redline | 4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d

Analysis

max time kernel
138s
max time network
150s
platform
windows10_x64
resource
win10-en-20211014
submitted
01-12-2021 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exe
Size

980KB
MD5

9148ff616cc568897c299dab46a6c57d
SHA1

f91a4cfd04660dac905a2a22470b95a5537650bf
SHA256

4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d
SHA512

c7a6b2e0acf8f6c6286c880f848ca108ed9a423b16151cfb959bfa342bc1407102028e2a602176da806de69eb58471ef3448dc624e3c1ca9f3bcb51b68fd2cf1

Score

10^/10

redline xmrig lastlovely discovery infostealer miner spyware stealer

Malware Config

Extracted

Family

redline

185.215.113.57:50723

Extracted

Family

redline

Botnet

LastLovely

95.181.152.177:21142

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2256-120-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2256-121-0x000000000041B78E-mapping.dmp	family_redline
behavioral1/memory/2256-128-0x0000000005110000-0x0000000005716000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\awsgfasg.exe	family_redline
C:\Users\Admin\AppData\Roaming\awsgfasg.exe	family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 5072 created 1688 5072 WerFault.exe KadkaDK.exe
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

fl.exeKadkaDK.exeawsgfasg.exegweqg.exeandvlr.exesihost32.exe

pid process

1036 fl.exe
1688 KadkaDK.exe
1884 awsgfasg.exe
2844 gweqg.exe
3496 andvlr.exe
1764 sihost32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	pid	process	target process
PID 5072 created 1688	5072	WerFault.exe	KadkaDK.exe

pid	process
1036	fl.exe
1688	KadkaDK.exe
1884	awsgfasg.exe
2844	gweqg.exe
3496	andvlr.exe
1764	sihost32.exe

Drops file in System32 directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\andvlr.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	conhost.exe
File created	C:\Windows\system32\andvlr.exe	conhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exe

description	pid	process	target process
PID 4384 set thread context of 2256	4384	4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4980 2844 WerFault.exe gweqg.exe
5072 1688 WerFault.exe KadkaDK.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
4980	2844	WerFault.exe	gweqg.exe
5072	1688	WerFault.exe	KadkaDK.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3748 schtasks.exe

pid	process
3748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

RegAsm.exeWerFault.execonhost.exeWerFault.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exe

