Malware Analysis Report

2024-10-18 23:12

Sample ID 231211-a2xvnahgg2
Target 0x0007000000016cba-119.dat
SHA256 59101b7b237d9e3247b87892de8d7204b178ddf2fcef9930990d51b66ec0bdfb
Tags
smokeloader eternity glupteba redline @oleh_ps livetraffic up3 backdoor discovery dropper evasion infostealer loader spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

59101b7b237d9e3247b87892de8d7204b178ddf2fcef9930990d51b66ec0bdfb

Threat Level: Known bad

The file 0x0007000000016cba-119.dat was found to be: Known bad.

Malicious Activity Summary

Glupteba

Glupteba payload

SmokeLoader

Eternity

RedLine

Smokeloader family

RedLine payload

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Runs net.exe

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 00:43

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 00:43

Reported

2023-12-11 00:45

Platform

win7-20231023-en

Max time kernel

70s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe"

Signatures

Eternity

eternity

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A43B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5958.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A43B.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Temp\A43B.exe
PID 1204 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Temp\A43B.exe
PID 1204 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Temp\A43B.exe
PID 1204 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Temp\A43B.exe
PID 1204 wrote to memory of 112 N/A N/A C:\Users\Admin\AppData\Local\Temp\5958.exe
PID 1204 wrote to memory of 112 N/A N/A C:\Users\Admin\AppData\Local\Temp\5958.exe
PID 1204 wrote to memory of 112 N/A N/A C:\Users\Admin\AppData\Local\Temp\5958.exe
PID 1204 wrote to memory of 112 N/A N/A C:\Users\Admin\AppData\Local\Temp\5958.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe

"C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe"

C:\Users\Admin\AppData\Local\Temp\A43B.exe

C:\Users\Admin\AppData\Local\Temp\A43B.exe

C:\Users\Admin\AppData\Local\Temp\5958.exe

C:\Users\Admin\AppData\Local\Temp\5958.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\620F.exe

C:\Users\Admin\AppData\Local\Temp\620F.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-LNLN5.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LNLN5.tmp\tuc3.tmp" /SL5="$70156,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\6C8C.exe

C:\Users\Admin\AppData\Local\Temp\6C8C.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211004424.log C:\Windows\Logs\CBS\CbsPersist_20231211004424.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

"C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\B0BD.exe

C:\Users\Admin\AppData\Local\Temp\B0BD.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 N/A tcp
MD 176.123.7.190:32927 N/A tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp

Files

memory/1728-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1204-1-0x0000000002A80000-0x0000000002A96000-memory.dmp

memory/1728-2-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A43B.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

memory/3016-12-0x00000000001C0000-0x00000000001FC000-memory.dmp

memory/3016-17-0x00000000749D0000-0x00000000750BE000-memory.dmp

memory/3016-18-0x0000000004960000-0x00000000049A0000-memory.dmp

memory/3016-21-0x00000000749D0000-0x00000000750BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5958.exe

MD5 a85bd987524dc977d8ff8c22fbaaabd8
SHA1 4f5d3b108c094141e9c04fb48b4e2c59dc6ac950
SHA256 536ef1dcd7a4dc35027f747bfb82c188f065a06d8a3a3335f5200796d7c4b47f
SHA512 51abc78b2b02ebb22113973d05f427300b999411615347044439b51f98e83f741bae988f8d3435d26e60e25a6e4f3da8f703c148e0adec4849646d4bb4aa906c

C:\Users\Admin\AppData\Local\Temp\5958.exe

MD5 56ab898ccef044dfe657da9d3a23b9f1
SHA1 2f64af713481c583b1bf13b517d2600c7fdd4d8b
SHA256 1d68627012ca239d2f9b10dfcb4c22b07881a0ac7732089cab1ccaaa358dc0ea
SHA512 50c301e0f2e4074c8bf3c17d2ca7fa5af49722aaa74bccd532cfbba698599958b4198bdec0b5177be458acb5072bdbc503576bf6618472c34f1728c48e7bb68c

memory/112-27-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/112-28-0x00000000003E0000-0x0000000001896000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 7c7b101f7562046736028c4d4c4a10cb
SHA1 518a7209c5519ca6a1ab6fc4c1db697bd49ddcd6
SHA256 a2885df18afa9cb37135cb79a4c1ef17c4126a7adb95870e3892b6ff4a3aa994
SHA512 167ad8ab7fe3aebba6d3bd1523fb0f68805c380479934304c96efde61347bece35d566c13188d49e3124fdec8bff37cb51a7da06038d80810aa9e3d2aa4426d0

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 69af79a1f980d8904b70d45a47a0562a
SHA1 2cca5bda1f5ea8a1711752a26c05bf6b5ea5c6f6
SHA256 4765e5e3a054be40f34bf30359e80753a75b283cdc84ce6af05c4fb39e7b3b94
SHA512 d288e50d5817e88ed1f8822eb4c981209bc9005b82c3fd95399cdb5903b2177105003e388b0326959e455a92c9878f2482b3ffc48121c3642f468b3c45d1fb24

