redline | 74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
09-12-2021 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
Size

299KB
MD5

a7b8bb9f2aaf5c1a07af5fdfabb2a1f4
SHA1

e5d892d8c416d2768f12e7f45c8588a0c98f5987
SHA256

74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b
SHA512

041a14d3f3cc4d4264b5a151330c7022606d715888c3b30bc169010475e9171e1fa37c96181255e8d32fd6065a90a64f5a8df693fe3a5a0c9f92bd83998511f9

Score

10^/10

redline smokeloader 1488 noname backdoor discovery infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32

Extracted

Family

redline

195.133.47.114:38627

Extracted

Family

redline

Botnet

NoName

185.215.113.29:26828

Extracted

Family

redline

Botnet

1488

80.66.87.52:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/828-65-0x0000000000E30000-0x0000000000E98000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\97AE.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\97AE.exe	family_redline
behavioral1/memory/1700-95-0x00000000001C0000-0x000000000022C000-memory.dmp	family_redline
behavioral1/memory/1672-136-0x0000000001F60000-0x0000000001F8E000-memory.dmp	family_redline
behavioral1/memory/1672-137-0x0000000001FF0000-0x000000000201C000-memory.dmp	family_redline
behavioral1/memory/1500-146-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1500-147-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1500-148-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1500-149-0x0000000000418FB6-mapping.dmp	family_redline
behavioral1/memory/1500-151-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

761A.exe97AE.exeB4FF.exeferrari2.exeUnderdrudgery.exeKnots.exeKnots.exe1B51.exe

pid process

828 761A.exe
2032 97AE.exe
1700 B4FF.exe
1672 ferrari2.exe
360 Underdrudgery.exe
1628 Knots.exe
1500 Knots.exe
1956 1B51.exe
Deletes itself 1 IoCs

Processes:

pid process

1200
Loads dropped DLL 11 IoCs

Processes:

97AE.exeKnots.exe

pid process

2032 97AE.exe
2032 97AE.exe
2032 97AE.exe
2032 97AE.exe
2032 97AE.exe
2032 97AE.exe
1628 Knots.exe
1200
1200
1200
1200
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

761A.exeB4FF.exe

pid process

828 761A.exe
1700 B4FF.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Knots.exe

description pid process target process

PID 1628 set thread context of 1500 1628 Knots.exe Knots.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
828	761A.exe
2032	97AE.exe
1700	B4FF.exe
1672	ferrari2.exe
360	Underdrudgery.exe
1628	Knots.exe
1500	Knots.exe
1956	1B51.exe

pid	process
1200

pid	process
2032	97AE.exe
2032	97AE.exe
2032	97AE.exe
2032	97AE.exe
2032	97AE.exe
2032	97AE.exe
1628	Knots.exe
1200
1200
1200
1200

pid	process
828	761A.exe
1700	B4FF.exe

description	pid	process	target process
PID 1628 set thread context of 1500	1628	Knots.exe	Knots.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe

pid	process
740	a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
740	a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1200
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe

pid process

740 a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe

pid	process
1200

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

97AE.exe761A.exeKnots.exeB4FF.exeferrari2.exeUnderdrudgery.exeKnots.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2032	97AE.exe
Token: SeDebugPrivilege	828	761A.exe
Token: SeDebugPrivilege	1628	Knots.exe
Token: SeDebugPrivilege	1700	B4FF.exe
Token: SeDebugPrivilege	1672	ferrari2.exe
Token: SeDebugPrivilege	360	Underdrudgery.exe
Token: SeShutdownPrivilege	1200
Token: SeDebugPrivilege	1500	Knots.exe
Token: SeShutdownPrivilege	1200
Token: SeShutdownPrivilege	1200
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeShutdownPrivilege	1200
Token: SeShutdownPrivilege	1200

