Malware Analysis Report

2024-10-19 04:37

Sample ID: 210914-qmsv6afge4
Target: 608b93e344bd3dbb09d0af9da6856061
SHA256: 5d45cef43fb4c150c33337fb369a89800f9d235eee1dbdac13a8f6fd13bc1ee4
Tags: servhelper xmrig backdoor miner persistence trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview, Signatures
  Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10
SHA256: 5d45cef43fb4c150c33337fb369a89800f9d235eee1dbdac13a8f6fd13bc1ee4
Threat Level: Known bad

The file 608b93e344bd3dbb09d0af9da6856061 was found to be: Known bad.

Malicious Activity Summary

Tags: servhelper xmrig backdoor miner persistence trojan

Family detections:
  xmrig
  ServHelper

Behaviours:
  Grants admin privileges
  Sets DLL path for service in the registry
  Modifies RDP port number used by Windows
  Drops file in System32 directory
  Drops file in Windows directory
  Modifies registry key
  Runs net.exe
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  Suspicious behavior: LoadsDriver
  Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2021-09-14 13:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-09-14 13:23
Reported: 2021-09-14 13:25
Platform: win7-en
Max time kernel: 137s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe

"C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe"

Network

N/A

Files

N/A

On Windows 7 the sample ran for the full window but triggered no signatures, spawned no child processes, wrote no files and made no network connections. Everything recorded below comes from the Windows 10 run (behavioral2) only. One plausible reason: the Windows 10 process tree launches PowerShell with -Version 5.1, and a stock Windows 7 image ships PowerShell 2.0, so a loader that insists on 5.1 has nothing to run on. Do not read the empty Win7 run as the sample being benign on older systems.

Analysis: behavioral2

Detonation Overview

Submitted: 2021-09-14 13:23
Reported: 2021-09-14 13:25
Platform: win10-en
Max time kernel: 84s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe"

Signatures

ServHelper (trojan, backdoor, servhelper)
xmrig (miner, xmrig)
Grants admin privileges
Modifies RDP port number used by Windows
Sets DLL path for service in the registry (persistence)

The xmrig tag is not borne out by anything else recorded in this run: there is no miner process, no mining configuration and no network traffic in the sections below. The behaviour this run actually demonstrates is a ServHelper-style RDP backdoor (hidden RDP port, hijacked TermService DLL, NETWORK SERVICE promoted to local administrator), and that is what the rest of the report should be read for.

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\rdpclip.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\mediasrv.png | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\branding\mediasvc.png | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

The image extensions are a disguise: C:\Windows\branding\mediasrv.png is the exact path that one of the reg.exe commands under Processes registers as the ServiceDLL of TermService, so svchost will load it as a DLL regardless of its name. C:\Windows\branding normally holds only Windows branding resources and is not written to after setup, so newly created .png/.jpg files there, written by PowerShell, are a cheap hunting indicator. The report does not record hashes for these dropped files, so they cannot be matched against the hashes under Files.

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

The report leaves the indicator column empty for this signature; the three reg.exe command lines under Processes show exactly what was written (the RDP-Tcp PortNumber, the TermService ServiceDLL and the fEnableWddmDriver policy value).

Runs net.exe

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (4 occurrences) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Every parent/child pair appears three times in the raw report; the rows are collapsed here to one line per pair, in the order recorded.

Parent PID | Child PID | Parent process | Child process
1612 | 3644 | C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3644 | 3780 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
3780 | 1644 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
3644 | 3880 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3644 | 2004 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3644 | 496 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3644 | 2312 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\reg.exe
3644 | 3904 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\reg.exe
3644 | 2552 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\reg.exe
3644 | 1908 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\net.exe
1908 | 3652 | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
3644 | 2496 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
2496 | 2620 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
2620 | 3880 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
3880 | 2892 | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
3644 | 3120 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
3120 | 4024 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
4024 | 4028 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
4028 | 3328 | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
3644 | 1688 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
3644 | 1828 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe

Note the reuse of PID 3880: it is first a PowerShell child of 3644 and later the net.exe spawned by cmd.exe 2620 (and the parent of net1.exe 2892). A process tree built from this table therefore cannot be keyed on PID alone.
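Turning a table like the one above into a process tree is routine, but the PID reuse it contains trips up the naive "dictionary keyed by PID" approach. The script below is an added example written for this report (it is not sandbox code and not the malware's). SAMPLE is a constructed subset of the rows recorded above, with a few of the triplicated rows kept so the de-duplication is exercised; the parsing and tree logic are the editor's own, and the ROW pattern assumes image paths without spaces, as in this report.

```python
"""Rebuild a process tree from the sandbox's "PID X wrote to memory of Y" rows.

Added example for this report; not code from the sandbox or from the malware.
SAMPLE is a constructed subset of the report's rows (triplicates kept on purpose);
the parser and tree logic are the editor's own.
"""
import ntpath
import re

# Assumes image paths contain no spaces, which holds for every row in this report.
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# Constructed input, copied from the report. The sandbox logs each creation three
# times, and PID 3880 is used for two different processes (PowerShell, then net.exe).
SAMPLE = r"""
PID 1612 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 3780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3780 wrote to memory of 1644 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3644 wrote to memory of 3880 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 2312 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3644 wrote to memory of 1908 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\net.exe
PID 1908 wrote to memory of 3652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3644 wrote to memory of 2496 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2620 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2620 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 3880 wrote to memory of 2892 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
"""


class Node:
    """One process instance. Every creation gets a fresh Node, so a reused PID
    yields two Nodes instead of one corrupted one."""
    def __init__(self, pid, image, order, parent=None):
        self.pid, self.image, self.order, self.parent = pid, image, order, parent
        self.children = []

    @property
    def name(self):
        return ntpath.basename(self.image)   # ntpath handles backslash paths on any OS


def parse_rows(text):
    """Yield (parent_pid, child_pid, parent_image, child_image) once per creation,
    collapsing the consecutive duplicate rows the sandbox emits for one spawn."""
    last = None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge != last:
            last = edge
            yield edge


def build_tree(text):
    """Return the root Nodes. The child of every row is a new Node; the parent is
    resolved to the most recently created Node with that PID and the same image,
    which is what makes PID reuse come out right. A parent never seen as a child
    (here the sample itself) becomes a root."""
    latest, roots, order = {}, [], 0
    for ppid, cpid, pimg, cimg in parse_rows(text):
        parent = latest.get(ppid)
        if parent is None or parent.image != pimg:
            order += 1
            parent = Node(ppid, pimg, order)
            latest[ppid] = parent
            roots.append(parent)
        order += 1
        child = Node(cpid, cimg, order, parent)
        parent.children.append(child)
        latest[cpid] = child
    return roots


def nodes_with_pid(roots, pid):
    """All Nodes carrying a PID, in creation order; more than one means reuse."""
    found = []

    def walk(n):
        if n.pid == pid:
            found.append(n)
        for c in n.children:
            walk(c)
    for r in roots:
        walk(r)
    return sorted(found, key=lambda n: n.order)


def render(roots):
    """Indented text tree of 'pid basename' lines."""
    lines = []

    def walk(n, depth):
        lines.append("  " * depth + f"{n.pid} {n.name}")
        for c in n.children:
            walk(c, depth + 1)
    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    tree = build_tree(SAMPLE)
    print(render(tree))
    for n in nodes_with_pid(tree, 3880):
        print(f"PID 3880 -> {n.name} (parent {n.parent.pid} {n.parent.name})")
```

Run it and the net.exe instance of 3880 lands under cmd.exe 2620, with net1.exe 2892 beneath it, while the earlier PowerShell 3880 stays under 3644. The same two rules (fresh node per creation, parent resolved to the latest node with matching PID and image) apply to Sysmon or EDR process-creation logs, where PID reuse is the norm over any window longer than a few minutes.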

Processes

Image paths and command lines are reproduced as recorded, in order; the indented notes after each group are editorial.

C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe
"C:\Users\Admin\AppData\Local\Temp\608b93e344bd3dbb09d0af9da6856061.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  Runs the dropped loader script with the execution policy bypassed. ready.ps1 is hashed under Files; everything below descends from it, and it is deleted by the del %temp%\*.ps1 command at the end of the tree.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pgf2ogpo\pgf2ogpo.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES555.tmp" "c:\Users\Admin\AppData\Local\Temp\pgf2ogpo\CSC7C53E3D0A2E74C089B16F1D5B1486D26.TMP"
  csc.exe with /noconfig /fullpaths and a random eight-character directory under %temp%, followed by cvtres.exe, is the usual footprint of PowerShell's Add-Type compiling inline C# into a temporary assembly. The resulting pgf2ogpo.dll and its pgf2ogpo.0.cs source are hashed under Files.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  Three identical helpers (PIDs 3880, 2004 and 496 in the WriteProcessMemory table). -s is -ServerMode, and this exact command line is what Start-Job uses to host background jobs, so these are children of the loader script rather than interactive shells.

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
  Moves the RDP listener from TCP/3389 to TCP/7201 (0x1C21), keeping the backdoor off the port that scanners and firewall rules usually watch. This is the "Modifies RDP port number used by Windows" signature.

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
  Replaces the DLL that svchost loads for Remote Desktop Services (normally %SystemRoot%\System32\termsrv.dll) with the dropped file. This is the persistence mechanism behind "Sets DLL path for service in the registry"; the service is restarted further down so the swap takes effect without a reboot.

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
  Disables, by policy, the WDDM graphics driver for Remote Desktop sessions (the "Use WDDM graphics display driver for Remote Desktop Connections" setting).

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
  TermService runs as NETWORK SERVICE; making that account a local administrator gives the replacement service DLL administrative rights. This is the "Grants admin privileges" signature. net.exe hands the work to net1.exe, which is why both appear.

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\SysWOW64\cmd.exe
cmd /c net start rdpdr

C:\Windows\SysWOW64\net.exe
net start rdpdr

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start rdpdr
  Starts the Remote Desktop device redirector. rdpdr is a kernel-mode driver (rdpdr.sys), which is the likely origin of the LoadsDriver signature.

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\SysWOW64\cmd.exe
cmd /c net start TermService

C:\Windows\SysWOW64\net.exe
net start TermService

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start TermService
  Starts Remote Desktop Services, which now loads C:\Windows\branding\mediasrv.png as its ServiceDLL, with the listener configured for TCP/7201.

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
  Clean-up: removes the loader scripts (ready.ps1, get-dnsprovider.PS1) and any .txt scratch files from %temp%. What remains on disk afterwards is the registry changes, the group membership and the files under C:\Windows\branding and SysWOW64\rdpclip.exe.
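The three reg.exe commands, the net.exe group change and the service restart above are each detectable from process command lines alone, and the ServiceDLL change followed by a start of the same service is the combination that separates this from an administrator fixing a broken termsrv.dll. The script below is an added example written for this report (not sandbox code and not the malware's): EVENTS is a constructed list of process-creation records whose command lines are copied from the Processes section, plus one constructed benign control, and the rules, field names and helper functions are the editor's own. The same scan() would run over Sysmon Event ID 1 or Security 4688 command lines exported from a SIEM.

```python
"""Flag the RDP backdoor set-up recorded in this report from process command lines.

Added example for this report; neither sandbox code nor the malware's. EVENTS is
constructed (command lines copied from the Processes section plus one benign
control); the rules and the record format are the editor's assumptions.
"""
import re

EVENTS = [
    {"pid": 2312, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmd": r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f'},
    {"pid": 3904, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmd": r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f'},
    {"pid": 2552, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmd": r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f'},
    {"pid": 1908, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add'},
    {"pid": 4028, "image": r"C:\Windows\SysWOW64\net.exe", "cmd": "net start TermService"},
    # Constructed benign control: an admin restoring the default port must not fire.
    {"pid": 5000, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3389 /f'},
]

# reg.exe accepts the key quoted or bare; data may be quoted. Case-insensitive throughout.
REG_ADD = re.compile(
    r'reg(?:\.exe)?"?\s+add\s+"?(?P<key>[^"]+?)"?\s+/v\s+(?P<name>\S+).*?/d\s+"?(?P<data>[^"\s]+)', re.I)
NET_GROUP = re.compile(
    r'net1?(?:\.exe)?"?\s+localgroup\s+(?P<group>\S+)\s+"?(?P<member>[^"]+?)"?\s+/add', re.I)
NET_START = re.compile(r'net1?(?:\.exe)?"?\s+start\s+"?(?P<svc>[^"\s]+)', re.I)
SERVICE_KEY = re.compile(r"\\services\\([^\\]+)\\parameters$", re.I)


def reg_dword(data):
    """reg.exe takes REG_DWORD data as decimal or 0x-prefixed hex; None if neither."""
    try:
        return int(data, 16) if data.lower().startswith("0x") else int(data)
    except ValueError:
        return None


def check_reg_add(ev, key, name, data):
    """Apply the three registry rules to one 'reg add' and return a finding or None."""
    k, n = key.lower(), name.lower()
    if k.endswith(r"\terminal server\winstations\rdp-tcp") and n == "portnumber":
        port = reg_dword(data)
        if port is not None and port != 3389:
            return {"rule": "rdp_port_changed", "pid": ev["pid"],
                    "detail": f"RDP listener moved to TCP/{port}"}
    svc = SERVICE_KEY.search(key)
    if svc and n == "servicedll":
        path = data.lower()
        # A service DLL outside System32, or not even named .dll, is a hijack until proven otherwise.
        trusted = path.startswith(("c:\\windows\\system32\\", "%systemroot%\\system32\\"))
        if not trusted or not path.endswith(".dll"):
            return {"rule": "servicedll_hijack", "pid": ev["pid"], "service": svc.group(1),
                    "detail": f"{svc.group(1)} ServiceDLL -> {data}"}
    if k.endswith(r"\windows nt\terminal services") and n == "fenablewddmdriver" and reg_dword(data) == 0:
        return {"rule": "wddm_driver_disabled", "pid": ev["pid"],
                "detail": "WDDM display driver disabled for RDP sessions by policy"}
    return None


def scan(events):
    """Run the rules over records in order; correlate a ServiceDLL change with a later
    start of the same service, which is the step that actually loads the hijacked DLL."""
    findings, hijacked = [], {}
    for ev in events:
        cmd = ev["cmd"]
        m = REG_ADD.search(cmd)
        if m:
            f = check_reg_add(ev, m["key"], m["name"], m["data"])
            if f:
                findings.append(f)
                if f["rule"] == "servicedll_hijack":
                    hijacked[f["service"].lower()] = f
            continue
        m = NET_GROUP.search(cmd)
        if m and m["group"].lower() == "administrators":
            findings.append({"rule": "local_admin_added", "pid": ev["pid"],
                             "detail": f'{m["member"]} added to {m["group"]}'})
            continue
        m = NET_START.search(cmd)
        if m and m["svc"].lower() in hijacked:
            findings.append({"rule": "hijacked_service_started", "pid": ev["pid"],
                             "detail": f'{m["svc"]} started after its ServiceDLL was replaced'})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f'[{f["rule"]}] pid={f["pid"]} {f["detail"]}')
```

On real telemetry the net.exe/net1.exe pair produces the local_admin_added finding twice (net1 carries the same arguments), so de-duplicate on the parent PID; and because the first two reg rules can legitimately fire during a sanctioned RDP hardening change, it is the servicedll_hijack plus hijacked_service_started pair that deserves the page, with the port change and the group addition as supporting context.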

Network

N/A

Files

memory/1612-115-0x0000000001670000-0x0000000001671000-memory.dmp

memory/1612-116-0x00000000058E0000-0x0000000005CDF000-memory.dmp

memory/1612-118-0x00000000061E0000-0x00000000061E1000-memory.dmp

memory/1612-119-0x0000000005E80000-0x0000000005E81000-memory.dmp

memory/1612-121-0x0000000001673000-0x0000000001674000-memory.dmp

memory/1612-120-0x0000000001672000-0x0000000001673000-memory.dmp

memory/1612-122-0x0000000001674000-0x0000000001675000-memory.dmp

memory/1612-123-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

memory/1612-124-0x00000000082F0000-0x00000000082F1000-memory.dmp

memory/3644-125-0x0000000000000000-mapping.dmp

memory/3644-128-0x0000000004410000-0x0000000004411000-memory.dmp

memory/3644-129-0x0000000006F70000-0x0000000006F71000-memory.dmp

memory/3644-130-0x0000000006E90000-0x0000000006E91000-memory.dmp

memory/3644-131-0x00000000075A0000-0x00000000075A1000-memory.dmp

memory/3644-133-0x0000000007910000-0x0000000007911000-memory.dmp

memory/3644-134-0x0000000007650000-0x0000000007651000-memory.dmp

memory/3644-135-0x0000000008000000-0x0000000008001000-memory.dmp

memory/3644-136-0x0000000004870000-0x0000000004871000-memory.dmp

memory/3644-137-0x0000000004872000-0x0000000004873000-memory.dmp

memory/3644-138-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

memory/3644-144-0x0000000009600000-0x0000000009601000-memory.dmp

memory/3644-145-0x0000000008C60000-0x0000000008C61000-memory.dmp

memory/3780-146-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\pgf2ogpo\pgf2ogpo.cmdline

MD5 d310e6793a5986bb7afaa38651449759
SHA1 32318bee3e00c14a91f04879ccec80a929ba0666
SHA256 8154cfbfcf3c5dfe52917784d34f8793f5144895ab275306d7c61f2845c71146
SHA512 364adde8d952bc68f1e6f8ec42a03b1eb4c209b8261a77e2f3391501650dc832870a5d616112eed5f695f93027f84fda88788c2788754f49a0b4f1dd8874ba6b

\??\c:\Users\Admin\AppData\Local\Temp\pgf2ogpo\pgf2ogpo.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

memory/1644-149-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\pgf2ogpo\CSC7C53E3D0A2E74C089B16F1D5B1486D26.TMP

MD5 381da61b5528ee653dbf6b3b575121d4
SHA1 9dd21bc284067bb025c954ed8a16f2d85f1d0ace
SHA256 30120c31a8b1bd5f018e67a9668c87111095c922eefafa92d9818f0fee46d064
SHA512 9adfbba2803991a07400558d39b3b24a8078fe53c4d326cfbddc111d7096fe57bc725913a126a3cc4a1e7138b0287e4079baf585afcb7b8cd39e28468f37d7ad

C:\Users\Admin\AppData\Local\Temp\RES555.tmp

MD5 29619ffceaf3d3cd68afbfd7c08c4183
SHA1 75c8c0aa4330a9cea177dd5f81495c138dcbe0b7
SHA256 b231535bc203b694e81c4c7444d22daee64dcb8f601b18babe8992022781ba2d
SHA512 9525dbda36ca6805ee94027bbaa661e023a018da02b492d929fdb75e1bc2e405144c7a46c82bf6e6e150bdb09b2b80a1ad636ca0e754752974dd6b0bfb3979f6

C:\Users\Admin\AppData\Local\Temp\pgf2ogpo\pgf2ogpo.dll

MD5 7c129454ab18fdeab20f058b08c7cfd4
SHA1 520508ab96d7861305168b05e31d6350a8f0f731
SHA256 4fca19ce79af84827c7f5df6d9cb2cc44adfd4f8d32f3f6dc8c3ef7c7f88c942
SHA512 0d1ec845a95a68b28bffc3853bb89fab2bee35b94f9669846bc1990c8688d8cec650e3644513232bf608c8ee89436d73be76bc058de7f97ddf06d06825cd7246

memory/3644-153-0x0000000008D00000-0x0000000008D01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 794bf0ae26a7efb0c516cf4a7692c501
SHA1 c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2
SHA256 97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825
SHA512 20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

memory/3644-155-0x0000000004873000-0x0000000004874000-memory.dmp

memory/3644-176-0x0000000009060000-0x0000000009061000-memory.dmp

memory/3880-177-0x0000000000000000-mapping.dmp

memory/3880-186-0x0000000007500000-0x0000000007501000-memory.dmp

memory/3880-187-0x0000000007502000-0x0000000007503000-memory.dmp

memory/3880-198-0x0000000009240000-0x0000000009273000-memory.dmp

memory/3880-206-0x0000000009220000-0x0000000009221000-memory.dmp

memory/3880-211-0x0000000009370000-0x0000000009371000-memory.dmp

memory/3880-212-0x000000007E590000-0x000000007E591000-memory.dmp

memory/3880-213-0x0000000009520000-0x0000000009521000-memory.dmp

memory/3880-406-0x00000000094C0000-0x00000000094C1000-memory.dmp

memory/3880-412-0x00000000094B0000-0x00000000094B1000-memory.dmp

memory/2004-432-0x0000000000000000-mapping.dmp

memory/2004-439-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

memory/2004-441-0x0000000004DB2000-0x0000000004DB3000-memory.dmp

memory/2004-536-0x000000007E210000-0x000000007E211000-memory.dmp

memory/496-683-0x0000000000000000-mapping.dmp

memory/496-697-0x00000000070D2000-0x00000000070D3000-memory.dmp

memory/496-696-0x00000000070D0000-0x00000000070D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 f3068198b62b4b70404ec46694d632be
SHA1 7b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256 bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512 ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

memory/496-792-0x000000007ECE0000-0x000000007ECE1000-memory.dmp

memory/2312-962-0x0000000000000000-mapping.dmp

memory/3904-963-0x0000000000000000-mapping.dmp

memory/2552-964-0x0000000000000000-mapping.dmp

memory/1908-1001-0x0000000000000000-mapping.dmp

memory/3652-1002-0x0000000000000000-mapping.dmp

memory/2496-1005-0x0000000000000000-mapping.dmp

memory/2620-1006-0x0000000000000000-mapping.dmp

memory/3880-1007-0x0000000000000000-mapping.dmp

memory/2892-1008-0x0000000000000000-mapping.dmp

memory/3120-1009-0x0000000000000000-mapping.dmp

memory/4024-1010-0x0000000000000000-mapping.dmp

memory/4028-1011-0x0000000000000000-mapping.dmp

memory/3328-1012-0x0000000000000000-mapping.dmp

memory/1688-1025-0x0000000000000000-mapping.dmp

memory/1828-1026-0x0000000000000000-mapping.dmp

memory/3644-1058-0x000000007F070000-0x000000007F071000-memory.dmp