pid	process
2256	RegAsm.exe
2256	RegAsm.exe
2256	RegAsm.exe
4980	WerFault.exe
4980	WerFault.exe
4980	WerFault.exe
4980	WerFault.exe
4980	WerFault.exe
4980	WerFault.exe
4980	WerFault.exe
4980	WerFault.exe
4980	WerFault.exe
4980	WerFault.exe
4980	WerFault.exe
4980	WerFault.exe
4980	WerFault.exe
5112	conhost.exe
5072	WerFault.exe
5072	WerFault.exe
5072	WerFault.exe
5072	WerFault.exe
5072	WerFault.exe
5072	WerFault.exe
5072	WerFault.exe
5072	WerFault.exe
5072	WerFault.exe
5072	WerFault.exe
5072	WerFault.exe
5072	WerFault.exe
5072	WerFault.exe
5072	WerFault.exe
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
4140	powershell.exe
4140	powershell.exe
4140	powershell.exe
2968	conhost.exe
2968	conhost.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RegAsm.exeKadkaDK.exeawsgfasg.exegweqg.exeWerFault.exeWerFault.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2256	RegAsm.exe
Token: SeDebugPrivilege	1688	KadkaDK.exe
Token: SeDebugPrivilege	1884	awsgfasg.exe
Token: SeDebugPrivilege	2844	gweqg.exe
Token: SeDebugPrivilege	4980	WerFault.exe
Token: SeRestorePrivilege	5072	WerFault.exe
Token: SeBackupPrivilege	5072	WerFault.exe
Token: SeBackupPrivilege	5072	WerFault.exe
Token: SeDebugPrivilege	5112	conhost.exe
Token: SeDebugPrivilege	5072	WerFault.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeIncreaseQuotaPrivilege	5036	powershell.exe
Token: SeSecurityPrivilege	5036	powershell.exe
Token: SeTakeOwnershipPrivilege	5036	powershell.exe
Token: SeLoadDriverPrivilege	5036	powershell.exe
Token: SeSystemProfilePrivilege	5036	powershell.exe
Token: SeSystemtimePrivilege	5036	powershell.exe
Token: SeProfSingleProcessPrivilege	5036	powershell.exe
Token: SeIncBasePriorityPrivilege	5036	powershell.exe
Token: SeCreatePagefilePrivilege	5036	powershell.exe
Token: SeBackupPrivilege	5036	powershell.exe
Token: SeRestorePrivilege	5036	powershell.exe
Token: SeShutdownPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeSystemEnvironmentPrivilege	5036	powershell.exe
Token: SeRemoteShutdownPrivilege	5036	powershell.exe
Token: SeUndockPrivilege	5036	powershell.exe
Token: SeManageVolumePrivilege	5036	powershell.exe
Token: 33	5036	powershell.exe
Token: 34	5036	powershell.exe
Token: 35	5036	powershell.exe
Token: 36	5036	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeIncreaseQuotaPrivilege	4140	powershell.exe
Token: SeSecurityPrivilege	4140	powershell.exe
Token: SeTakeOwnershipPrivilege	4140	powershell.exe
Token: SeLoadDriverPrivilege	4140	powershell.exe
Token: SeSystemProfilePrivilege	4140	powershell.exe
Token: SeSystemtimePrivilege	4140	powershell.exe
Token: SeProfSingleProcessPrivilege	4140	powershell.exe
Token: SeIncBasePriorityPrivilege	4140	powershell.exe
Token: SeCreatePagefilePrivilege	4140	powershell.exe
Token: SeBackupPrivilege	4140	powershell.exe
Token: SeRestorePrivilege	4140	powershell.exe
Token: SeShutdownPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeSystemEnvironmentPrivilege	4140	powershell.exe
Token: SeRemoteShutdownPrivilege	4140	powershell.exe
Token: SeUndockPrivilege	4140	powershell.exe
Token: SeManageVolumePrivilege	4140	powershell.exe
Token: 33	4140	powershell.exe
Token: 34	4140	powershell.exe
Token: 35	4140	powershell.exe
Token: 36	4140	powershell.exe
Token: SeDebugPrivilege	2968	conhost.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeIncreaseQuotaPrivilege	3664	powershell.exe
Token: SeSecurityPrivilege	3664	powershell.exe
Token: SeTakeOwnershipPrivilege	3664	powershell.exe
Token: SeLoadDriverPrivilege	3664	powershell.exe
Token: SeSystemProfilePrivilege	3664	powershell.exe
Token: SeSystemtimePrivilege	3664	powershell.exe
Token: SeProfSingleProcessPrivilege	3664	powershell.exe
Token: SeIncBasePriorityPrivilege	3664	powershell.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exeRegAsm.exefl.execonhost.execmd.execmd.execmd.exeandvlr.execonhost.execmd.exesihost32.exe