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1200
1200
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1200
1200

pid	process
1200
1200

pid	process
1200
1200

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

97AE.exeKnots.exe1B51.exepowershell.execsc.exe

description	pid	process	target process
PID 1200 wrote to memory of 828	1200		761A.exe
PID 1200 wrote to memory of 828	1200		761A.exe
PID 1200 wrote to memory of 828	1200		761A.exe
PID 1200 wrote to memory of 828	1200		761A.exe
PID 1200 wrote to memory of 828	1200		761A.exe
PID 1200 wrote to memory of 828	1200		761A.exe
PID 1200 wrote to memory of 828	1200		761A.exe
PID 1200 wrote to memory of 2032	1200		97AE.exe
PID 1200 wrote to memory of 2032	1200		97AE.exe
PID 1200 wrote to memory of 2032	1200		97AE.exe
PID 1200 wrote to memory of 2032	1200		97AE.exe
PID 1200 wrote to memory of 1700	1200		B4FF.exe
PID 1200 wrote to memory of 1700	1200		B4FF.exe
PID 1200 wrote to memory of 1700	1200		B4FF.exe
PID 1200 wrote to memory of 1700	1200		B4FF.exe
PID 1200 wrote to memory of 1700	1200		B4FF.exe
PID 1200 wrote to memory of 1700	1200		B4FF.exe
PID 1200 wrote to memory of 1700	1200		B4FF.exe
PID 2032 wrote to memory of 1672	2032	97AE.exe	ferrari2.exe
PID 2032 wrote to memory of 1672	2032	97AE.exe	ferrari2.exe
PID 2032 wrote to memory of 1672	2032	97AE.exe	ferrari2.exe
PID 2032 wrote to memory of 1672	2032	97AE.exe	ferrari2.exe
PID 2032 wrote to memory of 360	2032	97AE.exe	Underdrudgery.exe
PID 2032 wrote to memory of 360	2032	97AE.exe	Underdrudgery.exe
PID 2032 wrote to memory of 360	2032	97AE.exe	Underdrudgery.exe
PID 2032 wrote to memory of 360	2032	97AE.exe	Underdrudgery.exe
PID 2032 wrote to memory of 1628	2032	97AE.exe	Knots.exe
PID 2032 wrote to memory of 1628	2032	97AE.exe	Knots.exe
PID 2032 wrote to memory of 1628	2032	97AE.exe	Knots.exe
PID 2032 wrote to memory of 1628	2032	97AE.exe	Knots.exe
PID 1628 wrote to memory of 1500	1628	Knots.exe	Knots.exe
PID 1628 wrote to memory of 1500	1628	Knots.exe	Knots.exe
PID 1628 wrote to memory of 1500	1628	Knots.exe	Knots.exe
PID 1628 wrote to memory of 1500	1628	Knots.exe	Knots.exe
PID 1628 wrote to memory of 1500	1628	Knots.exe	Knots.exe
PID 1628 wrote to memory of 1500	1628	Knots.exe	Knots.exe
PID 1628 wrote to memory of 1500	1628	Knots.exe	Knots.exe
PID 1628 wrote to memory of 1500	1628	Knots.exe	Knots.exe
PID 1628 wrote to memory of 1500	1628	Knots.exe	Knots.exe
PID 1200 wrote to memory of 1956	1200		1B51.exe
PID 1200 wrote to memory of 1956	1200		1B51.exe
PID 1200 wrote to memory of 1956	1200		1B51.exe
PID 1956 wrote to memory of 1776	1956	1B51.exe	powershell.exe
PID 1956 wrote to memory of 1776	1956	1B51.exe	powershell.exe
PID 1956 wrote to memory of 1776	1956	1B51.exe	powershell.exe
PID 1776 wrote to memory of 1992	1776	powershell.exe	csc.exe
PID 1776 wrote to memory of 1992	1776	powershell.exe	csc.exe
PID 1776 wrote to memory of 1992	1776	powershell.exe	csc.exe
PID 1992 wrote to memory of 1196	1992	csc.exe	cvtres.exe
PID 1992 wrote to memory of 1196	1992	csc.exe	cvtres.exe
PID 1992 wrote to memory of 1196	1992	csc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
"C:\Users\Admin\AppData\Local\Temp\a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:740

