Analysis Overview
SHA256
8c490d6ddb6088af87d6e487397113a54d4e23ace17159fdd514b4a39849d929
Threat Level: Known bad
The file 0709c265fa8e91c4fc88c9b4ebc32747.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
Eternity
RedLine payload
SmokeLoader
Modifies Windows Firewall
Downloads MZ/PE file
Executes dropped EXE
Suspicious use of SetThreadContext
Program crash
Runs ping.exe
Checks SCSI registry key(s)
Runs net.exe
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-10 23:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-10 23:26
Reported
2023-12-10 23:28
Platform
win7-20231201-en
Max time kernel
146s
Max time network
128s
Command Line
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6345.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D653.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1720 set thread context of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6345.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe
"C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 108
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\6345.exe
C:\Users\Admin\AppData\Local\Temp\6345.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 532
C:\Users\Admin\AppData\Local\Temp\D653.exe
C:\Users\Admin\AppData\Local\Temp\D653.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\is-SHL2V.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SHL2V.tmp\tuc3.tmp" /SL5="$50174,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231210232807.log C:\Windows\Logs\CBS\CbsPersist_20231210232807.cab
C:\Users\Admin\AppData\Local\Temp\E2F2.exe
C:\Users\Admin\AppData\Local\Temp\E2F2.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\E5B1.exe
C:\Users\Admin\AppData\Local\Temp\E5B1.exe
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| MD | 176.123.7.190:32927 | N/A | tcp |
Files
memory/3060-3-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3060-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/3060-1-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3060-4-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3060-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3060-6-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1112-5-0x0000000002EA0000-0x0000000002EB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6345.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/2560-16-0x00000000000F0000-0x000000000012C000-memory.dmp
memory/2560-21-0x0000000073AD0000-0x00000000741BE000-memory.dmp
memory/2560-22-0x0000000073AD0000-0x00000000741BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D653.exe
| MD5 | cbc72f4b45b1ff769d4eef31b3318b4e |
| SHA1 | beea755faeacd88e15deeb0cfd4edb376b4f251b |
| SHA256 | 87810c1011886126e40cdaa6dc3b4b9d5fa23aa052ed7c44cf9f87bbc2a02acf |
| SHA512 | 736cc642fa99446b87084720ffa3a54d865b2c1974bfef790e062df4c520a90f3619a46bbf592b7f5d6b7c148c16133eb016a85c00f1fbe3264090afdd4af6c5 |
C:\Users\Admin\AppData\Local\Temp\D653.exe
| MD5 | d94f1cac685ff84ef1ebc06baeaecc25 |
| SHA1 | cdac56b68cb417f2c38aa9a4c3f18cde36a32f22 |
| SHA256 | 23b2fea194c19dcf63ea84542117d81878e172d6baf73c8c3e821e9329c548df |
| SHA512 | c5158aa2e58155dab5bf0a29aa74cebac0d9f2404c8c46dacdbe233812b53b7279fabad9b53be6642ff594b3f87d24eb0bf2b61722136437b5de580c8a1c07cd |
memory/1616-28-0x0000000073AD0000-0x00000000741BE000-memory.dmp