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 d82929fcc545354d47b60e9f098fba08
SHA1 4a70ace1f5c98af856141d0eda8a855383045576
SHA256 3c35d3d8c80d36e8ae5cd5c0c3d8f4c3b91d53a534395148d245b81b1b860585
SHA512 540fc7da4db59813a3fca85a609d5fc407e7660cfed6e014ae6f311d1a22006675deab1bcc851ed7d89c4fc66a7c6eaec7ae4deff035ba3aa716d23f30f41fc2

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d440dae242b11350d6ff91549705a3ae
SHA1 b3f8b0cf0f8652d1e2353fbe37ce45ffbb691db6
SHA256 a056294cb74666f97d5d30883f6eaf8b9deed4b49f34d721d64e1e7f708cc1f1
SHA512 11f73069f4dd9fe920dff05f1a76a471f54dfdd41b43425f2d69df82358932cb34ebb070abdddd7844f6f62ce16d9be527c33056186f78abd0c6c373e1b602df

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0d435c4af7984db3a5335e5df326e449
SHA1 d77166db0ace9ef72e53c076b8ef38f284cbd12a
SHA256 8a0c59d578a28914406c05ae8fe6df0ad8223d8042758ffe54008183f8258800
SHA512 65586acddc68a34589bed51f5f9ad1a8e3c3020f6375878676cfc10b6f595c728d6b53defe806356581edf67d4152adb57d7e22de410039a1dfdcd96fd834aa0

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 7b80714b983fcb5e0609d602d79a6103
SHA1 9708ef6dbc0a5f80d772e0aafd0fc7d1a75d3abf
SHA256 6dba9f1361c70e6976540cc437cff09fafc9e67e66c28062a10f370719bb76a4
SHA512 da5b01d072c3a6dc1df08290c29e571f5ddc256880b9c3125b623341559193b70cc3f5409235f127db98425d38d9ed900c5af068f4c06333276b037bb7d2ff44

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 a7af37a860a92e30ab8746f4f84eccbb
SHA1 822628ae37dd65cbfb06e79c7286d71b0eeb5713
SHA256 90775e2a64483319c59f760fccd4ea830e0b1391005ccd6780adab2b130a8e12
SHA512 f808e43af35b92780fe755e3d09082e1e81301540ffa81f97970fcc47829471c7a650d9d88a55c94efd45ddeeab506e5fdf8efba2807fba98ffbd3f4aec3ccd9

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 93f3d8776125a67b11607854de78bbe6
SHA1 8701a3f84e8b05f37a1ac8f790673304c423e6e7
SHA256 816dc1e658c58b361592a79c51751a7fbd4a4a4b6464b671c5b0d18a5fbd50ee
SHA512 92ba3fd910fd117196b131d7b84176efffe09bb795e0feab51381e331204c1c6e8c052e789ff262fbdd2497fab52c87ee0faee887f8cd5f8676c67ec6393df14

memory/1456-61-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 e6b60d1beb863715b60c89365b16bdcc
SHA1 677f9f01cb494a0b96bd0f6fd1a873df8b0aa46e
SHA256 53c624726124a9de4c95cbf7c9ca3e5ac9a94121c0d0aae338e1b25d4402be95
SHA512 dbc84dc4bcd196cf09eaaff14c4f9782ac2fe3930a2b0e5e39ba4b0e6932d746407f64f550dd28026b1b5112ecedc5911bb5c98131d23894d8d731d8af5c881f

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 9c13cd8402219de7368e57fed861279f
SHA1 821b0d7e1dde243656b72506ff0a7b8ac08606d9
SHA256 93dea8b3ee6509b0fbd9cbf98149a2bc0efe3b225a67b97abe83b98d4f20546a
SHA512 ed9639a619568b480932ed94fc60f6c33dec34b1009df193f23a0cfaddc804fe7b7de9311b981d8d078d0203abb0f48f0000114e59d8490ca79e8caebd092d00

C:\Users\Admin\AppData\Local\Temp\620F.exe

MD5 0e940749a93c9bfc824305f1494b24d8
SHA1 d51d1c874e1310ae598953b2eb24421c34ee8e3c
SHA256 184126e25ed3510e24824accc37d98f7f2369a6f99e30470dbf742d7e8d07896
SHA512 f563c72a5bb3f40238b714d22238cfffda7f2e868b2e6b8ecdfafdcf67ba3ba99e78458ec96f9cd95b80a848f0802233809ab2d01e6feb267fce001d85855ca4

\Users\Admin\AppData\Local\Temp\is-LNLN5.tmp\tuc3.tmp

MD5 969681d5c78564fc404c551b4ec765b9
SHA1 6bc69f65f7f7bb6d9e2ba57ed05b6ef80d0af402
SHA256 b860b3b2e19bdb68de6202fe2b4ccf7866d90310c5db097f310958478731b393
SHA512 762652c5dd8506bb1ec43f6514195bc9f37b56b0812cd257ec095fc43d59fb43e0d99f5d3f46285d930fda4a4f73e5a27207f0af396b4c5353c94959cffd6060