C:\Users\Admin\AppData\Local\Temp\761A.exe
C:\Users\Admin\AppData\Local\Temp\761A.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Users\Admin\AppData\Local\Temp\97AE.exe
C:\Users\Admin\AppData\Local\Temp\97AE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\ferrari2.exe
"C:\Users\Admin\AppData\Local\Temp\ferrari2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Users\Admin\AppData\Local\Temp\Underdrudgery.exe
"C:\Users\Admin\AppData\Local\Temp\Underdrudgery.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Users\Admin\AppData\Local\Temp\Knots.exe
"C:\Users\Admin\AppData\Local\Temp\Knots.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\Knots.exe
C:\Users\Admin\AppData\Local\Temp\Knots.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Users\Admin\AppData\Local\Temp\B4FF.exe
C:\Users\Admin\AppData\Local\Temp\B4FF.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Users\Admin\AppData\Local\Temp\1B51.exe
C:\Users\Admin\AppData\Local\Temp\1B51.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cekumdvo.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D04.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D03.tmp"
4⤵
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B51.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\761A.exe
MD5
77ce7ab11225c5e723b7b1be0308e8c0

SHA1
709a8df1d49f28cf8c293694bbbbd0f07735829b

SHA256
d407b5c7d9568448f1e7387924fe4dded9e016632879c386c307ef5dcf63f496

SHA512
f73582206397db625bdefbbaf8abdc1a820ae8054eb2ef2a3ed18c8e00e8365c7ad81013b33990e4304619b3834a1b8b15c782905204add158fca686e2c25c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\761A.exe
MD5
77ce7ab11225c5e723b7b1be0308e8c0

SHA1
709a8df1d49f28cf8c293694bbbbd0f07735829b

SHA256
d407b5c7d9568448f1e7387924fe4dded9e016632879c386c307ef5dcf63f496

SHA512
f73582206397db625bdefbbaf8abdc1a820ae8054eb2ef2a3ed18c8e00e8365c7ad81013b33990e4304619b3834a1b8b15c782905204add158fca686e2c25c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\97AE.exe
MD5
3ba1d635fed88d8af279be91b7007bae

SHA1
62a1d59c746cdb51e699114f410749384a70cf73

SHA256
3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a

SHA512
83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\97AE.exe
MD5
3ba1d635fed88d8af279be91b7007bae

SHA1
62a1d59c746cdb51e699114f410749384a70cf73

SHA256
3151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a

SHA512
83254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4FF.exe
MD5
f80418f12c03a56ac2e8d8b189c13750

SHA1
cd0b728375e4e178b50bca8ad65ce79aede30d37

SHA256
cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716

SHA512
e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4FF.exe
MD5
f80418f12c03a56ac2e8d8b189c13750

SHA1
cd0b728375e4e178b50bca8ad65ce79aede30d37

SHA256
cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716

SHA512
e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196

Download Submit
C:\Users\Admin\AppData\Local\Temp\Knots.exe
MD5
e1c9ff41a69e7b381d498c56243e3f19

SHA1
b09e041a9d71ab8bc5965ffb3dd14d74ea932bce

SHA256
1482d5afef2f604625b850fbe609699c64a342d1880e9d27ef62a77817b75cdc

SHA512
a005c87491bb48d96af386e8ed9cf3604a2fa708ea03219404587d69470e4516e8e71f7306e107c98b9baea83de29490cf81cdd216e752fce9b4019cf069885e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Knots.exe
MD5
e1c9ff41a69e7b381d498c56243e3f19

SHA1
b09e041a9d71ab8bc5965ffb3dd14d74ea932bce

SHA256
1482d5afef2f604625b850fbe609699c64a342d1880e9d27ef62a77817b75cdc

SHA512
a005c87491bb48d96af386e8ed9cf3604a2fa708ea03219404587d69470e4516e8e71f7306e107c98b9baea83de29490cf81cdd216e752fce9b4019cf069885e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Knots.exe
MD5
e1c9ff41a69e7b381d498c56243e3f19

SHA1
b09e041a9d71ab8bc5965ffb3dd14d74ea932bce

SHA256
1482d5afef2f604625b850fbe609699c64a342d1880e9d27ef62a77817b75cdc

SHA512
a005c87491bb48d96af386e8ed9cf3604a2fa708ea03219404587d69470e4516e8e71f7306e107c98b9baea83de29490cf81cdd216e752fce9b4019cf069885e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D04.tmp
MD5
9b3cce05e8afc0ee99a3c27f421ffc7e