memory/1616-29-0x0000000000CD0000-0x0000000002186000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 4d8b4be7a03155a32383cde0eb31593c |
| SHA1 | 0135eeab435dcae613ad0eab820c0c202082e9ab |
| SHA256 | ec19d4756ebe4cef65e58a13383d511e6b6e77a02a739168ff297619ecf269bd |
| SHA512 | 8c560ea8ffdbacfaf7ee44ea2459e05c57efbd9029adc169919aeeeb79f9fcf26496a216ef1e6abd40e35e45e42d0a6d87a6de31aadb570f5e5d09b266794ed6 |
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 4190cea4425c1784c6b723e339abb038 |
| SHA1 | 44659ba029a5d6a5b16e559b53fc805e178aea4c |
| SHA256 | 859f5532cf3f6a0aaa1ffd3f94b2aa85f5d50f7c74a27ede45d25d2e9870a751 |
| SHA512 | 07b92958c31e85b1e208672e853c98f8ad2e1065405e8aad59fa27d344bd99246ec4a24c7905ead8b41dd4fadf06b0be14b17bfeb404d26be836f2327080cbfd |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 58da96e1b7fa4ebc6c48fd50826f259b |
| SHA1 | 225e4f8e33c0f4ee294bf1d4ca3baa2706fb62ea |
| SHA256 | d6ce3c8b2375579946b4bb0d6f3b939ddc15c7c0e010255282174b79a9044a78 |
| SHA512 | ff4201be6802cd3b089497fda3deccf3d4450c4217744d4f39dc547da380d5b1a241a91701ec54fa3b499b0be931549e7ffc968efe134faf1fb2f961387f90e1 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 8ceb654f11b77f58bbc7e69ea25b5073 |
| SHA1 | e465fbe119755d431eb4023e0c18fb0cf8e66c81 |
| SHA256 | d32aed69f1891f02dca3bbb0893fb6f19ed36b47c921ee1894c6da7b885b0f7f |
| SHA512 | 061672be6cf12bc964d89f02b6e8f0ac69e53ffd6915960f426defd238068b6d3834c6237fc02417475ded98c63b959ebe32071fd683584996a84930cecd0c36 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | f41b392c88207cc19213d23d84f1a3f4 |
| SHA1 | 35e7e668080b53403c0cad155eeed3e364cfda83 |
| SHA256 | b6c037b7800d772012ea376998857f7b20a3b89f62f820836d52c0dbbe96df67 |
| SHA512 | b4ca87fd43fb489f84240d135d312385ca87f67955e1a2a80d0ae1e730b71009fe1d4dbb4021d3c48ae08c0d1a381ed04f40e78c2e0658e5afd6df1d49908323 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | a6b4307f17ddf0652911b970e6f19513 |
| SHA1 | 09777135736c2a4fa00c205ff33000b3b50e7101 |
| SHA256 | 35f717bfa252c1ef73fd6899b4779219fb9317636c0eb8871f67c3aec30d81f1 |
| SHA512 | 300b42d8bacaae79e47c670d4fc577c5a49f8e510bdbfe98a47d61c64b5140dc1a9fe91aeee9db5793f1d45368156a72364d0afc3d491a4b770a19128474ffb5 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 1774e8bc852e0eeac688a5b46f3b7d01 |
| SHA1 | e19e6ceb9c1dd6df2c9dd468400da012d5c3a33f |
| SHA256 | 1a87f95f93bb45059ce76006ff27ff3f56863a336ecde1f72d0350b637024383 |
| SHA512 | 644bf9a089101940e372484ca5a5424b3aacc5240b787c707a5b25be2c0adb6129a40751de5b22f0a55c1e460e24053fd4f5f2b210432bce0533f67e33d28e6b |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | d530fddaf297837cdf5a4a4b3e250310 |
| SHA1 | 2e673bee84a603d6926887325ecc640b5bf96519 |
| SHA256 | 94285d2fe93348cd155473344d7791bc8108d6db2a875b3ff8bdf1fd1e32dd62 |
| SHA512 | 6c4be5eefe4a81b11e11e3acaf4bc01b07dea3f88bd577592d20ae00547454d289c811d5a8ea7a400b6322ca429654cd361533e446eecee065251e4f94289bc0 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | af7266153eff5f0e406d5811dc4df039 |
| SHA1 | b796fbfb51dbebe39f01307906c54d3b088b4519 |
| SHA256 | 6970ffb993312ad7d2bbbc32ee4b0e6f1627c8e7f7e654ea912ae1b4194a3f8f |
| SHA512 | fe8d9f8c08115e3e9779ec4f9a7c09035bf787bfb518ce15451892b27a7b9161d823ec4964f6b88f1042bed060750fb8d5bcf6bb08e7c5dd458a0992aed977d1 |
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | b9288e5304f2b2365bf76a82e0f62058 |