description	pid	process	target process
PID 4384 wrote to memory of 2256	4384	4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exe	RegAsm.exe
PID 4384 wrote to memory of 2256	4384	4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exe	RegAsm.exe
PID 4384 wrote to memory of 2256	4384	4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exe	RegAsm.exe
PID 4384 wrote to memory of 2256	4384	4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exe	RegAsm.exe
PID 4384 wrote to memory of 2256	4384	4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exe	RegAsm.exe
PID 4384 wrote to memory of 2256	4384	4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exe	RegAsm.exe
PID 4384 wrote to memory of 2256	4384	4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exe	RegAsm.exe
PID 4384 wrote to memory of 2256	4384	4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exe	RegAsm.exe
PID 2256 wrote to memory of 1036	2256	RegAsm.exe	fl.exe
PID 2256 wrote to memory of 1036	2256	RegAsm.exe	fl.exe
PID 2256 wrote to memory of 1688	2256	RegAsm.exe	KadkaDK.exe
PID 2256 wrote to memory of 1688	2256	RegAsm.exe	KadkaDK.exe
PID 2256 wrote to memory of 1688	2256	RegAsm.exe	KadkaDK.exe
PID 2256 wrote to memory of 1884	2256	RegAsm.exe	awsgfasg.exe
PID 2256 wrote to memory of 1884	2256	RegAsm.exe	awsgfasg.exe
PID 2256 wrote to memory of 1884	2256	RegAsm.exe	awsgfasg.exe
PID 2256 wrote to memory of 2844	2256	RegAsm.exe	gweqg.exe
PID 2256 wrote to memory of 2844	2256	RegAsm.exe	gweqg.exe
PID 1036 wrote to memory of 5112	1036	fl.exe	conhost.exe
PID 1036 wrote to memory of 5112	1036	fl.exe	conhost.exe
PID 1036 wrote to memory of 5112	1036	fl.exe	conhost.exe
PID 5112 wrote to memory of 2956	5112	conhost.exe	cmd.exe
PID 5112 wrote to memory of 2956	5112	conhost.exe	cmd.exe
PID 2956 wrote to memory of 5036	2956	cmd.exe	powershell.exe
PID 2956 wrote to memory of 5036	2956	cmd.exe	powershell.exe
PID 5112 wrote to memory of 4188	5112	conhost.exe	cmd.exe
PID 5112 wrote to memory of 4188	5112	conhost.exe	cmd.exe
PID 4188 wrote to memory of 3748	4188	cmd.exe	schtasks.exe
PID 4188 wrote to memory of 3748	4188	cmd.exe	schtasks.exe
PID 2956 wrote to memory of 4140	2956	cmd.exe	powershell.exe
PID 2956 wrote to memory of 4140	2956	cmd.exe	powershell.exe
PID 5112 wrote to memory of 2288	5112	conhost.exe	cmd.exe
PID 5112 wrote to memory of 2288	5112	conhost.exe	cmd.exe
PID 2288 wrote to memory of 3496	2288	cmd.exe	andvlr.exe
PID 2288 wrote to memory of 3496	2288	cmd.exe	andvlr.exe
PID 3496 wrote to memory of 2968	3496	andvlr.exe	conhost.exe
PID 3496 wrote to memory of 2968	3496	andvlr.exe	conhost.exe
PID 3496 wrote to memory of 2968	3496	andvlr.exe	conhost.exe
PID 2968 wrote to memory of 744	2968	conhost.exe	cmd.exe
PID 2968 wrote to memory of 744	2968	conhost.exe	cmd.exe
PID 744 wrote to memory of 3664	744	cmd.exe	powershell.exe
PID 744 wrote to memory of 3664	744	cmd.exe	powershell.exe
PID 2968 wrote to memory of 1764	2968	conhost.exe	sihost32.exe
PID 2968 wrote to memory of 1764	2968	conhost.exe	sihost32.exe
PID 744 wrote to memory of 2820	744	cmd.exe	powershell.exe
PID 744 wrote to memory of 2820	744	cmd.exe	powershell.exe
PID 1764 wrote to memory of 4264	1764	sihost32.exe	conhost.exe
PID 1764 wrote to memory of 4264	1764	sihost32.exe	conhost.exe
PID 1764 wrote to memory of 4264	1764	sihost32.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exe
"C:\Users\Admin\AppData\Local\Temp\4cf15c857663476ccfe09612dc9a785d914c8c7abe270b87959584a63ad6cb7d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fl.exe"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "andvlr" /tr "C:\Windows\system32\andvlr.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "andvlr" /tr "C:\Windows\system32\andvlr.exe"
6⤵
- Creates scheduled task(s)
PID:3748

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\andvlr.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\system32\andvlr.exe
C:\Windows\system32\andvlr.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\andvlr.exe"
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
8⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2820

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost32"
9⤵
PID:4264

C:\Users\Admin\AppData\Roaming\KadkaDK.exe
"C:\Users\Admin\AppData\Roaming\KadkaDK.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1208
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Users\Admin\AppData\Roaming\awsgfasg.exe
"C:\Users\Admin\AppData\Roaming\awsgfasg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Users\Admin\AppData\Roaming\gweqg.exe
"C:\Users\Admin\AppData\Roaming\gweqg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2844 -s 1728
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b0dac73e8b1e0cd7b422a525ea0d16c1