SHA1
f9c15cd6a585478a327198284d393a71b588f79b

SHA256
131a7f8e2c857693b6e0b29d2211fb54f0d4cea17d204b331d949383fa406d48

SHA512
615e8edc1e942519aefe96d3ed60d115e267a30a510a7e3668ef7f77a0e5f3d6f983cf0c3bbe8afeb338149a4c6aa9f6d06123c0a286065337cabe04cfc84e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Underdrudgery.exe
MD5
2ffa5d1b7d1413ef62fbf4a563fcb2cd

SHA1
39940d9a1fcc29358f95225322120edf40d07c74

SHA256
b9c5f232e24751cae00ba80f54bac968e97354a810eeb97d93365f8dfb089502

SHA512
386b5faa1d4b0c8317e21bd63ea2e88bbe77eaf513ba385087f2d37b6d10a8fce6358fe829f7ead6aea18a010b5887f0cc1ecc7ca20019c2395bc9f51d4b0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\Underdrudgery.exe
MD5
2ffa5d1b7d1413ef62fbf4a563fcb2cd

SHA1
39940d9a1fcc29358f95225322120edf40d07c74

SHA256
b9c5f232e24751cae00ba80f54bac968e97354a810eeb97d93365f8dfb089502

SHA512
386b5faa1d4b0c8317e21bd63ea2e88bbe77eaf513ba385087f2d37b6d10a8fce6358fe829f7ead6aea18a010b5887f0cc1ecc7ca20019c2395bc9f51d4b0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\cekumdvo.dll
MD5
e7a967dc2cc05d4231f80b78a9aa8477

SHA1
444466516c9b3bfe91613d77fd2dde018eb23b25

SHA256
e0dc152ef3bc70a3f0163ac5e774128cb569f3af7c93b5ce1fa770dbdbae153e

SHA512
c1b26a0d5d5c91bf5ca45c20d7b1cf066da9ff8e7d1c310b256fc432399a265dfba62f9684738037f31f605278aa48b74126364fafffd9086ac514f38312dfd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cekumdvo.pdb
MD5
6e7abf9fd88d08d867c679177d97516e

SHA1
51e40ac27e5506d5c5be8155f4120540da14b5b5

SHA256
1bb4d5347db11f652704f80469013a71d7b2c9fc8b6df9624e59e66ddb20df1e

SHA512
54f219936d284230e1625613f450b69672ce15fbabe8da3c8ec12e71b436b30a9fe9a2fda7d8ba41d8c71843e1913bdd43a1005112307ee833e424568c39230d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ferrari2.exe
MD5
5567e4051e60870b8a1f27067e50bc3a

SHA1
88b6e4b7b46445f73ef652e2666a7badd7dd617d

SHA256
f39390e7274e4ec51a6e807ded5e0807dfded064b5769d5d23bde515154cb16f

SHA512
03c721bb2f03dafc75e64573e157132d0f26b0af43336d6ce5458a7c10c1f9d9be59558e29b9665e15fd347a181b62e73f482f2d1329675b91ad5fbd1eb7caa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
MD5
854b2dfc0a28f2959b1d2fc363a4e318

SHA1
ce1753052c5bdad56708ec75d8085b2c597df6c1

SHA256
7135370ad5c4279486173fa5d0de73ea06dd814e4f8df98f80624f6f8b8c231c

SHA512
b0204091d6f89877c808c2c1db97c3723f063eace68d54b25da674b5971d0a2f7d60549923097c36dedc8c1cb2f77dfdd1dfb4df60f16682652a6755e287bfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1
MD5
28d9755addec05c0b24cca50dfe3a92b

SHA1
7d3156f11c7a7fb60d29809caf93101de2681aa3

SHA256
abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

SHA512
891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8D03.tmp
MD5
7cb010b04d7f3026ba1223a5c210d71b