| SHA1 | 2a98962cd9a8f464360ddb45ae485eb0161e5459 |
| SHA256 | bb7c1b780d189fb41f4f6d0804d3789820f65059b4e380ca5772b998782eb09c |
| SHA512 | f0b8b8189a1ae61635c33a37f1c14b0ec1309bb28e1676596cee9c8a0aebe18c4e535dae2a595c286512799cc4ff56138daa2801a000e617a9c9f044f750cc3f |
memory/488-62-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 7edf8755e4321aab04bfa7b62f053f0b |
| SHA1 | e86de95a2fc1ef73f8ab1221a2e37545f0e2073c |
| SHA256 | 57a8d4a1e95b8fba1b6434c9437fb398b2f853c979d5807ff67748e4b10ecd4a |
| SHA512 | 9888cb1210391d60616cc5fa033dcde8b22ccd125df9d93e937649708801563a1ad3ee5e9aaf739356147a1f9e075f29b6a84ddeb8b19d6fe48126aaa4cba041 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | d0cf061ece987588f0a4b63d4751cc85 |
| SHA1 | 9b061b9a788e77724ca48101ba8c4b68d23e6b89 |
| SHA256 | a038dce990ab19524b19e6c57673258e20650f6b2a89139828f4bcbb65e77e0f |
| SHA512 | c210e7ae5baafa050418cab0e2585c5b59d596e9fbeb4261c90705d21ec0219781194b0914a1500757e82f1a90e71aaba0e720f3fdc4cf2cf5cdbdf395bd1b4a |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 245b877e3ae990f2b30829ef092f0b2d |
| SHA1 | 94c9056b706049a2774b4646b77d12967d9d070b |
| SHA256 | c16c590d336390b33b9d02796ce58a7924a171160f071699416c6b9ca5cb19a3 |
| SHA512 | 7a2c8b01fd6408e4936ec19b258730ab5ed530d4e41994c52c22748579b0663e706e3a2ac841105d13aa2958cb787bd627c2e0297050f781491a4b68510f24ae |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 1e257fcf27b289ddaa33f5c07820f658 |
| SHA1 | 45f00d851d99ca3960185bf057401cf99e8d3ded |
| SHA256 | e7136bdc895b87e2a0a3f9bf3b8eafccb6a782db46f2b1f2c15f528118376925 |
| SHA512 | 8290d8b380c5bf966ce63b47a2936c553b8d06c24b161d7202bb75fed67c1456b70edfcb0d27eb08e22540103d3aedbabb52cc0319d9a5e581ab78af7df2f887 |
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | dced17fa66f96e2203a31538969ffbbb |
| SHA1 | e25f5dc2e0f457826214164043a76087eaccca22 |
| SHA256 | cfd9fd5653cab5974eaca9910cc38ea777d09c3ed8156f5e284b7f3767336322 |
| SHA512 | e79f4f40af3ac1c30d286fc4e868201117fa52353ae9f17bc7f7a5b718da8724a658565c65103d1c77bbb82df7a4298b824e827e051a83ac85271ac6b310a46d |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 840da75f2f27c989809cee05b061531d |
| SHA1 | 4d1f6f718e2d399d7bededd1334912ab14f869e8 |
| SHA256 | 9a063752fef4cddce7f0d4809830453a707f0a44d990d71be93083d7bf934221 |
| SHA512 | 721c4eb366f144603af996618170187a7aa2152d7695d08ae0ef8983b102a149bd0be1d8e04193b88655c0f692e7107a2091be5153603df8ca2d7aaa4f9981ea |
C:\Users\Admin\AppData\Local\Temp\is-SHL2V.tmp\tuc3.tmp
| MD5 | 37a43af1e7ccb15b02b5b08fabadb95e |
| SHA1 | 416a108d04dd09921066bb6395bd168bfbbd392a |
| SHA256 | 282d7e3f41fa563d077a431e028f164e3451023ded76070ac135ed1b3d43d046 |
| SHA512 | dc4aa8ad187d103e68bc9e3928763d0be38dfd44130ecf5a8fb9de19f62bd3f56ffa78070bac05e2ecca4be249d60dab73c3088cdeaa2fa28e0c3209141d59ae |
\Users\Admin\AppData\Local\Temp\is-VUDRU.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 8404cfb7a73b1877e567165b96f13278 |
| SHA1 | c4aa20a5a958e1a810c02cac9801b0cc80f0cf10 |
| SHA256 | ad56e458f1143e352ac24797995f04c7c9ab5b8c345e1e51ac70b58c10a2f427 |
| SHA512 | 1eaf8be061b6086b42d189bc9d897f8e99bcbe0a30ce151e42b0e8cde6931ffc9fd5cbb197a4f1b0ffa541e426e1d051fba7762196fbfad382543121728878e9 |
memory/1224-105-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2516-106-0x0000000002840000-0x0000000002C38000-memory.dmp