SHA1
7247f5560e43a0cab9f9599e21974c17ff05ab6f

SHA256
040732c0f76b2bb9078135c7f78377eae8f703d9de74c3ab156344bfcead7471

SHA512
fe1d198a06974c7575da95f92cef787fb46f59c0815d6e5fe99ae9c725edd24fa34c972873b5f13999998899d271d075cf5a974848416d41e95caa8e0427cd16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1c4c02cf178edb4fcaf3141b2f588be9

SHA1
c28dd53f026b43426cbba99364d3b7b435d30593

SHA256
5a206fba4bbd0eadf267e4e63c552506ba95b2a7c7796b60fb44b8f95b3d9dd4

SHA512
32647741a41820a6d4fd7772be848e5b992c431207b9cec4d71c0d89cc361d6c0e2b6a58c8bd0bdfe6d6a2af02c224e3ef51cd65a4f14653a1672f100df10bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f41b2b2b638ddde80382af5070cf071a

SHA1
50e077b9d8614ca35ce719091c408f244a0de32c

SHA256
173c4bd32c4afdad2275e504da4f3701674093465fd91141620d901af2c071af

SHA512
69009620485372d31ff6b9dc2c15bef9bee60f574373beda336236e3707f3195aa476c784495f156f3abc09cbd9b51e5ffc9b2decb37a7d0133fc482bb38b9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
0035b34512dad0ef44809110112a5cc2

SHA1
3b446191399501fe9a29f6a96d7d156848bab473

SHA256
8dab74b2ead2cdf0e96331d78000755d71b17e9c42f526c719d3c305212fe7e5

SHA512
0ca5636ad2e0b1b1524a90d4727055958f9427561ab90cc3d86532484823f3597bdfa22bce7b48bfabe6459ba0d296ae7c9246307a19152fcae7f1ba30768078

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
0035b34512dad0ef44809110112a5cc2

SHA1
3b446191399501fe9a29f6a96d7d156848bab473

SHA256
8dab74b2ead2cdf0e96331d78000755d71b17e9c42f526c719d3c305212fe7e5

SHA512
0ca5636ad2e0b1b1524a90d4727055958f9427561ab90cc3d86532484823f3597bdfa22bce7b48bfabe6459ba0d296ae7c9246307a19152fcae7f1ba30768078

Download Submit
C:\Users\Admin\AppData\Roaming\KadkaDK.exe
MD5
eabb876f62eff390575fdefbf1610b77

SHA1
77eb326354b51c47c365e6f962ac13927151c931

SHA256
4eac12423a78201d89bf682621b5be5409f9667140f853115ed151c4af89abcb

SHA512
29b3be38eb22c036e09d7547db8d8e448fd77d674a85b3054ff428c6f28c57353e3980b058f976314836c07b544735383d3da48dbf72c33acf29ed37ae5fcebd

Download Submit
C:\Users\Admin\AppData\Roaming\KadkaDK.exe
MD5
eabb876f62eff390575fdefbf1610b77

SHA1
77eb326354b51c47c365e6f962ac13927151c931

SHA256
4eac12423a78201d89bf682621b5be5409f9667140f853115ed151c4af89abcb

SHA512
29b3be38eb22c036e09d7547db8d8e448fd77d674a85b3054ff428c6f28c57353e3980b058f976314836c07b544735383d3da48dbf72c33acf29ed37ae5fcebd

Download Submit
C:\Users\Admin\AppData\Roaming\awsgfasg.exe
MD5
bc10fe4be5e059a43d1e3f011a954887

SHA1
80c4bfd50e61e2a26b627b7408665e1780235f76

SHA256
a164764cbb99eecc87860d4b8e8be71bc2e6094b243cc36946eaa573f2d34dc3

SHA512
1174fe72eb161e2c1f31c4e6dbe5e6bb45585e34c68b38db122d83b47b0c34ad4d763703bd5606bf07d7d0e1b43b51f5447a480915633626898e26c4026c679a

Download Submit
C:\Users\Admin\AppData\Roaming\awsgfasg.exe
MD5
bc10fe4be5e059a43d1e3f011a954887