SHA1
b407c704aa4ef9677ada5322971148511bb3bf35

SHA256
9e79420e829433553e45d77db73d6e90c9d708931cfd6ea08162f947976550e2

SHA512
980b59056384e611da1d0411e8b4ddeb2d491dd03941008aabb40159bd9a352054035b9009291b09fa762de1d479a22cc4d9fdb12b3a65a64f3bea32f734e3c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cekumdvo.0.cs
MD5
9f8ab7eb0ab21443a2fe06dab341510e

SHA1
2b88b3116a79e48bab7114e18c9b9674e8a52165

SHA256
e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

SHA512
53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cekumdvo.cmdline
MD5
988cd8717266034530a8a5e6a84eb522

SHA1
f7c26647a19974861f8ff3c3e385efbeb5a76a07

SHA256
bad2ea4c05fa6b25abafd780fb803b8ec14c0a35d296ee3ffded2cd33adc10f9

SHA512
3b205360bf831ae7399c935f62294914e930e116b3bcd6da61c8411864375368204e8213719c4d67ffa52ffd800981fccba34d47fa80c885142eb0a90219ed77

Download Submit
\Users\Admin\AppData\Local\Temp\1B51.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
\Users\Admin\AppData\Local\Temp\1B51.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
\Users\Admin\AppData\Local\Temp\1B51.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
\Users\Admin\AppData\Local\Temp\1B51.exe
MD5
5dec7029dda901f99d02a1cb08d6b3ab

SHA1
8561c81e8fab7889eb13ab29450bed82878e78c9

SHA256
6a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b

SHA512
09e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca

Download Submit
\Users\Admin\AppData\Local\Temp\Knots.exe
MD5
e1c9ff41a69e7b381d498c56243e3f19

SHA1
b09e041a9d71ab8bc5965ffb3dd14d74ea932bce

SHA256
1482d5afef2f604625b850fbe609699c64a342d1880e9d27ef62a77817b75cdc

SHA512
a005c87491bb48d96af386e8ed9cf3604a2fa708ea03219404587d69470e4516e8e71f7306e107c98b9baea83de29490cf81cdd216e752fce9b4019cf069885e

Download Submit
\Users\Admin\AppData\Local\Temp\Knots.exe
MD5
e1c9ff41a69e7b381d498c56243e3f19

SHA1
b09e041a9d71ab8bc5965ffb3dd14d74ea932bce

SHA256
1482d5afef2f604625b850fbe609699c64a342d1880e9d27ef62a77817b75cdc

SHA512
a005c87491bb48d96af386e8ed9cf3604a2fa708ea03219404587d69470e4516e8e71f7306e107c98b9baea83de29490cf81cdd216e752fce9b4019cf069885e

Download Submit
\Users\Admin\AppData\Local\Temp\Knots.exe
MD5
e1c9ff41a69e7b381d498c56243e3f19

SHA1
b09e041a9d71ab8bc5965ffb3dd14d74ea932bce

SHA256
1482d5afef2f604625b850fbe609699c64a342d1880e9d27ef62a77817b75cdc

SHA512
a005c87491bb48d96af386e8ed9cf3604a2fa708ea03219404587d69470e4516e8e71f7306e107c98b9baea83de29490cf81cdd216e752fce9b4019cf069885e

Download Submit
\Users\Admin\AppData\Local\Temp\Underdrudgery.exe
MD5
2ffa5d1b7d1413ef62fbf4a563fcb2cd

SHA1
39940d9a1fcc29358f95225322120edf40d07c74

SHA256
b9c5f232e24751cae00ba80f54bac968e97354a810eeb97d93365f8dfb089502

SHA512
386b5faa1d4b0c8317e21bd63ea2e88bbe77eaf513ba385087f2d37b6d10a8fce6358fe829f7ead6aea18a010b5887f0cc1ecc7ca20019c2395bc9f51d4b0476

Download Submit
\Users\Admin\AppData\Local\Temp\Underdrudgery.exe
MD5
2ffa5d1b7d1413ef62fbf4a563fcb2cd

SHA1
39940d9a1fcc29358f95225322120edf40d07c74

SHA256
b9c5f232e24751cae00ba80f54bac968e97354a810eeb97d93365f8dfb089502

SHA512
386b5faa1d4b0c8317e21bd63ea2e88bbe77eaf513ba385087f2d37b6d10a8fce6358fe829f7ead6aea18a010b5887f0cc1ecc7ca20019c2395bc9f51d4b0476