memory/1616-104-0x0000000073AD0000-0x00000000741BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 69703ec573166055f9f5b1b5fbd0ed57 |
| SHA1 | c1e693627e9c82830e328e2625b8fb98d3a545f9 |
| SHA256 | 40ba219077d3392b1e362f2597f9a397c34832860745fef062c074aa43206c44 |
| SHA512 | 9e7998890ec815e52489aa0cd023ea21af348857798c93e1471b9e09f783df2d56db5e21c83baf5622a55cab80f859b5d771ea49a0130697a8d33460276a2dbc |
\Users\Admin\AppData\Local\Temp\is-VUDRU.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-VUDRU.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/1832-76-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-SHL2V.tmp\tuc3.tmp
| MD5 | b94fefeee801315f57f3b44a86e0a972 |
| SHA1 | 6b934f1bc5df39d60b974a143e5de8c42f4c2b86 |
| SHA256 | 773f3d55c7acdf9e78a7e4d93611973a33a63d94ed334372af22d705329b2566 |
| SHA512 | fe36f9596451b36e1ec73ba902138433bb1430b3dd96f7fe2e8e3a1646bbafd273db03667998cc1a601c7d95223c53d1db26b3a837a2f65487e9a265733d0bfb |
\Users\Admin\AppData\Local\Temp\is-SHL2V.tmp\tuc3.tmp
| MD5 | e84743205ca9cd1fc87595a6e9120da0 |
| SHA1 | 8f684e0c64609959f5ad773bc8fb22bb4020234c |
| SHA256 | a730fd83e20a9f50fba802602b51bf4ce69e948384201e12362b514489a376da |
| SHA512 | b042b14c671c8a81e246b3610f806f89c96625435da2d616e8aac72c0aaa8fbe6d8cd321f63aa8d5cc8d3951dee81a6d06cc63935f7de42f46c5dab29a2b67bf |
memory/2516-108-0x0000000002840000-0x0000000002C38000-memory.dmp
memory/2516-109-0x0000000002C40000-0x000000000352B000-memory.dmp
memory/2516-110-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | eb8e7dbaccf3e1eb654a7d5a59886249 |
| SHA1 | 2ad5ac61b3b91156c2ef34f1bbedb98a3a36637d |
| SHA256 | 7c977af7c92811910443b2871e6256130dfda3309ce3e60d8b7906e85963fd84 |
| SHA512 | a382927ec4ea00237755fe4a6a1e1436b30c58eeb03267ba917c1a93230ae0bd281c00b6236e687b79a5007978412c86df4ef00037e2721f007b6c7ab5a1a3e3 |
memory/2160-114-0x00000000008A0000-0x00000000009A0000-memory.dmp
memory/1580-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | a8b8a92f34d019f4b1c69ae77ba50d3b |
| SHA1 | 4c0db805804266d34aa814837b39889ba608aabc |
| SHA256 | 6ab302ad5c0d61bd29b1581808051733abad0cc943aa3ebc4317d9dfa21fa719 |
| SHA512 | 0759f837fe39171d731da24e34cf65d72314d1f37b4236d2709a3749f46cc523fc93f21cefea8f0422cbf3c52480bb4ae04be7431fec705fe9500912c71499a7 |
memory/1580-119-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | e4d1cd833b1825f370a60f381353b414 |
| SHA1 | 7fa4a76a65372efce9c50c41a999ab50bc8f5185 |
| SHA256 | 3c73128cda575df8a55adb355984cb6d8d66b832d3edf1932427c2cf6f4ad45a |
| SHA512 | be4a28bafe3ff7162f88f11fdb5b769f9fc7bd43f11eff23d6c7ec459e5e0dbb63e288690fca62c84318db37946669281dab005a2700dccc94d6d4fe19af29c7 |
memory/1580-117-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E2F2.exe
| MD5 | bf25d617542994eb0b10af8bb65d40ac |
| SHA1 | 4bbdbac82ead50d235835287f289b61e79ab198d |
| SHA256 | 9e758ff5360157f33489a47ff1354112af20e778a9ac3fb98ce275d84118f851 |
| SHA512 | 6f9293e40c4b97c9b02659874d092b1aac135f42668fcab6f0c5969a21f650ab29751815586008aace88bf0da09b5e6409811f4f363376fa5d95f6bab095edf3 |
C:\Users\Admin\AppData\Local\Temp\E2F2.exe
| MD5 | 6a8b3c0fb5cf44f9cee87832464634b1 |
| SHA1 | 7611ff3e8f059cb27c7d806ba9c3dfcb513d7534 |
| SHA256 | 1967688d1af42ada2582dad05943a3269a9750b324c686b8cc82a5ea4066eba2 |
