Malware Analysis Report

2024-11-13 16:49

Sample ID 200518-m7nvffm12n
Target newbuer.exe
SHA256 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
Tags buer, loader, persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c

Threat Level: Known bad

The file newbuer.exe was found to be: Known bad.

Malicious Activity Summary

Tags: buer, loader, persistence

Buer

Modifies WinLogon for persistence

Buer Loader

Executes dropped EXE

Loads dropped DLL

Deletes itself

Enumerates connected drives

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-05-18 15:42

Signatures

NSIS installer

Tags: installer

Description Indicator Process Target
(1 hit; no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2020-05-18 15:42

Reported

2020-05-18 15:45

Platform

win7v200430

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\newbuer.exe"

Signatures

Buer

Tags: loader, buer

Modifies WinLogon for persistence

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\RedTools\\networker.exe\"" C:\ProgramData\RedTools\networker.exe N/A

The value is written by the dropped copy itself into the logged-on user's hive (HKU\<SID>, i.e. HKCU), which needs no elevation, and it keeps explorer.exe as the first entry so the desktop still comes up. Winlogon launches every comma-separated entry in Shell, so networker.exe is started at each logon of that user. A clean Shell value is just explorer.exe; any second entry here is a high-confidence indicator.
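As an added example (not part of the sandbox report and not Buer's own code), the Python below splits a Winlogon Shell value the way Winlogon does (comma-separated, entries optionally double-quoted) and flags anything that is not explorer.exe. The sample value is the one from the table above, un-escaped to the form the registry actually stores; the registry snapshot it audits is constructed, with one clean HKLM value and the poisoned user-hive value from this run.

```python
import csv
from typing import Dict, List

# Windows' stock value for Winlogon\Shell, and the only entry a clean
# per-user override should ever contain.
DEFAULT_SHELL = "explorer.exe"

# Value from the behavioral1 signature above, un-escaped: comma-separated,
# second entry double-quoted.
SAMPLE_SHELL_VALUE = r'explorer.exe, "C:\ProgramData\RedTools\networker.exe"'


def split_shell_value(value: str) -> List[str]:
    """Split a Winlogon Shell value into its program entries.

    Winlogon runs every comma-separated entry; an entry may be double-quoted
    when the path contains spaces. csv with skipinitialspace handles both.
    """
    reader = csv.reader([value], delimiter=",", quotechar='"', skipinitialspace=True)
    return [entry.strip() for entry in next(reader, []) if entry.strip()]


def non_default_shell_entries(value: str) -> List[str]:
    """Return every Shell entry that is not the stock explorer.exe.

    The comparison is case-insensitive and tolerates a full path to
    explorer.exe, so a legitimate but unusually written value does not alert.
    """
    extras = []
    for entry in split_shell_value(value):
        name = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name != DEFAULT_SHELL:
            extras.append(entry)
    return extras


def audit_shell_values(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit a mapping of registry key -> Shell value; returns only the hits."""
    return {key: extras for key, value in values.items()
            if (extras := non_default_shell_entries(value))}


if __name__ == "__main__":
    # Constructed snapshot: a clean machine-wide value and the user hive from this run.
    snapshot = {
        r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe",
        r"HKU\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": SAMPLE_SHELL_VALUE,
    }
    for key, extras in audit_shell_values(snapshot).items():
        print(f"{key}\n  extra shell entries: {extras}")
```

On a live host the same functions can be fed the output of `reg query` for HKLM and for every loaded user hive under HKU; the check is cheap enough to run at every logon.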

Buer Loader

Description Indicator Process Target
(2 hits; no description, indicator, process or target recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\RedTools\networker.exe N/A
N/A N/A C:\ProgramData\RedTools\networker.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\RedTools\networker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe N/A
N/A N/A C:\ProgramData\RedTools\networker.exe N/A

Enumerates connected drives

networker.exe opens every drive letter from A: to Z: except C: and D: (24 read-only opens): a full drive-letter sweep for attached or mapped volumes rather than access to any specific path.

Description Indicator Process Target
File opened (read-only) \??\M: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\P: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\T: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\U: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\W: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\V: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\Y: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\G: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\I: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\J: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\L: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\O: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\S: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\Z: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\B: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\H: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\K: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\Q: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\R: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\A: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\E: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\F: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\N: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\X: C:\ProgramData\RedTools\networker.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 288 set thread context of 112 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\Users\Admin\AppData\Local\Temp\newbuer.exe
PID 1836 set thread context of 1788 N/A C:\ProgramData\RedTools\networker.exe C:\ProgramData\RedTools\networker.exe

In both rows the parent resets the thread context of a freshly spawned copy of its own image, the same child it writes into in the WriteProcessMemory table below: the process-hollowing sequence. Taken together the two tables give the chain newbuer.exe (288) -> newbuer.exe (112) -> networker.exe (1836) -> networker.exe (1788) -> secinit.exe (1784), with secinit.exe, a Windows system binary, as the final host for the injected stage.

Enumerates physical storage devices

NSIS installer

Tags: installer

Description Indicator Process Target
(8 hits; no description, indicator, process or target recorded)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\RedTools\networker.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe N/A
N/A N/A C:\ProgramData\RedTools\networker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 288 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\Users\Admin\AppData\Local\Temp\newbuer.exe
PID 288 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\Users\Admin\AppData\Local\Temp\newbuer.exe
PID 288 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\Users\Admin\AppData\Local\Temp\newbuer.exe
PID 288 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\Users\Admin\AppData\Local\Temp\newbuer.exe
PID 288 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\Users\Admin\AppData\Local\Temp\newbuer.exe
PID 112 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\ProgramData\RedTools\networker.exe
PID 112 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\ProgramData\RedTools\networker.exe
PID 112 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\ProgramData\RedTools\networker.exe
PID 112 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\ProgramData\RedTools\networker.exe
PID 1836 wrote to memory of 1788 N/A C:\ProgramData\RedTools\networker.exe C:\ProgramData\RedTools\networker.exe
PID 1836 wrote to memory of 1788 N/A C:\ProgramData\RedTools\networker.exe C:\ProgramData\RedTools\networker.exe
PID 1836 wrote to memory of 1788 N/A C:\ProgramData\RedTools\networker.exe C:\ProgramData\RedTools\networker.exe
PID 1836 wrote to memory of 1788 N/A C:\ProgramData\RedTools\networker.exe C:\ProgramData\RedTools\networker.exe
PID 1836 wrote to memory of 1788 N/A C:\ProgramData\RedTools\networker.exe C:\ProgramData\RedTools\networker.exe
PID 1788 wrote to memory of 1784 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe
PID 1788 wrote to memory of 1784 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe
PID 1788 wrote to memory of 1784 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe
PID 1788 wrote to memory of 1784 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe
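The SetThreadContext and WriteProcessMemory tables above are the raw material for reconstructing the injection chain. As an added example (not from the report), the Python below parses the "PID X wrote to memory of Y" and "PID X set thread context of Y" rows, counts writes and context resets per parent/child pair, labels a pair where a process writes into a child running its own image and then resets its thread context as the hollowing pattern, and follows the edges from the root PID to produce the chain. The event text and the PID-to-image map are constructed from the behavioral1 tables.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed from the behavioral1 SetThreadContext and WriteProcessMemory tables.
# Repeated rows are kept: the number of writes per pair is part of the signal.
SAMPLE_EVENTS = """\
PID 288 set thread context of 112
PID 1836 set thread context of 1788
PID 288 wrote to memory of 112
PID 288 wrote to memory of 112
PID 288 wrote to memory of 112
PID 288 wrote to memory of 112
PID 288 wrote to memory of 112
PID 112 wrote to memory of 1836
PID 112 wrote to memory of 1836
PID 112 wrote to memory of 1836
PID 112 wrote to memory of 1836
PID 1836 wrote to memory of 1788
PID 1836 wrote to memory of 1788
PID 1836 wrote to memory of 1788
PID 1836 wrote to memory of 1788
PID 1836 wrote to memory of 1788
PID 1788 wrote to memory of 1784
PID 1788 wrote to memory of 1784
PID 1788 wrote to memory of 1784
PID 1788 wrote to memory of 1784
"""

# PID -> image path, from the Process/Target columns of the same tables.
SAMPLE_IMAGES: Dict[int, str] = {
    288: r"C:\Users\Admin\AppData\Local\Temp\newbuer.exe",
    112: r"C:\Users\Admin\AppData\Local\Temp\newbuer.exe",
    1836: r"C:\ProgramData\RedTools\networker.exe",
    1788: r"C:\ProgramData\RedTools\networker.exe",
    1784: r"C:\Windows\SysWOW64\secinit.exe",
}

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")
KINDS = {"wrote to memory of": "writes", "set thread context of": "set_context"}
Edge = Tuple[int, int]


def parse_events(text: str) -> List[Tuple[str, int, int]]:
    """Turn signature rows into (kind, source_pid, target_pid); other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((KINDS[m.group(2)], int(m.group(1)), int(m.group(3))))
    return events


def summarize_edges(events) -> Dict[Edge, Dict[str, int]]:
    """Count writes and thread-context resets per (source, target) pair."""
    edges: Dict[Edge, Dict[str, int]] = {}
    for kind, src, dst in events:
        counts = edges.setdefault((src, dst), {"writes": 0, "set_context": 0})
        counts[kind] += 1
    return edges


def classify_edge(src: int, dst: int, counts: Dict[str, int], images: Dict[int, str]) -> str:
    """Label an edge by what the parent did and whether parent and child share an image.

    Write plus SetThreadContext into a child running the parent's own image is the
    hollowing sequence: spawn self suspended, overwrite, redirect the entry point.
    """
    same_image = images.get(src) == images.get(dst)
    if counts["writes"] and counts["set_context"]:
        return "hollowing pattern" if same_image else "cross-image write + thread hijack"
    if counts["writes"]:
        return "remote write into own copy" if same_image else "cross-image remote write"
    return "thread context reset only"


def injection_chains(root: int, edges: Dict[Edge, Dict[str, int]]) -> List[List[int]]:
    """Every root-to-leaf path through the write/context edges, PID-ordered at each fork."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chains: List[List[int]] = []

    def walk(path: List[int]) -> None:
        nxt = [d for d in sorted(children[path[-1]]) if d not in path]  # cycle guard
        if not nxt:
            chains.append(path)
            return
        for d in nxt:
            walk(path + [d])

    walk([root])
    return chains


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def report(text: str, images: Dict[int, str], root: int) -> List[str]:
    """One summary line per edge, then one per reconstructed chain."""
    edges = summarize_edges(parse_events(text))
    lines = []
    for (src, dst), counts in sorted(edges.items()):
        label = classify_edge(src, dst, counts, images)
        lines.append(f"{src} -> {dst}: {counts['writes']} writes, "
                     f"{counts['set_context']} context resets: {label}")
    for chain in injection_chains(root, edges):
        lines.append(" -> ".join(f"{pid} ({basename(images.get(pid, '?'))})" for pid in chain))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS, SAMPLE_IMAGES, root=288)))
```

The same parser works unchanged on the behavioral2 tables (root PID 504), and the edge labels are what to look for in EDR telemetry: a process writing into a suspended child of its own image and then calling SetThreadContext is the hollowing signal regardless of which loader family is behind it.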

Processes

C:\Users\Admin\AppData\Local\Temp\newbuer.exe

"C:\Users\Admin\AppData\Local\Temp\newbuer.exe"

C:\Users\Admin\AppData\Local\Temp\newbuer.exe

"C:\Users\Admin\AppData\Local\Temp\newbuer.exe"

C:\ProgramData\RedTools\networker.exe

C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ

C:\ProgramData\RedTools\networker.exe

C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe

C:\ProgramData\RedTools\networker.exe

Two details of the tree are worth noting. The dropped copy is launched with the original sample path as its first argument and the token ensgJJ as its second, which fits the Deletes itself signature being attributed to networker.exe rather than to the original: the copy removes the file it was handed. And the secinit.exe process carries networker.exe's path as its command line, not its own, the mark of a process created purely as a host for injected code (the 1788 -> 1784 writes above) rather than started in the normal way.

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 maldivosgrant.net udp
N/A 47.241.116.77:443 maldivosgrant.net tcp
N/A 8.8.8.8:53 www.download.windowsupdate.com udp
N/A 47.241.116.77:443 maldivosgrant.net tcp

Only maldivosgrant.net (resolved via 8.8.8.8 to 47.241.116.77 and contacted twice over TCP/443) is attributable to the sample; the www.download.windowsupdate.com lookup is the guest OS's own. The domain and IP are the network IOCs to carry forward. The report records no decrypted content, so what was exchanged on 443 is not established here.

Files

\Users\Admin\AppData\Local\Temp\nsqA39F.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

memory/112-1-0x0000000040000000-0x000000004000C000-memory.dmp

memory/112-2-0x0000000040000000-0x000000004000C000-memory.dmp

Both dumps cover the same 0xC000-byte (48 KB) region at 0x40000000 in PID 112, the hollowed newbuer.exe child that PID 288 wrote into; this region, not the NSIS wrapper, is the most likely place to find the unpacked stage and is what to carve and analyse.

\ProgramData\RedTools\networker.exe

MD5 4df84f8de8a5526f119c26518b529757
SHA1 42d281abeb10649bff097504f20e8fc2c8e85f5c
SHA256 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
SHA512 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88

The SHA256 matches the submitted sample: networker.exe is a byte-for-byte copy of newbuer.exe relocated to C:\ProgramData\RedTools, not a second-stage download. The repeated networker.exe entries below are the same file logged at each write or execute event.

C:\ProgramData\RedTools\networker.exe

MD5 4df84f8de8a5526f119c26518b529757
SHA1 42d281abeb10649bff097504f20e8fc2c8e85f5c
SHA256 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
SHA512 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88

C:\ProgramData\RedTools\networker.exe

MD5 4df84f8de8a5526f119c26518b529757
SHA1 42d281abeb10649bff097504f20e8fc2c8e85f5c
SHA256 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
SHA512 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88

C:\Users\Admin\AppData\Local\Temp\730984234

MD5 ba027a8a3a774d78ecd4919809951bfa
SHA1 1a0509011eeff5b96705f7ee330105965e6a2912
SHA256 5eee8f9e5ca969cf58b38df6125d3666a59000f9f5ff24635e9d8b59d4debd96
SHA512 32baa56e4935eb53a87604fdeae15d09c4da61d8d61e1429c2f63201cd6cfe194711b6690bae6984d414c71dc5917371caa5c92dc6be147e1f4d45557d06b9f8

\Users\Admin\AppData\Local\Temp\nsbAB1E.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

C:\ProgramData\RedTools\networker.exe

MD5 4df84f8de8a5526f119c26518b529757
SHA1 42d281abeb10649bff097504f20e8fc2c8e85f5c
SHA256 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
SHA512 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88

Analysis: behavioral2

Detonation Overview

Submitted

2020-05-18 15:42

Reported

2020-05-18 15:44

Platform

win10v200430

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\newbuer.exe"

Signatures

Modifies WinLogon for persistence

Tags: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\RedTools\\networker.exe\"" C:\ProgramData\RedTools\networker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\RedTools\networker.exe N/A
N/A N/A C:\ProgramData\RedTools\networker.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\RedTools\networker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe N/A
N/A N/A C:\ProgramData\RedTools\networker.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\L: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\O: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\P: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\R: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\U: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\B: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\G: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\W: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\M: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\N: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\Q: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\T: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\Y: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\Z: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\A: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\I: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\J: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\V: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\X: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\F: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\H: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\E: C:\ProgramData\RedTools\networker.exe N/A
File opened (read-only) \??\S: C:\ProgramData\RedTools\networker.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 504 set thread context of 656 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\Users\Admin\AppData\Local\Temp\newbuer.exe
PID 2828 set thread context of 3832 N/A C:\ProgramData\RedTools\networker.exe C:\ProgramData\RedTools\networker.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\secinit.exe

The crashed process is the secinit.exe that networker.exe (PID 3832) wrote into; WerFault.exe is invoked with -p 4088 in the process list below. The injected final stage therefore did not run cleanly on win10 in this detonation, and the win10 results for that stage should be read with that in mind.

NSIS installer

Tags: installer

Description Indicator Process Target
(6 hits; no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe N/A
N/A N/A C:\ProgramData\RedTools\networker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

All three privilege adjustments are made by WerFault.exe while it dumps the crashed secinit.exe (SeDebugPrivilege is what lets it open the process); this is Windows Error Reporting's normal behaviour, not the sample's, and should not be counted against it.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 504 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\Users\Admin\AppData\Local\Temp\newbuer.exe
PID 504 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\Users\Admin\AppData\Local\Temp\newbuer.exe
PID 504 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\Users\Admin\AppData\Local\Temp\newbuer.exe
PID 504 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\Users\Admin\AppData\Local\Temp\newbuer.exe
PID 656 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\ProgramData\RedTools\networker.exe
PID 656 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\ProgramData\RedTools\networker.exe
PID 656 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\newbuer.exe C:\ProgramData\RedTools\networker.exe
PID 2828 wrote to memory of 3832 N/A C:\ProgramData\RedTools\networker.exe C:\ProgramData\RedTools\networker.exe
PID 2828 wrote to memory of 3832 N/A C:\ProgramData\RedTools\networker.exe C:\ProgramData\RedTools\networker.exe
PID 2828 wrote to memory of 3832 N/A C:\ProgramData\RedTools\networker.exe C:\ProgramData\RedTools\networker.exe
PID 2828 wrote to memory of 3832 N/A C:\ProgramData\RedTools\networker.exe C:\ProgramData\RedTools\networker.exe
PID 3832 wrote to memory of 4088 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe
PID 3832 wrote to memory of 4088 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe
PID 3832 wrote to memory of 4088 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe
PID 3832 wrote to memory of 4088 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe
PID 3832 wrote to memory of 4088 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe
PID 3832 wrote to memory of 4088 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe
PID 3832 wrote to memory of 4088 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe
PID 3832 wrote to memory of 4088 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe
PID 3832 wrote to memory of 4088 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe
PID 3832 wrote to memory of 4088 N/A C:\ProgramData\RedTools\networker.exe C:\Windows\SysWOW64\secinit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\newbuer.exe

"C:\Users\Admin\AppData\Local\Temp\newbuer.exe"

C:\Users\Admin\AppData\Local\Temp\newbuer.exe

"C:\Users\Admin\AppData\Local\Temp\newbuer.exe"

C:\ProgramData\RedTools\networker.exe

C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ

C:\ProgramData\RedTools\networker.exe

C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe

C:\ProgramData\RedTools\networker.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 544

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 maldivosgrant.net udp
N/A 47.241.116.77:443 maldivosgrant.net tcp
N/A 13.107.4.52:80 www.msftconnecttest.com tcp
N/A 8.248.3.254:80 ctldl.windowsupdate.com tcp
N/A 47.241.116.77:443 maldivosgrant.net tcp

Same resolver, same domain and same IP on win10 as on win7, which makes maldivosgrant.net / 47.241.116.77 a stable indicator across both detonations. www.msftconnecttest.com and ctldl.windowsupdate.com are the guest's own connectivity and certificate-trust-list checks and should be excluded from any blocklist built from this report.

Files

\Users\Admin\AppData\Local\Temp\nsw74ED.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

C:\ProgramData\RedTools\networker.exe

MD5 4df84f8de8a5526f119c26518b529757
SHA1 42d281abeb10649bff097504f20e8fc2c8e85f5c
SHA256 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
SHA512 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88

C:\ProgramData\RedTools\networker.exe

MD5 4df84f8de8a5526f119c26518b529757
SHA1 42d281abeb10649bff097504f20e8fc2c8e85f5c
SHA256 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
SHA512 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88

C:\Users\Admin\AppData\Local\Temp\730984234

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These are the digests of zero-length input: on win10 the file was empty when the sandbox hashed it, whereas the win7 run recorded SHA256 5eee8f9e5ca969cf58b38df6125d3666a59000f9f5ff24635e9d8b59d4debd96 for the same path. Do not use the empty-file hashes as IOCs; the win7 digest is the one worth keeping.

\Users\Admin\AppData\Local\Temp\nsq7C0D.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

C:\ProgramData\RedTools\networker.exe

MD5 4df84f8de8a5526f119c26518b529757
SHA1 42d281abeb10649bff097504f20e8fc2c8e85f5c
SHA256 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
SHA512 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88

memory/304-6-0x00000000042A0000-0x00000000042A1000-memory.dmp

memory/304-7-0x0000000004C10000-0x0000000004C11000-memory.dmp
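Both Files sections repeat the same few artifacts under different paths and across two runs. As an added example (not from the report), the Python below triages such a list: it groups entries by SHA256, flags entries whose hash equals the submitted sample (self-copies), and flags entries carrying the digests of zero-length input, which must never become IOCs. The entries are constructed from the two Files sections above and the sample SHA256 is the one in the report header.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c"

# Digests of b"": an entry carrying these was empty when the sandbox hashed it.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

NSIS_SYSTEM_DLL = "ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7"
TEMP_730984234_WIN7 = "5eee8f9e5ca969cf58b38df6125d3666a59000f9f5ff24635e9d8b59d4debd96"

# Constructed from the behavioral1 and behavioral2 Files sections: (run, path, md5, sha256).
SAMPLE_FILES: List[Tuple[str, str, str, str]] = [
    ("behavioral1", r"\Users\Admin\AppData\Local\Temp\nsqA39F.tmp\System.dll",
     "0063d48afe5a0cdc02833145667b6641", NSIS_SYSTEM_DLL),
    ("behavioral1", r"\ProgramData\RedTools\networker.exe",
     "4df84f8de8a5526f119c26518b529757", SAMPLE_SHA256),
    ("behavioral1", r"C:\ProgramData\RedTools\networker.exe",
     "4df84f8de8a5526f119c26518b529757", SAMPLE_SHA256),
    ("behavioral1", r"C:\Users\Admin\AppData\Local\Temp\730984234",
     "ba027a8a3a774d78ecd4919809951bfa", TEMP_730984234_WIN7),
    ("behavioral1", r"\Users\Admin\AppData\Local\Temp\nsbAB1E.tmp\System.dll",
     "0063d48afe5a0cdc02833145667b6641", NSIS_SYSTEM_DLL),
    ("behavioral2", r"\Users\Admin\AppData\Local\Temp\nsw74ED.tmp\System.dll",
     "0063d48afe5a0cdc02833145667b6641", NSIS_SYSTEM_DLL),
    ("behavioral2", r"C:\ProgramData\RedTools\networker.exe",
     "4df84f8de8a5526f119c26518b529757", SAMPLE_SHA256),
    ("behavioral2", r"C:\Users\Admin\AppData\Local\Temp\730984234",
     "d41d8cd98f00b204e9800998ecf8427e",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("behavioral2", r"\Users\Admin\AppData\Local\Temp\nsq7C0D.tmp\System.dll",
     "0063d48afe5a0cdc02833145667b6641", NSIS_SYSTEM_DLL),
]


def triage_files(entries, sample_sha256: str) -> Dict[str, object]:
    """Split a sandbox file list into self-copies, empty captures and distinct artifacts."""
    self_copies = set()
    empty: List[Tuple[str, str]] = []
    by_hash: Dict[str, set] = defaultdict(set)
    for run, path, md5, sha256 in entries:
        if sha256 == sample_sha256:
            self_copies.add(path)            # the sample relocating itself
        elif sha256 == EMPTY_SHA256 or md5 == EMPTY_MD5:
            empty.append((run, path))        # zero-byte capture, not an indicator
        else:
            by_hash[sha256].add(path)        # genuinely distinct dropped content
    return {
        "self_copies": sorted(self_copies),
        "empty": sorted(empty),
        "unique_artifacts": {h: sorted(paths) for h, paths in by_hash.items()},
    }


def ioc_hashes(result: Dict[str, object], sample_sha256: str) -> List[str]:
    """SHA256 values worth exporting: the sample itself plus each distinct dropped artifact."""
    return sorted({sample_sha256, *result["unique_artifacts"]})


if __name__ == "__main__":
    result = triage_files(SAMPLE_FILES, SAMPLE_SHA256)
    print("self-copies:", result["self_copies"])
    print("empty captures:", result["empty"])
    for sha256, paths in result["unique_artifacts"].items():
        print(sha256, "->", paths)
    print("IOC hashes:", ioc_hashes(result, SAMPLE_SHA256))
```

Note that the four System.dll entries collapse to one hash: that is the NSIS System plugin the installer extracts to a fresh nsXXXX.tmp directory on every run, so it will match any NSIS-built package and is a weak indicator on its own.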