Download Submit
\Users\Admin\AppData\Local\Temp\ferrari2.exe
MD5
5567e4051e60870b8a1f27067e50bc3a

SHA1
88b6e4b7b46445f73ef652e2666a7badd7dd617d

SHA256
f39390e7274e4ec51a6e807ded5e0807dfded064b5769d5d23bde515154cb16f

SHA512
03c721bb2f03dafc75e64573e157132d0f26b0af43336d6ce5458a7c10c1f9d9be59558e29b9665e15fd347a181b62e73f482f2d1329675b91ad5fbd1eb7caa9

Download Submit
\Users\Admin\AppData\Local\Temp\ferrari2.exe
MD5
5567e4051e60870b8a1f27067e50bc3a

SHA1
88b6e4b7b46445f73ef652e2666a7badd7dd617d

SHA256
f39390e7274e4ec51a6e807ded5e0807dfded064b5769d5d23bde515154cb16f

SHA512
03c721bb2f03dafc75e64573e157132d0f26b0af43336d6ce5458a7c10c1f9d9be59558e29b9665e15fd347a181b62e73f482f2d1329675b91ad5fbd1eb7caa9

Download Submit
memory/360-154-0x000000001C490000-0x000000001C769000-memory.dmp

Filesize
2.8MB

Download
memory/360-155-0x0000000000DD0000-0x0000000000DD2000-memory.dmp

Filesize
8KB

Download
memory/360-130-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/360-120-0x0000000000000000-mapping.dmp

Download
memory/740-56-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download
memory/740-57-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/740-58-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/740-55-0x0000000000568000-0x0000000000579000-memory.dmp

Filesize
68KB

Download
memory/828-80-0x000000006FAB0000-0x000000006FAC7000-memory.dmp

Filesize
92KB

Download
memory/828-64-0x0000000074FE0000-0x000000007502A000-memory.dmp

Filesize
296KB

Download
memory/828-66-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/828-68-0x00000000763E0000-0x000000007648C000-memory.dmp

Filesize
688KB

Download
memory/828-69-0x0000000077380000-0x00000000773C7000-memory.dmp

Filesize
284KB

Download
memory/828-70-0x0000000077320000-0x0000000077377000-memory.dmp

Filesize
348KB

Download
memory/828-71-0x0000000000260000-0x00000000002A5000-memory.dmp

Filesize
276KB

Download
memory/828-73-0x0000000076710000-0x000000007686C000-memory.dmp

Filesize
1.4MB

Download
memory/828-65-0x0000000000E30000-0x0000000000E98000-memory.dmp

Filesize
416KB

Download
memory/828-79-0x0000000075320000-0x0000000075F6A000-memory.dmp

Filesize
12.3MB

Download
memory/828-89-0x000000006D400000-0x000000006D417000-memory.dmp

Filesize
92KB

Download
memory/828-76-0x0000000076F30000-0x0000000076FBF000-memory.dmp

Filesize
572KB

Download
memory/828-74-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/828-88-0x000000006E5A0000-0x000000006E730000-memory.dmp

Filesize
1.6MB

Download
memory/828-60-0x0000000000000000-mapping.dmp

Download
memory/828-81-0x0000000077010000-0x0000000077045000-memory.dmp

Filesize
212KB

Download
memory/828-78-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1196-179-0x0000000000000000-mapping.dmp

Download
memory/1200-59-0x0000000002A20000-0x0000000002A36000-memory.dmp

Filesize
88KB

Download
memory/1500-151-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1500-144-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1500-148-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1500-149-0x0000000000418FB6-mapping.dmp

Download
memory/1500-153-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/1500-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1500-146-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1500-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1628-125-0x0000000000000000-mapping.dmp

Download
memory/1628-128-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/1628-132-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1628-133-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1672-142-0x0000000004913000-0x0000000004914000-memory.dmp