| SHA512 | c6ec7bcc4ea7b605fff2b42031a984e3d3f0835b22ba30caeb75dc018e3eea0d802b168ca27330f0ea32d5d04126235279840fdf21d74b2061e1373939a8bbc7 |
memory/2160-116-0x0000000000220000-0x0000000000229000-memory.dmp
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
memory/2516-128-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2516-129-0x0000000002C40000-0x000000000352B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E5B1.exe
| MD5 | 426b99aad86bf49deb3d41f63156b1ad |
| SHA1 | 8641bab37f64fe40d5e530f83a8de7f1b07e77b8 |
| SHA256 | d5ec3187f05ca7d9c57ba1fa3e09be372cccc16e0c2d073f18bae07127784904 |
| SHA512 | 3c26cd45098abe4922222a5452ee6bb6442dce34af770fe24aaac0dd2c7ce6be9ba907833d8b3d2ad29d9ddd672ee9e3bd0a44d66337580e019b9c18fb48d077 |
memory/1536-136-0x00000000003C0000-0x00000000003FC000-memory.dmp
memory/1536-135-0x0000000073AD0000-0x00000000741BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E5B1.exe
| MD5 | 32626afc5d6644d531ebe44caa9a6bbd |
| SHA1 | 66b2a75ee482f98158c12b7036ae8ea34a8b97d4 |
| SHA256 | a936065b524714d449df52f35236c1b131301791eabb0d34d57d15d2472ed1fe |
| SHA512 | fb28c0dfc23a6a163fe60dd688af53da904f8e30c38a6e510d0f73e98e8f73d4ec2de90e8b29e458feb551249eee3f6a4e7b049bcca560ade5887c7b37e4e5fa |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 3a9954506330f8b1441465be83a4dd46 |
| SHA1 | 4c2084170286d9f23366b2654be6f8ebae129379 |
| SHA256 | 7cf6c99269ba2556547f227707c97d36468e5e6a206879c0b1105381f7e16d5e |
| SHA512 | 48524e18d23391d4e7966f647fb5cb227773bbdbabc3f8b42643be84e24632a1cc88ae26a9cabd2620dcd156260eed91d0ae3ff2565d783ee008adbbf9aab37b |
memory/1536-137-0x0000000000AF0000-0x0000000000B30000-memory.dmp
memory/1672-138-0x00000000026A0000-0x0000000002A98000-memory.dmp
memory/1672-140-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/488-141-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1672-139-0x00000000026A0000-0x0000000002A98000-memory.dmp
memory/1672-150-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 27934bf41664b72b5e8c99b0bad0d3cb |
| SHA1 | 64463737b49e216163b917977cce2a72888168ec |
| SHA256 | 93c3eb07d2dad65b69e2c2296cccc39655bc0655c754821375179f3f87c9eb81 |
| SHA512 | b6b6e08e9e494a388ddb33adac0fbe5173701a851b5b01b99b42bda09776c15311d05fe4093ecce6a17fdd6d1d1a5b09cb060eaaadbec47fc42f82fc8ddc25ee |
\Windows\rss\csrss.exe
| MD5 | 1b8008ced56c08fb6d25714cb846dd95 |
| SHA1 | 97c12c4086efc8fb7c3133221d1d92c419573c96 |
| SHA256 | 43ae1cf6232bf75ff9b16c99ec12b6a4ca2460405b01211dc5bb52856cf7ed20 |
| SHA512 | e01dc1b314bead2629bd4e259634180836e541196bb1b90a39733b7c62d0a593f1ce7a74f93222b07b386050d29023956af950c16d10e5eae801bd43fe965497 |
\Windows\rss\csrss.exe
| MD5 | 3d62e0ca5b29ad8f99f0b813773bada2 |
| SHA1 | 3db448d288e33752e249f4ae308debf9e7023458 |
| SHA256 | 226ff8a33cb616d883cff988adadd26d742584adfd76fb56562ffc06dbedd205 |
| SHA512 | 59f16da13cbcb4e11f240ca5b054fa2e7bc830947a93e5f20166b8fc8cfe77dd87264e8d8b7089a224302366e2ce75448c62d28d30979234d8fa1b83fea78e00 |
memory/1672-151-0x00000000026A0000-0x0000000002A98000-memory.dmp
memory/1508-152-0x0000000002620000-0x0000000002A18000-memory.dmp
memory/1112-153-0x0000000002F00000-0x0000000002F16000-memory.dmp
memory/1580-154-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1832-158-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1508-160-0x0000000002620000-0x0000000002A18000-memory.dmp