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 a5454c4d09174a5e3ec802430616f166
SHA1 fbbe8740de7ef6d763587c1daf36ad57e8db1902
SHA256 27be1f35b2acbf3d4046f45745ca3406914b8e0919a43eee5a8b8be5bf9a31cc
SHA512 6472773377ddab42d91ee48e64599e2b3eef755bc097a949e7b174e003ae2e9a1d581cd6eee5a1b080d799fd15bdfd25077cbb0c5b509b1d00511e4bedb448cf

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 83eda04232b7c2b011547173df9cc69d
SHA1 45c74c39ddad3a9a01dbccb9ec35b1d173cf3684
SHA256 e9d89b6430fa65ef7c144884e4eef66f9b65131faf3f5a108ee07a8c15d58a1e
SHA512 0d8806bad0385ca28e25ff06d50f0306bbd3f215929033ce638b3ebffccc1ebd4ae7e97aba9f93f30dbac42f217ee11e751e8c362e0b9c7bdf87baba5af78e48

C:\Users\Admin\AppData\Local\Temp\is-LNLN5.tmp\tuc3.tmp

MD5 115f08fa058b59153f65c59b205158e4
SHA1 c6ee446e8128c2d3d3e063f71c64c40ca1261f6c
SHA256 fcc45c73460a337db82b6e7c8a201371a235c77dc3c7e6550a72e85e0e70fa0f
SHA512 2321f4b6794169fedc7fec7308beec6db6b4653898e54616bbb30262e7406fc68c3db3cf86bafa2b7ab3fc1ddb06013d9657c3c7b185104ad4665f656706910a

C:\Users\Admin\AppData\Local\Temp\620F.exe

MD5 e81915a6e699305423689dfa1d59888c
SHA1 3736284eec6258fa5f77d6fd08c39fc33fe35a02
SHA256 b96f763fb5cdd10febc46326516266cee3453b97aeebe1598d39107ec1a27ceb
SHA512 64bb81a1b4d1d70843ffc11e2050c275c2a6292620f91990199f8e5ba6bf3109a183d08669324dfe369a97c25072d2d87356416163b65fe0802d406ef1549113

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/112-83-0x00000000742E0000-0x00000000749CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 91f0f4b39290cfa675e274ace9ac5981
SHA1 0b95418584671e0c958a324ae771588a62e25674
SHA256 f154a8c039d6e24808d4e4b75d98b116652683aee17e29ab43e1e5c13f8ab2bb
SHA512 7241af9b7d01f8ac1fa266f0cfd967d558c835de00c4e4a8ff07aee94005fa147b90d847027eba6fca8b1c410586195c88bc457ddaf7328280b4d02d5aadc96f

\Users\Admin\AppData\Local\Temp\is-983K9.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2880-110-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1288-99-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-983K9.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-983K9.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-LNLN5.tmp\tuc3.tmp

MD5 ea3600469f6b04d1ee1735c4232feac7
SHA1 4914219180c15121d2ec6abf9045196d88924e71
SHA256 b6f318ead75d904f109b7c5caf81855d086772d6954b05b19f63f8863d5274db
SHA512 d3ea3c5cd61d4012c53e1cd19ffee13314dfa97ed83442305b8daecab4aff36239ba6492ec2fd54ef2a5722f6c5b1a5f830fa321f2710c1214677e17a6e75592

C:\Users\Admin\AppData\Local\Temp\6C8C.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/1700-125-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1700-123-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1700-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1624-113-0x00000000026C0000-0x0000000002AB8000-memory.dmp

memory/1484-114-0x00000000001B0000-0x00000000001B9000-memory.dmp

memory/1484-112-0x0000000000290000-0x0000000000390000-memory.dmp

memory/564-127-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1248-129-0x00000000008F0000-0x000000000092C000-memory.dmp

memory/564-131-0x0000000000400000-0x000000000040A000-memory.dmp

memory/564-133-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/564-132-0x0000000000400000-0x000000000040A000-memory.dmp

memory/564-134-0x0000000000400000-0x000000000040A000-memory.dmp

memory/564-130-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1248-128-0x0000000072C60000-0x000000007334E000-memory.dmp

memory/1248-135-0x00000000071C0000-0x0000000007200000-memory.dmp

memory/564-137-0x0000000000400000-0x000000000040A000-memory.dmp

memory/564-139-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1624-140-0x00000000026C0000-0x0000000002AB8000-memory.dmp

memory/1456-142-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1624-143-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1624-141-0x0000000002AC0000-0x00000000033AB000-memory.dmp

memory/564-144-0x0000000072C60000-0x000000007334E000-memory.dmp

memory/564-148-0x0000000072C60000-0x000000007334E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0785dd5ff5aa0c9bcb315ecb64ef3e7a
SHA1 c95f9cbaa0e403353dd8fc27a0bddf527b37d49e
SHA256 d954da4e321dba383d71b5fea6bfdad054f783fbeb1bc1bd485e99bdfed6264b
SHA512 7bea114bd0c6235c2c739e23ec35674f7d3c8d1b340bbfebae63536b3942001abbb3b5041888c321d861c7d91974fbe0f70650b61df549ebd4bf7d0faa747514