Filesize
4KB

Download
memory/1672-114-0x0000000000000000-mapping.dmp

Download
memory/1672-140-0x0000000004911000-0x0000000004912000-memory.dmp

Filesize
4KB

Download
memory/1672-141-0x0000000004912000-0x0000000004913000-memory.dmp

Filesize
4KB

Download
memory/1672-139-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1672-143-0x0000000004914000-0x0000000004916000-memory.dmp

Filesize
8KB

Download
memory/1672-138-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1672-137-0x0000000001FF0000-0x000000000201C000-memory.dmp

Filesize
176KB

Download
memory/1672-136-0x0000000001F60000-0x0000000001F8E000-memory.dmp

Filesize
184KB

Download
memory/1672-135-0x00000000006B8000-0x00000000006E4000-memory.dmp

Filesize
176KB

Download
memory/1700-111-0x0000000077010000-0x0000000077045000-memory.dmp

Filesize
212KB

Download
memory/1700-95-0x00000000001C0000-0x000000000022C000-memory.dmp

Filesize
432KB

Download
memory/1700-108-0x0000000000290000-0x00000000002D5000-memory.dmp

Filesize
276KB

Download
memory/1700-117-0x000000006D400000-0x000000006D417000-memory.dmp

Filesize
92KB

Download
memory/1700-116-0x000000006E5A0000-0x000000006E730000-memory.dmp

Filesize
1.6MB

Download
memory/1700-90-0x0000000000000000-mapping.dmp

Download
memory/1700-96-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1700-94-0x0000000074FE0000-0x000000007502A000-memory.dmp

Filesize
296KB

Download
memory/1700-99-0x0000000077380000-0x00000000773C7000-memory.dmp

Filesize
284KB

Download
memory/1700-107-0x0000000075320000-0x0000000075F6A000-memory.dmp

Filesize
12.3MB

Download
memory/1700-110-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1700-100-0x0000000077320000-0x0000000077377000-memory.dmp

Filesize
348KB

Download
memory/1700-102-0x0000000076710000-0x000000007686C000-memory.dmp

Filesize
1.4MB

Download
memory/1700-98-0x00000000763E0000-0x000000007648C000-memory.dmp

Filesize
688KB

Download
memory/1700-105-0x0000000076F30000-0x0000000076FBF000-memory.dmp

Filesize
572KB

Download
memory/1700-103-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1700-106-0x00000000744B0000-0x0000000074530000-memory.dmp

Filesize
512KB

Download
memory/1700-109-0x000000006FAB0000-0x000000006FAC7000-memory.dmp

Filesize
92KB

Download
memory/1776-169-0x0000000002860000-0x0000000002862000-memory.dmp

Filesize
8KB

Download
memory/1776-170-0x0000000002862000-0x0000000002864000-memory.dmp

Filesize
8KB

Download
memory/1776-171-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/1776-168-0x000007FEEB900000-0x000007FEEC45D000-memory.dmp

Filesize
11.4MB

Download
memory/1776-172-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/1776-167-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp

Filesize
8KB

Download
memory/1776-174-0x000000000286B000-0x000000000288A000-memory.dmp

Filesize
124KB

Download
memory/1776-166-0x0000000000000000-mapping.dmp

Download
memory/1776-185-0x000000000288D000-0x000000000288E000-memory.dmp

Filesize
4KB

Download
memory/1956-162-0x0000000040DF2000-0x0000000040DF4000-memory.dmp

Filesize
8KB

Download
memory/1956-165-0x0000000040DF7000-0x0000000040DF8000-memory.dmp

Filesize
4KB

Download
memory/1956-164-0x0000000040DF6000-0x0000000040DF7000-memory.dmp

Filesize
4KB

Download
memory/1956-163-0x0000000040DF4000-0x0000000040DF6000-memory.dmp

Filesize
8KB

Download
memory/1956-160-0x0000000041140000-0x000000004140F000-memory.dmp

Filesize
2.8MB

Download
memory/1956-158-0x0000000000000000-mapping.dmp

Download
memory/1992-178-0x0000000002020000-0x0000000002022000-memory.dmp

Filesize
8KB

Download
memory/1992-175-0x0000000000000000-mapping.dmp

Download
memory/2032-87-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2032-85-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2032-82-0x0000000000000000-mapping.dmp

Download