memory/1508-162-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | b563144d971349cccf6e2b19985a40d0 |
| SHA1 | cb82cce8bb3a7b29c9e9d7b5ea746e2ac6e6ed49 |
| SHA256 | a13534398553b27a76a2e840641526fc4e7e380b406769b9b24796b8da8ec088 |
| SHA512 | cda8a722d18e50fee30c2accd57f423e61c8aca004fc38f8cd620d1270957b57ab0d30eef80ec619e700538df38c36e43361623deba7fb562db85f9ec7794ccd |
memory/1224-159-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 064751c1e9126a04a7ca9be19dcc401e |
| SHA1 | 8c5e646c12350b67c5c883921cd0277494dc5457 |
| SHA256 | 8a1b2e204d4d6b73a08654564368abfb1d787ecdf455ce9af2eff5d165fb3f86 |
| SHA512 | fe0e4aa652bfd9598e513752b0896c77be220bba7691b2c1161de09a7a1f6c053f7c4241f1bd15d06186efb92bafe3336f51b351d857dab936b979235dd63a08 |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | f305bbf6897afe4633311de8120182bf |
| SHA1 | 2a3dc597ae1fab42e965e0ff9bf196c4722453b4 |
| SHA256 | 3e287720350bb9bd9edf77673ab363f1a592a53a576394eaef4a077735ea59b2 |
| SHA512 | 14582bd32b9ea0bf03289a0f29f5e4a446abe92aecef87f0fef21918ac6c3be73643b8e242bf0cf4637290f04bc651e81bf5ab72b16646ba9cf2e39a37eeeaf2 |
memory/1656-182-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1656-180-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | df51333900748b4c299edf07dbf3edbb |
| SHA1 | c35253224154b06dd983292734d246cd8073f7bc |
| SHA256 | 14ab5a37fcd1d34ee410afc7f5b5e0e5128230e61be08c03a05dcaead1517daf |
| SHA512 | 1d7e40ae185047d49610fdd57fc59399ad329f80de98501fbc99a8d8cd28a386379ca18e3b5d112aaca32e4675fb35d69b6605cb3bf73c3d108733010aa33f52 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 90d592272c6e5a8717415ba4f21a64ab |
| SHA1 | 33a60bd81f9b8deb52bc27eb2129d2cb7e37ee10 |
| SHA256 | 8d12ae4c194fb1ef853117068a17816da6ea635848b019a316c43c6e5bc04b71 |
| SHA512 | c746d445e1485db7903e41fee0c14717b8414df4d3293029a6409aeeed7b82f16adba39d1e90df360d82b34e1b38c1c8f9863f6b563c0e8470d126d1294a7637 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 7893bfdb8afa9389c719d5299684d288 |
| SHA1 | a43ff0a7b687b6bd22e323cc6e1bd46cd5bb37f4 |
| SHA256 | d977dd09f49b163c14aca86079667d825e2a599bd9ba724969a87b5da1121670 |
| SHA512 | 46f19b5dc38581abd8bd369096307a16033f3dbd97274f08483643c7882764707a8436a4b0a3db53be5e32457e79be1a7e4d169a2b14fbc7e08207a4c148059a |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 7f8569257c33eec9cceb921b26074820 |
| SHA1 | 980b4a5923860e8566ce1ce4a321457aa55a0505 |
| SHA256 | 4f1d94ab312feba0574c7eb206194a0dc5df2781677fd85e2b94886454d4f0e8 |
| SHA512 | eb1546cc7ce12c4d3d7b38dd19d546f0b1b659822a01d98dcb121d55d31eab5c6a70ca3dca9fb70cb64420568fccda19cc0782c5bc77f6b76341bfcf5b5a4cce |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | 55a23f1716d797bdb16d391e0c059b65 |
| SHA1 | 514f5bf0c0c171c5505d09546a4140266bd99b1a |
| SHA256 | b2c7275dca0a6575f1bb4de035d50ac83883fe042583786726748690a656a047 |
| SHA512 | f498fe00266ede5e93a5f322eef2c62f5ebc55129326df6bb0303cf7a22c2bb08b1e4c5f8d7e61bfa89df8fc2f9229bf8fb76c88eabd2238a4266525515b3565 |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | a5c923ba6dd7970384e9c93a87180560 |
| SHA1 | 65991ff468b34545e1c8e11ae86c1dd7d11f6795 |
| SHA256 | 481b874ecad314c25b71746bb736547f11b400bbf6de886ab62b51578d2643ad |