memory/2880-149-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 e7c4c812ccd3e3c2ec7786efac0e5dbd
SHA1 3ff0389c518878c811aef27eb6aa464072025f88
SHA256 95d2725caa16b67e0281fa18f413d6f412524478d50434b0615cc4f2ef1e0534
SHA512 4c7c3d5078d0add4f98ba94fb886ab54a1181c5c8651366e275e50ef18d93e713e16da6be42eef8f85a4114313348f16c8473f85a2dcd148f1178facf23519c3

memory/1624-151-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1624-152-0x0000000002AC0000-0x00000000033AB000-memory.dmp

memory/1204-153-0x00000000039D0000-0x00000000039E6000-memory.dmp

memory/1700-154-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2228-158-0x0000000002680000-0x0000000002A78000-memory.dmp

memory/2228-160-0x0000000002680000-0x0000000002A78000-memory.dmp

memory/2228-161-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

MD5 f88387b54f65e9f26ec43f668b2d550e
SHA1 59d5b19071dc28a67f30416b33210f9185cb6649
SHA256 15f7be07308bcaa52a16eea507138c3a17081b37e68b5b01ea239fb2c20e2b9c
SHA512 a2ad18724d2ad1319e1036d22bf4578abb7ab13754813fbe9bb7c5b3c596f5c3c8e9372d4729fd41d4ff72a0162117daa09802fc57f85a73e123f9f005c60951

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

\Windows\rss\csrss.exe

MD5 651f1858bc6218da424a756454bf99b7
SHA1 2554626295d3f5f1e71cd7f34f9dcae5a353085e
SHA256 213fad6ee00072b84f66a71121ad9cc0f237010db2d585a5d44be04d42e50d24
SHA512 543281f4868ca7fb7b91f30103c525a3f4fdcc3cc3237a567fd5e205a487e2ee8323d34958eabcaec3538a40618b5c207a10eb516f9000ba19f6103901274fb6

C:\Windows\rss\csrss.exe

MD5 cc84ad78448e65a2a1e1d75ddc08f3c0
SHA1 34bc3a17d1d769b2da1607e6fc38a2d2b1789abb
SHA256 ae04880281e2de66ed6dbeddb4c23f713c21865b406828261ebf18257efca565
SHA512 63778c7c3b68ed387b793b8e5668a046dfd1131a6f44d1731f001f7e3b3141078ac953200585a330f1671596ad252e483a51132c672f219dc3d3f9ce06836839

memory/2228-173-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Windows\rss\csrss.exe

MD5 2a301af33558298cdfe68116399c1237
SHA1 0eb8646d8a4146ca818f551f01fcf659fee8b2cd
SHA256 a6268ed681d6d39fd3a30fc13fcb2537ad5164af085d7e6445fce5c6539aa0eb
SHA512 1b81fea7dfe7e67758dedcfb518f04d2d2a94fce4ab4a8d4f12852210fd066e62cdc3b856d61658f03a49c61030615ed8c484ae7d75c3f42147229ebe8926a43

memory/524-174-0x00000000026F0000-0x0000000002AE8000-memory.dmp

memory/1288-175-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2880-176-0x0000000000400000-0x0000000000965000-memory.dmp

memory/2888-177-0x000000013FC20000-0x00000001401C1000-memory.dmp

memory/524-178-0x00000000026F0000-0x0000000002AE8000-memory.dmp

memory/524-179-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1248-180-0x0000000072C60000-0x000000007334E000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 894d080a42dc24128d5c0a5b445c291c
SHA1 a3c932e589a7a69d7cfa9c74c3fbc2fa55d841c5
SHA256 63f24c85aec930963aa4006f8a6a54ba3e61647b118100640545f991cdbc0877
SHA512 7815809a7c505417272f33227228344688532c14366ed4ae30f2e82c38590cc64d97f4576a2b0fd6c2309ad0b9f05a74fcbd3a4340a8a74f1007371a65327a10

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 037e5fef3c1f1d1ae44defebc7c0b36c
SHA1 615cf9221c91038f557a0caaf63b0db123c5cff2
SHA256 e3f381dab3354fa7627797aa55bc38d3a77f4af3173b9f03747e77ff122d4ab3
SHA512 3a3adb6718a35e55210d447bc3166a34ec9740cd2838537065f29afa4bc6bdca347d9bc6dd064722d3cfd48ab97324621e1a5136fb5c9aa25cc27a61969e981d

memory/3068-187-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 36cf49d35463a22f6371992184594b43
SHA1 a7f7be6758821e8524a44779f11746d15cf4b04f
SHA256 cd63999252936dff342dce018145b8d1677bb709948d5c8bb90a2866c4ba0888
SHA512 07fe30931b4782666d263f3a0b4fb58524531f2b3e94f1b888b07d47e5052363bfa59c045fe0e77e967df427ffc91eedeacf27159335614a11a0f7b63d81fa4f

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 c2a35050c3b8210aab3d814549666420
SHA1 701abffc6dafb7ee3efa9da4b40733dcc77754f8
SHA256 5958f44f93726c96fd8d4d707ea0f0537aa5fa3f4316e79d408c26aa45fd472c
SHA512 f6cbb446fcabfe12bacb611bb4a99b3091a5dd43ad97207efb5c2e5a3c9655d12837f633bf86174825409a0d7d513fb15988b5d93b4237b2a222629512bb1c00