SHA1
80c4bfd50e61e2a26b627b7408665e1780235f76

SHA256
a164764cbb99eecc87860d4b8e8be71bc2e6094b243cc36946eaa573f2d34dc3

SHA512
1174fe72eb161e2c1f31c4e6dbe5e6bb45585e34c68b38db122d83b47b0c34ad4d763703bd5606bf07d7d0e1b43b51f5447a480915633626898e26c4026c679a

Download Submit
C:\Users\Admin\AppData\Roaming\gweqg.exe
MD5
eb8c7dbf71a662e3771496a956e6a973

SHA1
e6badc656d030610c6135e46f93078d67c49a61f

SHA256
86ceeed4cf1642869ac16d1089e68244bb2b7612f943519e0adf94e284fdd99a

SHA512
5fe92baee6ef14491d3771330dc6f591d0557adb7b616b32838819ba738cf7c4351546e6a693c37c23079f18c7ca7a45c10e6a07708bf4c4c0ca86419af57c42

Download Submit
C:\Users\Admin\AppData\Roaming\gweqg.exe
MD5
eb8c7dbf71a662e3771496a956e6a973

SHA1
e6badc656d030610c6135e46f93078d67c49a61f

SHA256
86ceeed4cf1642869ac16d1089e68244bb2b7612f943519e0adf94e284fdd99a

SHA512
5fe92baee6ef14491d3771330dc6f591d0557adb7b616b32838819ba738cf7c4351546e6a693c37c23079f18c7ca7a45c10e6a07708bf4c4c0ca86419af57c42

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
ba579b12c264341c6edf148a73cbae57

SHA1
7307f4322c415f179e6bcf9769efd44697d2c0c6

SHA256
8bf830a0830a5197edf51158e6b9fb039e86de3d0126595b87f20768efa4cc8c

SHA512
67ac6f10d5aa568c5ac0c752fa7c7e4277191f828cd51e00800b3ad06f738d058e091281465066d08d665325d4c315885f9f5db6ee9c0b70e14e0d5706efca2c

Download Submit
C:\Windows\System32\andvlr.exe
MD5
0035b34512dad0ef44809110112a5cc2

SHA1
3b446191399501fe9a29f6a96d7d156848bab473

SHA256
8dab74b2ead2cdf0e96331d78000755d71b17e9c42f526c719d3c305212fe7e5

SHA512
0ca5636ad2e0b1b1524a90d4727055958f9427561ab90cc3d86532484823f3597bdfa22bce7b48bfabe6459ba0d296ae7c9246307a19152fcae7f1ba30768078

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
MD5
ba579b12c264341c6edf148a73cbae57

SHA1
7307f4322c415f179e6bcf9769efd44697d2c0c6

SHA256
8bf830a0830a5197edf51158e6b9fb039e86de3d0126595b87f20768efa4cc8c

SHA512
67ac6f10d5aa568c5ac0c752fa7c7e4277191f828cd51e00800b3ad06f738d058e091281465066d08d665325d4c315885f9f5db6ee9c0b70e14e0d5706efca2c

Download Submit
C:\Windows\system32\andvlr.exe
MD5
0035b34512dad0ef44809110112a5cc2

SHA1
3b446191399501fe9a29f6a96d7d156848bab473

SHA256
8dab74b2ead2cdf0e96331d78000755d71b17e9c42f526c719d3c305212fe7e5

SHA512
0ca5636ad2e0b1b1524a90d4727055958f9427561ab90cc3d86532484823f3597bdfa22bce7b48bfabe6459ba0d296ae7c9246307a19152fcae7f1ba30768078

Download Submit
memory/744-288-0x0000000000000000-mapping.dmp

Download
memory/1036-138-0x0000000000000000-mapping.dmp

Download
memory/1688-161-0x00000000048C0000-0x0000000004DBE000-memory.dmp

Filesize
5.0MB

Download
memory/1688-141-0x0000000000000000-mapping.dmp

Download
memory/1688-145-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1764-309-0x0000000000000000-mapping.dmp

Download
memory/1884-160-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/1884-151-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1884-162-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/1884-144-0x0000000000000000-mapping.dmp

Download
memory/2256-120-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2256-129-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/2256-133-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download
memory/2256-135-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/2256-128-0x0000000005110000-0x0000000005716000-memory.dmp

