862e4adbf151

SHA512
fc8251e40448c1f9aee8f2fb2034e4bc94f9e1c4b01b0713459d01611f884dc7c151067e0fb610af0210748c06c7c898c05d6b2407b8462593a3aaee58da15ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xk5b45h0.ce0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
300KB

MD5
79c26910f1fc92ef6b297e5f70365b99

SHA1
38d6140773561425c9061c8110bcdd711532b455

SHA256
0ddd45ec670bd68fa73f0124e91998286c32488d8f180f5c73ed57e87277a1eb

SHA512
64f82d5de194f2f75a76eb3211928ec7e6c1949e778f23ec9c4f0d7427b3d2938995b38a1021afd74f1ee990fb93933728cc4d34d911018d2bf8a98c9e2c3595

Download Submit
C:\Users\Admin\Downloads\BLTools v2.9.1 [PRO].rar

Filesize
4.7MB

MD5
7c278420a7ab0c7aa55c18bf1dca176a

SHA1
565af12ed76e8b2d5de4c3796e26634af45ac26d

SHA256
d4653d1d33a06367313d7a5ee6dd40d931a810d7e0ea5f26223a28dccd53f47a

SHA512
9288ca19b910ea84346c5f4ce5e481e11c992ad279422471d9f63d48725697b8b91e84187713b686bc33dd280c51e7e18fa82d3d22fadede39e996f84e709283

Download Submit
C:\Users\Admin\Downloads\BLTools v2.9.1 [PRO]\BLTools v2.9\BLTools v2.9.1[PRO].exe

Filesize
2.9MB

MD5
bc3466c1631aca5b8a9466e6029680ec

SHA1
618e029a367018a224b324d43878f0fc43b7215d

SHA256
7de8de10e82f5873a36f1d73d9af3c3c96b96a988ffbf4357c359b0f5b52fd1a

SHA512
4452660ea45eb2019aadd8bfbda14230517bccbe99443e0210617a1bc0d8d3b235fe03253e7a4c873203aeabf1e04ca206f9902285da9dc2e9889357ceed24df

Download Submit
C:\Windows\TEMP\gotarvwectil.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
7b1fe6890101f73a0c9796d8d585b168

SHA1
56eb99ee341b880cf7a80ebc705371aea87b3743

SHA256
93ea56ad38069dbc3d1ae192afd3f3dc8704e9298752f73729b95cf3298dcaca

SHA512
fe73cccfadc916f613fbcc7a80ec82ae1228ea2aa28bba4515851e82463e76942ff3a3d6bcc78ea666a841d89220fb49b8fa52279985e88fe0aec6728f21aefa

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2722730a0cf82161fb1452b600334796

SHA1
4479415f50cd9ab55c4f7bcdc1a0a5177492f053

SHA256
a44ba59eb52b4d6555065fa840ac7162080eb538e6b6a47198fe4961d0297833

SHA512
54ec97b79003db56fb1ca44b33a1c2a9748014a3c1dc84fdb2afca84d3c6618ad88ccb353d52078789e3e0ed0ee6c763a74bf34cea1334e427a264db9171dfb0

Download Submit
memory/872-354-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/872-363-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/872-353-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/872-351-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/872-356-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/872-358-0x0000000001580000-0x00000000015A0000-memory.dmp

Filesize
128KB

Download
memory/872-352-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/872-361-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/872-362-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/872-360-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/872-359-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/872-355-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/872-357-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2336-273-0x00000000058E0000-0x0000000005E84000-memory.dmp

Filesize
5.6MB

Download
memory/2336-274-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/2336-279-0x0000000005630000-0x000000000566C000-memory.dmp

Filesize
240KB

Download
memory/2336-278-0x0000000005610000-0x0000000005622000-memory.dmp

Filesize
72KB

Download
memory/2336-280-0x00000000056B0000-0x00000000056FC000-memory.dmp

Filesize
304KB

Download
memory/2336-277-0x0000000005720000-0x000000000582A000-memory.dmp

Filesize
1.0MB

Download
memory/2336-276-0x00000000064B0000-0x0000000006AC8000-memory.dmp

Filesize
6.1MB

Download
memory/2336-275-0x0000000005380000-0x000000000538A000-memory.dmp

Filesize
40KB

Download
memory/2336-272-0x0000000000A50000-0x0000000000AA2000-memory.dmp

Filesize
328KB

Download
memory/3924-443-0x000002925B080000-0x000002925B135000-memory.dmp

Filesize
724KB

Download
memory/4860-345-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4860-343-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4860-344-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4860-350-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4860-346-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4860-347-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5192-340-0x0000027659100000-0x000002765910A000-memory.dmp

Filesize
40KB

Download
memory/5192-332-0x0000027658E80000-0x0000027658E9C000-memory.dmp

Filesize
112KB

Download
memory/5192-333-0x0000027658EA0000-0x0000027658F55000-memory.dmp

Filesize
724KB

Download
memory/5192-334-0x0000027640710000-0x000002764071A000-memory.dmp

Filesize
40KB

Download
memory/5192-335-0x00000276590C0000-0x00000276590DC000-memory.dmp

Filesize
112KB

Download
memory/5192-336-0x0000027640720000-0x000002764072A000-memory.dmp

Filesize
40KB

Download
memory/5192-337-0x00000276590E0000-0x00000276590FA000-memory.dmp

Filesize
104KB

Download
memory/5192-338-0x00000276590A0000-0x00000276590A8000-memory.dmp

Filesize
32KB

Download
memory/5192-339-0x00000276590B0000-0x00000276590B6000-memory.dmp

Filesize
24KB

Download
memory/5588-304-0x000001A8E4520000-0x000001A8E4542000-memory.dmp

Filesize
136KB

Download