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 17433103dbe7e93b162e76125b1ece87
SHA1 c77c87675e98ab14773c0f9b56c61adac0415c04
SHA256 89f6ee308245728d733e403ee9dce3ff35727bbb55a40018dc6667a678226a2d
SHA512 01caa4ce7dc1069dd6dbcad03efe86bfc777aca388aae4b9af0234e1041d0e61875766601b734ee89f4d954786eaac70631efaeb76ab1470acf3e16e4807c6e2

memory/1248-200-0x00000000071C0000-0x0000000007200000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 8cfbf6701faafa4af1d5588a116acf97
SHA1 6db5ec744677013af9e507c50273975b356a47d0
SHA256 34eff134a1d42844a61928802adaf790dd508a46c8dc6ff0146ea1dd5d29438e
SHA512 09c4eb1642667c49f1a06cf75bd62f9685c2ce071a044c18c44ec527a2c1478c889db0275a7d7d891f33f34716cb1f4d27fa428b903960aa162a4df2f4f06925

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 75729123854d3895bfcff8fe59cfe6ff
SHA1 be8b99fc54e177bd4f4edd5c56129d3b93188ac5
SHA256 fafbbd3d4fe5ef1a20a2c74364617c7e36821926424ebbfb26f203d3197effb7
SHA512 8cb5139409ff55a1b9e9248712c32db930887f1aac48ff0b395330a2d767cba31a111bb6bd3f9964bb906406796607e58feab48cef7a5defe0b0ebb545951219

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 30c49a7af81433b71ad82ad0847aa7ee
SHA1 ba967bc83764eab2e05c9237978b7aae0fb5128c
SHA256 fb4754df6f24d83cd09ed86eda415bcf41523244e49e474c0b71728d20434463
SHA512 4f98bf6e080366c7aaab86b4a4f6bba1ed2123979a9e5bd7387584c9f25ad193ea17a89e5159f64706b76e1c62ac3397a0fd3dc6df5f0a39a0ecf7d6d83d19b5

memory/3068-202-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 8f4f1234deccb2698e5c6132d6d32294
SHA1 135ed72de79b05b9e0ae73eccc6f350f82c70292
SHA256 10b59813b179cf1327bcabee490e468d1923ed75c30b37b1f7cd1100b1f04aae
SHA512 4e8fbff890c4b1114665d0f0311c80af1d98863f7942781de50f6e5c57c8e92709db5afc13374778f6b4b83812230862fc29bd676a190dc1439dd46db187d277

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 102e850cef5d987da10e7ca8e6484442
SHA1 8340609467b5704e56f6031e297c336994044d9d
SHA256 27d925fe8423a71d546028deddbdd913425f9984315152e5ac7d3e9d435fb1ff
SHA512 6b4cf8d55cacbd3639c9758699ae62849e86f4bf24543c691a69b4ce9559ce9f1c06cf93596a063afb4d296da64a24601f574e8bd02a1d602c84a107ae087f3d

memory/1248-220-0x0000000072C60000-0x000000007334E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabACA6.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\B0BD.exe

MD5 9cce111a2f5a8b2c68e1a05151789cc7
SHA1 53ae530bbf0c57781ee4e9ee3d8f54499ee80342
SHA256 a39c8564c3a045f3d4f93d66f6bf640dc26eec7b4455a3408571b662bdcf4ac7
SHA512 3a6d70884db616fa192cfee5e7ea5a09a508a2d49855f07e7e98c459a6ff57864bd1f486d675f049b59ecf78824741a55b2a27d2bb176801db4c7e7b19b962b3

C:\Users\Admin\AppData\Local\Temp\B0BD.exe

MD5 529379c3f1f87d60620e42326234dfab
SHA1 77fbdfa6ceb0404e1a2732677a6d04d13e389f39
SHA256 1bac3ad40dc5b4b55822adf7b0b38a13fdfd3b8032d54218b8efbd7b30455314
SHA512 1e31eae67b62aa7ef5ee20cd7cceafe2a0e85d2bd224bc34e6d333f472e9097b6521e1340a6867bc46fa0bdc1a7a29dae6088ba29fe056c3c6824ec3b25244b9

memory/1060-237-0x0000000072570000-0x0000000072C5E000-memory.dmp

memory/1060-240-0x0000000000CA0000-0x0000000001252000-memory.dmp

memory/524-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1060-241-0x00000000051B0000-0x00000000051F0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarB95A.tmp

MD5 56f5f1937e495aba3881ad48bedc3a45
SHA1 2a95b245fbb5f17fa30eab3d066c73b809380c09
SHA256 a143af915e5e155ca73890ea3c0ead2f1280c7add9f3bfe51affae32d5a0839a
SHA512 c7087b5acd58bd35cd3ffd749e348f722cebbd26b80ce7672cc187768650898605557c731cef5da5ed3db82c4ba1fea2f50182c9acb7000d6be135bfe18c00d9

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 00:43

Reported

2023-12-11 00:45

Platform

win10v2004-20231127-en

Max time kernel

91s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe"