| SHA512 | 9e45dc031437ea09934acf6e31f3fcc5c351e08c27705be9f6bfb6888b93a2f2d2587d6e4face832c0472844be4f4d139334fd97fce67ecb76436743e9b692bd |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 4dec58496214f01b60d85b370d21837c |
| SHA1 | c3588a14d832e5348ce0d023a9488335d6c90f73 |
| SHA256 | 84bd856bc1fdd43c539631a4ced5a108c26ae6a476a53d5464f3beeaf1d4ab0b |
| SHA512 | 28fba07f008a0f0d487a4770afd3c1baaf3d342cf1b8d6c0b1e5105ad36e0c48b37d0e24293ccf3f86f889d94d1baac2f2988a8d77548e399c4a33a0efd41094 |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | e85844d8177b20a03c45a8417d8bb251 |
| SHA1 | 26be8fa590178c0fad0a1c022df3522c886aa58b |
| SHA256 | 63958a62b4f3ae562a9e2bbbcd246a69ec31c2f710a4d5f49b1825f723a3a1e4 |
| SHA512 | 39432edf49f84902d336b85a197ba56605426ad5ab51c2f14fd8e8b3d0d2f2f48410eebc968b8b48f114479186915a0a81d49d9dc9910184e34934331672ac0d |
memory/1832-201-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1968-203-0x000000013FD30000-0x00000001402D1000-memory.dmp
memory/1536-204-0x0000000073AD0000-0x00000000741BE000-memory.dmp
memory/1224-202-0x0000000000400000-0x0000000000965000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab9B3.tmp
| MD5 | c6fe7807f2ce1c9d62523472ec75187f |
| SHA1 | 4630669dd842049473aec1da0caa789f729c1f98 |
| SHA256 | 89c15c64d5e6fb9a94698ff32cc53d401b655328f3236ee1629fee3ca041de95 |
| SHA512 | 89378e5d7be452652595d48a3409170da371d5673cb36e5cb0576ff9303c76304a7ae3c87e39149d319d17b9cf2ad3726493b2cbfd38b5c17b2c51111f2d7cf8 |
C:\Users\Admin\AppData\Local\Temp\TarA43.tmp
| MD5 | 0bc9a8930efc520c6653d2305672c652 |
| SHA1 | ad99181d2e0e453feeb159c58455e12105944d8f |
| SHA256 | e489b0323588eb85e254045eb762e8c0149c221e395ba42ba1ef80bcadff7a52 |
| SHA512 | 0ba71d9909baf061ec0fe26360cdab544d54c14ccae3839a8c0d0a00a1563e67fc9a8ad9469c28f4ce1d039df1e6ec901e733615fc5d6443f70cacb1bda0d536 |
memory/1536-255-0x0000000000AF0000-0x0000000000B30000-memory.dmp
memory/1508-256-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4435.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-10 23:26
Reported
2023-12-10 23:28
Platform
win10v2004-20231201-en
Max time kernel
148s
Max time network
125s
Command Line
Signatures
Eternity
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\97BC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33F8.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3376 set thread context of 512 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe
"C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3376 -ip 3376
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 324
C:\Users\Admin\AppData\Local\Temp\97BC.exe
C:\Users\Admin\AppData\Local\Temp\97BC.exe
C:\Users\Admin\AppData\Local\Temp\33F8.exe
C:\Users\Admin\AppData\Local\Temp\33F8.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\is-36MEP.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-36MEP.tmp\tuc3.tmp" /SL5="$F0058,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\4791.exe
C:\Users\Admin\AppData\Local\Temp\4791.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4700 -ip 4700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 2560
C:\Users\Admin\AppData\Local\Temp\4500.exe
C:\Users\Admin\AppData\Local\Temp\4500.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
"C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1544 -ip 1544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 332
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
Network
Files