Filesize
6.0MB

Download
memory/2256-132-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/2256-131-0x00000000060B0000-0x00000000060B1000-memory.dmp

Filesize
4KB

Download
memory/2256-137-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/2256-130-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2256-134-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/2256-136-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/2256-121-0x000000000041B78E-mapping.dmp

Download
memory/2256-124-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/2256-125-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/2256-126-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/2256-127-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/2288-272-0x0000000000000000-mapping.dmp

Download
memory/2820-355-0x0000016819AA0000-0x0000016819AA2000-memory.dmp

Filesize
8KB

Download
memory/2820-341-0x0000000000000000-mapping.dmp

Download
memory/2820-382-0x0000016819AA8000-0x0000016819AA9000-memory.dmp

Filesize
4KB

Download
memory/2820-381-0x0000016819AA6000-0x0000016819AA8000-memory.dmp

Filesize
8KB

Download
memory/2820-356-0x0000016819AA3000-0x0000016819AA5000-memory.dmp

Filesize
8KB

Download
memory/2844-165-0x00000251DA3F0000-0x00000251DA3F2000-memory.dmp

Filesize
8KB

Download
memory/2844-164-0x00000251F44D0000-0x00000251F47C6000-memory.dmp

Filesize
3.0MB

Download
memory/2844-172-0x0000025183780000-0x0000025183781000-memory.dmp

Filesize
4KB

Download
memory/2844-150-0x0000000000000000-mapping.dmp

Download
memory/2844-168-0x00000251DA3F5000-0x00000251DA3F7000-memory.dmp

Filesize
8KB

Download
memory/2844-166-0x00000251DA3F4000-0x00000251DA3F5000-memory.dmp

Filesize
4KB

Download
memory/2844-169-0x0000025180A70000-0x0000025180D5B000-memory.dmp

Filesize
2.9MB

Download
memory/2844-167-0x00000251DA3F2000-0x00000251DA3F4000-memory.dmp

Filesize
8KB

Download
memory/2844-171-0x0000025180FA0000-0x0000025180FA1000-memory.dmp

Filesize
4KB

Download
memory/2844-173-0x00007FFC27FF0000-0x00007FFC281CB000-memory.dmp

Filesize
1.9MB

Download
memory/2844-170-0x0000025180D60000-0x0000025180F7A000-memory.dmp

Filesize
2.1MB

Download
memory/2844-156-0x00000251D9C40000-0x00000251D9C41000-memory.dmp

Filesize
4KB

Download
memory/2956-184-0x0000000000000000-mapping.dmp

Download
memory/2968-296-0x000002B89D040000-0x000002B89D042000-memory.dmp

Filesize
8KB

Download
memory/2968-297-0x000002B89D043000-0x000002B89D045000-memory.dmp

Filesize
8KB

Download
memory/2968-298-0x000002B89D046000-0x000002B89D047000-memory.dmp

Filesize
4KB

Download
memory/3496-275-0x0000000000000000-mapping.dmp

Download
memory/3664-289-0x0000000000000000-mapping.dmp

Download
memory/3664-299-0x000001DA50E60000-0x000001DA50E62000-memory.dmp

Filesize
8KB

Download
memory/3664-300-0x000001DA50E63000-0x000001DA50E65000-memory.dmp

Filesize
8KB

Download
memory/3664-337-0x000001DA50E66000-0x000001DA50E68000-memory.dmp

Filesize
8KB

Download
memory/3664-354-0x000001DA50E68000-0x000001DA50E69000-memory.dmp

Filesize
4KB

Download
memory/3748-202-0x0000000000000000-mapping.dmp

Download
memory/4140-270-0x0000023362C66000-0x0000023362C68000-memory.dmp

Filesize
8KB

Download
memory/4140-230-0x0000000000000000-mapping.dmp

Download
memory/4140-271-0x0000023362C68000-0x0000023362C69000-memory.dmp