Signatures

Eternity

eternity

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3344 set thread context of 3640 N/A C:\Users\Admin\AppData\Local\Temp\652B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Checks SCSI registry key(s)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe | N/A |

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Runs net.exe

Runs ping.exe

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Suspicious behavior: MapViewOfSection

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3408 wrote to memory of 844 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7A6B.exe |
| PID 3408 wrote to memory of 844 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7A6B.exe |
| PID 3408 wrote to memory of 844 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7A6B.exe |
| PID 3408 wrote to memory of 1584 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D79.exe |
| PID 3408 wrote to memory of 1584 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D79.exe |
| PID 3408 wrote to memory of 1584 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D79.exe |
| PID 3408 wrote to memory of 3344 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\652B.exe |
| PID 3408 wrote to memory of 3344 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\652B.exe |
| PID 3408 wrote to memory of 3344 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\652B.exe |
| PID 3344 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\652B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3344 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\652B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3344 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\652B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3344 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\652B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3344 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\652B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3344 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\652B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3344 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\652B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3344 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\652B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3408 wrote to memory of 3576 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\721C.exe |
| PID 3408 wrote to memory of 3576 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\721C.exe |
| PID 3408 wrote to memory of 3576 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\721C.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe

"C:\Users\Admin\AppData\Local\Temp\0x0007000000016cba-119.exe"

C:\Users\Admin\AppData\Local\Temp\7A6B.exe

C:\Users\Admin\AppData\Local\Temp\7A6B.exe

C:\Users\Admin\AppData\Local\Temp\5D79.exe

C:\Users\Admin\AppData\Local\Temp\5D79.exe

C:\Users\Admin\AppData\Local\Temp\652B.exe

C:\Users\Admin\AppData\Local\Temp\652B.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\721C.exe

C:\Users\Admin\AppData\Local\Temp\721C.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-DR1HQ.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DR1HQ.tmp\tuc3.tmp" /SL5="$A002E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Users\Admin\AppData\Local\Temp\B9C5.exe

C:\Users\Admin\AppData\Local\Temp\B9C5.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

"C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\E6C1.exe

C:\Users\Admin\AppData\Local\Temp\E6C1.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| MD | 176.123.7.190:32927 | | tcp |
| US | 8.8.8.8:53 | 190.7.123.176.in-addr.arpa | udp |

Files

memory/2452-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2452-2-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3408-1-0x0000000002730000-0x0000000002746000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7A6B.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

C:\Users\Admin\AppData\Local\Temp\5D79.exe

MD5 d0c59443e41e1160209139841fa39c9f
SHA1 76be0077ce9dc5ef6756b8c202a6d5d94c759535
SHA256 de3b8eeffa2d3ce30a578af1de877afd5831e428ca7c0767933d6e6af9ac815c
SHA512 d954cd9752d04a8d182377505e5c9a9f942425daf99301e3a136d1dca7565d8b181485d08852194c1b9152752b75824ce55c052d3697bf0c54e48dfb56332f28

C:\Users\Admin\AppData\Local\Temp\652B.exe

MD5 0de1d0372e15bbfeded7fb418e8c00ae
SHA1 6d0dc8617e5bcdd48dd5b45d8f40b97e4bbce0a1
SHA256 98df5d41ea0e8ba3846de781c30543be8777d1bd11241bc76bc903a4be81c502
SHA512 7b3f2d2cc3fce6707be938053fd94a8a5edb48f7dad787847bd362329b6f07657fd7f66ab1f5c5d78db12aa7a41717ea3c7cbe8a1706d2456d1c42e9b1fb4e67

memory/3640-20-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3640-21-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/1584-22-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/1584-23-0x0000000000B60000-0x0000000002016000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\721C.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/3576-28-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/3576-29-0x0000000000070000-0x00000000000AC000-memory.dmp

memory/3640-30-0x00000000059B0000-0x0000000005F54000-memory.dmp

memory/3576-34-0x0000000006E50000-0x0000000006EE2000-memory.dmp

memory/3576-35-0x0000000007000000-0x0000000007010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 77471d919a5e2151fb49f37c315af514
SHA1 0687047ed80aa348bdc1657731f21181995b654c
SHA256 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1
SHA512 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844

memory/3576-43-0x0000000007120000-0x000000000712A000-memory.dmp

memory/3640-53-0x0000000074A60000-0x0000000075210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 62390c72f2b0f1a0e2dd75159b7d6c30
SHA1 06186e727be396a616820ae73af78ee7af780a1d
SHA256 1bc0a283fa451fc06085ec610454bfdec2b2487dbd4b61b70a0d6835c5239d42
SHA512 46eb6818062a5842b4358ef6a8ab0266bec7cd2506c7bcd721a8a50ef5f2930176dcc1bb2c7963a2eced722544a1f4226f85bb719a33df84eeea87e62e117c83

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 b91430f48b85af11e965a1df11fdb59c
SHA1 f1a49262009044f0e0fdbf0450dd718935152372
SHA256 1f0c9c42e7c4ccce9aed15ce33dbcab11e5482432f2df6e260ca7c1b0a9eb90f
SHA512 9dee8362c90632a04f67835e53c8563f6680ae43e52320f15d2ef3090d669a5e7d93248ce174fa0f1878aa4b6dd907494464a728a3e40ec943c3faabf2dd7cfc

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 ea8273f5c8007c970fe44c76797e6ef7
SHA1 440c194a1ecac6b57dd7dfaec170a61e283ce42c
SHA256 defd8fc95b61280b3c14b147a17325db56979588ca653ae6dcb0298788134380
SHA512 d5eb9f21002069d74441c7ffa07cee168f45286e30c3c489fee0cc3fb1746603d41ecb3ad17307178cf3611545d18436de1d850abba4dc146663cef69a05ec5e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 62a117accf1701d57d4d3b2e30daf6ff
SHA1 0ac915f51c25856b99d303aefcc516a06a8fae9c
SHA256 066c6c0b72add7e6ef1a9d0c1499fd91c9ef0a61e4aea41aedc70c253fa8569b
SHA512 7d05124016a176a9ed10fae15af24090598f2aa56444271462478decf6c682b18958ad07108e478e75bf23353392a633ae5e3ff86c7269884ecbfab3a7adb9c7

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 ba9dc6325eeeafad4c75b3bdbb7f76e7
SHA1 9ee06772ec6c46af86db163982a4102161e720c0
SHA256 9ea04c9acb03c65f634140ab244024fc41bfde3b6417d4e6573fc7b3bd803475
SHA512 fb65d1a7485ae84fc0f451a16229717620bd1ac03d17ee700261f9942a8bc5329616af9801455d66605de7ae98e3be417d0986f5c3be8ce4c53c7c78730597a1

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 1113ffc27b3d546df4c668f520876b8c
SHA1 c51c1d9f136dbf46a1b64ce259c10d070b822efb
SHA256 cacdefd1e504c2a475243ec093b05e5b1735850465dcfe4c98dabfb6f2c58096
SHA512 725b7dafd68922c451f2729412159f3906eaada07a16d0bbb892894b04bc591baaa8e67fff09407ba375187e8ca66413270e3b4203d7136bb5a2ba47dc61a620

memory/3576-76-0x0000000007FD0000-0x00000000085E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 f673b327203f45d0c12815e59a175ced
SHA1 105c6133f8d4d05dd44ccbf2214210b2eb45be95
SHA256 70b4a85c674d6b17bfd114b2b97adafcb07ba97586b62d59bde8ad179d3d9be8
SHA512 de74814594a5405603ff38b3377ae84d1bf3c2bd7d737fa0160c6e4f45e27058de75115fba468ca0f3f7ab01ffa66689d193af29c451d3684bfbf925f62510e9

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 0d20a5253d6047514e8d1fd41c684ec4
SHA1 6b737ec431ad97be9a87035c1093ebd2658d65c4
SHA256 fe8765126fe48275d33647f34480e760aef7d63fece8609229747230d6941139
SHA512 15db4de6977964d3838b6f31ed5a4d726ce34d08c0b47b3b46bc18f43cd91fcd55bc6b1c1a6dbd4ea4eda89ba1ed557c97642ea7d152fd3b3ea41a272923a15f

memory/3576-81-0x00000000072D0000-0x00000000073DA000-memory.dmp

memory/460-86-0x0000000002730000-0x0000000002731000-memory.dmp

memory/3576-84-0x0000000007200000-0x0000000007212000-memory.dmp

memory/4404-82-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 8e7743d807112cd3b9e0e5aedaea9085
SHA1 f4a641c5fcf31677a7a14aa469bf2898b28aaa14
SHA256 28a6ac13a45e96a06a88d5dcd5ab66bec44a1a0ee87e3b9828cfd87ad8b37631
SHA512 952d645be27206ae50339ecb105613bc026d07503336b4adcbb716a6308f459552e92fa48b7e2ad0bb69141c6e8420028357a1393af5038bfa73858eec79715d

C:\Users\Admin\AppData\Local\Temp\is-DR1HQ.tmp\tuc3.tmp

MD5 5525670a9e72d77b368a9aa4b8c814c1
SHA1 3fdad952ea00175f3a6e549b5dca4f568e394612
SHA256 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
SHA512 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

C:\Users\Admin\AppData\Local\Temp\is-DR1HQ.tmp\tuc3.tmp

MD5 d52700c3a47a01b552b7a54a3464a8b8
SHA1 716b45fbf08a79ccac15a2c62192abf2adbf48bf
SHA256 91e8bedfa4b71e5d6210b36bf3f90a0a4eb94e4144ebf7104f0ac0cf607cb67c
SHA512 385a676748908a6ebab6fc9213868d01877b4890de4679ce6970c4e483aa97b6f4b515a84959dfabae015758183e60fb1f5bd348eb3178614f3aed64b1fda960