Filesize
4KB

Download
memory/4140-244-0x0000023362C63000-0x0000023362C65000-memory.dmp

Filesize
8KB

Download
memory/4140-243-0x0000023362C60000-0x0000023362C62000-memory.dmp

Filesize
8KB

Download
memory/4188-201-0x0000000000000000-mapping.dmp

Download
memory/4264-391-0x000001EB3CA60000-0x000001EB3CA62000-memory.dmp

Filesize
8KB

Download
memory/4264-392-0x000001EB3CA63000-0x000001EB3CA65000-memory.dmp

Filesize
8KB

Download
memory/4264-390-0x000001EB3C750000-0x000001EB3C756000-memory.dmp

Filesize
24KB

Download
memory/4264-393-0x000001EB3CA66000-0x000001EB3CA67000-memory.dmp

Filesize
4KB

Download
memory/4384-119-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/4384-117-0x00000000023A0000-0x00000000023A2000-memory.dmp

Filesize
8KB

Download
memory/4384-115-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/4384-118-0x000000001D750000-0x000000001D751000-memory.dmp

Filesize
4KB

Download
memory/5036-192-0x00000241AE0D0000-0x00000241AE0D2000-memory.dmp

Filesize
8KB

Download
memory/5036-203-0x00000241AE330000-0x00000241AE332000-memory.dmp

Filesize
8KB

Download
memory/5036-195-0x00000241C8A30000-0x00000241C8A31000-memory.dmp

Filesize
4KB

Download
memory/5036-194-0x00000241AE0D0000-0x00000241AE0D2000-memory.dmp

Filesize
8KB

Download
memory/5036-193-0x00000241AE0D0000-0x00000241AE0D2000-memory.dmp

Filesize
8KB

Download
memory/5036-205-0x00000241AE336000-0x00000241AE338000-memory.dmp

Filesize
8KB

Download
memory/5036-206-0x00000241AE0D0000-0x00000241AE0D2000-memory.dmp

Filesize
8KB

Download
memory/5036-197-0x00000241AE0D0000-0x00000241AE0D2000-memory.dmp

Filesize
8KB

Download
memory/5036-207-0x00000241AE0D0000-0x00000241AE0D2000-memory.dmp

Filesize
8KB

Download
memory/5036-189-0x00000241AE0D0000-0x00000241AE0D2000-memory.dmp

Filesize
8KB

Download
memory/5036-188-0x00000241AE0D0000-0x00000241AE0D2000-memory.dmp

Filesize
8KB

Download
memory/5036-204-0x00000241AE333000-0x00000241AE335000-memory.dmp

Filesize
8KB

Download
memory/5036-185-0x0000000000000000-mapping.dmp

Download
memory/5036-196-0x00000241AE0D0000-0x00000241AE0D2000-memory.dmp

Filesize
8KB

Download
memory/5036-242-0x00000241AE338000-0x00000241AE339000-memory.dmp

Filesize
4KB

Download
memory/5036-199-0x00000241AE0D0000-0x00000241AE0D2000-memory.dmp

Filesize
8KB

Download
memory/5112-183-0x000002C0B7790000-0x000002C0B7792000-memory.dmp

Filesize
8KB

Download
memory/5112-177-0x000002C0B7790000-0x000002C0B7792000-memory.dmp

Filesize
8KB

Download
memory/5112-176-0x000002C0B7790000-0x000002C0B7792000-memory.dmp

Filesize
8KB

Download
memory/5112-175-0x000002C0B7790000-0x000002C0B7792000-memory.dmp

Filesize
8KB

Download
memory/5112-178-0x000002C0B7790000-0x000002C0B7792000-memory.dmp

Filesize
8KB

Download
memory/5112-179-0x000002C0D1CA0000-0x000002C0D1E8D000-memory.dmp

Filesize
1.9MB

Download
memory/5112-181-0x000002C0B7790000-0x000002C0B7792000-memory.dmp

Filesize
8KB

Download
memory/5112-186-0x000002C0B71A0000-0x000002C0B7391000-memory.dmp

Filesize
1.9MB

Download
memory/5112-190-0x000002C0B9033000-0x000002C0B9035000-memory.dmp

Filesize
8KB

Download
memory/5112-191-0x000002C0B9036000-0x000002C0B9037000-memory.dmp

Filesize
4KB

Download
memory/5112-187-0x000002C0B9030000-0x000002C0B9032000-memory.dmp

Filesize
8KB

Download