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 e6398c572d3912e95d67990db42f7b65
SHA1 1caeb92853c065336109a4b63813aedcab048aad
SHA256 46d152bb29f8bff9153f8e357b8b06d56b865e3aadd43a67e5a5645878c1359c
SHA512 d6986cc29c6fac52959ab3945c398e28369dbd3a0654d8c3186227855dd5639685cd7ba3e308bc78189dfc5dd8aca894d30c4029b8d0c019b16080377346576d

memory/1584-101-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/3576-99-0x00000000079B0000-0x00000000079FC000-memory.dmp

memory/3576-94-0x0000000007260000-0x000000000729C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-10KES.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/3156-117-0x0000000000540000-0x0000000000541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-10KES.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/2152-245-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2152-246-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 20992e430832c3dc9f2d5377528172d3
SHA1 8eaef9326c0ad87c48311e41328e002d23c906fa
SHA256 69b9872a3c1962b7378ca6dca3b84aa11802cc898cdc9361cb5f056dd15c2ec2
SHA512 d80c629eab623acb73fc461be7b0bf3bd64be26a77f6f14c522ce31cbe748a33a616c9ac022cb8a3d25030a6de5f201be7f5cc4e75f39cc60548d27460734e86

memory/2152-249-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 950328525b0af55ad797db64ca914d61
SHA1 7f5700b5e124e6f08cd949e3b73357bb1da768dd
SHA256 cd3f378a7666337bfeb874c137fe88f9e14ec93ecd834bef96d551bff28d961f
SHA512 84a04353c8b7ccbe1b7347271e40b869c5a6dfda3bd08278f89c76920af49ed901f96de7357204ada7d33ca2439f32b06b234f892f65c9de5f37986aa280b40a

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 0dc259120b2591cfed58dcafc5589410
SHA1 bf522e052d925c96d7028f8484e2dff20e25c23c
SHA256 3002bc73c9b5c853c67616c192584100dc89056a88652d19af6c388eb8fb6e1e
SHA512 d96151c8b99ab42c3203dbe330b496b375cda3ade5e87fe266e05dd486e144ddf95168225ba28d3c02accd9f31be6ef94f6ce11258a3b2be8dbe75953a23df2e

memory/1732-252-0x0000000000400000-0x0000000000785000-memory.dmp

memory/1732-254-0x0000000000400000-0x0000000000785000-memory.dmp

memory/3576-256-0x0000000007C20000-0x0000000007C86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B9C5.exe

MD5 5f87c196dfc3e418fe0b4fd88b063e97
SHA1 892358dce25c4fe7f4d1a3996db2c4dce5d4ad09
SHA256 e5b8ca0e15bce2e8f3102f5fd553baa010ad5f0ecdc35cbb212219690314a0da
SHA512 988956fcfa2d0d8a4dffd2141c8cdd59c3e16570ec80d048b7b14ec2baaaad905f399e40c7e55f87657b86087e0c1e70633c4a0fc1fbe24dec9bf224a4c69144

C:\Users\Admin\AppData\Local\Temp\B9C5.exe

MD5 f46fcdf3b8d78523a59981d45ad725f1
SHA1 06507e670624f3a363ef4e1c1271d784e82e0d07
SHA256 e716d2e4f1d37f5d9be93b3ecc8a7c5e1621344988ddc34729f2ac2505f940d0
SHA512 1d765b8c013b26b636430f318f519168e5914734e999efffe4d5d7fa30e35d39adabd91f86192449e2a2b5e93bcf49d34f28995b5f56158725d3223969d14b64

memory/460-262-0x0000000000400000-0x0000000000965000-memory.dmp

memory/4404-263-0x0000000000400000-0x0000000000414000-memory.dmp

memory/444-266-0x0000000000820000-0x0000000000DD2000-memory.dmp

memory/3156-265-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/444-267-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/3976-264-0x00007FF76DF70000-0x00007FF76E511000-memory.dmp

memory/444-268-0x00000000058C0000-0x000000000595C000-memory.dmp

memory/3576-269-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/444-270-0x00000000056F0000-0x0000000005700000-memory.dmp

memory/3576-271-0x0000000007000000-0x0000000007010000-memory.dmp

memory/2156-272-0x0000000002980000-0x0000000002D83000-memory.dmp

memory/2156-273-0x0000000002D90000-0x000000000367B000-memory.dmp

memory/2156-274-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1732-275-0x0000000000400000-0x0000000000785000-memory.dmp

memory/1720-277-0x0000000000400000-0x0000000000409000-memory.dmp

memory/460-276-0x0000000002730000-0x0000000002731000-memory.dmp

memory/3220-280-0x00000000008F0000-0x00000000008F9000-memory.dmp

memory/1720-281-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3156-282-0x0000000000540000-0x0000000000541000-memory.dmp

memory/3220-279-0x0000000000B28000-0x0000000000B3B000-memory.dmp

memory/3576-283-0x0000000008AC0000-0x0000000008C82000-memory.dmp

memory/3576-284-0x00000000091C0000-0x00000000096EC000-memory.dmp

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

MD5 89d41e1cf478a3d3c2c701a27a5692b2
SHA1 691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256 dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA512 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

memory/3408-288-0x0000000000E80000-0x0000000000E96000-memory.dmp

memory/1720-289-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3576-293-0x00000000089D0000-0x0000000008A20000-memory.dmp

memory/2156-292-0x0000000000400000-0x0000000000D1C000-memory.dmp