Analysis Overview
SHA256
f7d72c2cf94d9b4ff3ed9abec4dc6b3b10891f9e6a58d7db9de3a7debb473a85
Threat Level: Known bad
The file f2b05b334ede2a9df37cf699e7e6e137.bin was found to be: Known bad.
Malicious Activity Summary
Glupteba
Smokeloader family
RedLine
Glupteba payload
SmokeLoader
RedLine payload
Downloads MZ/PE file
Modifies Windows Firewall
Deletes itself
Executes dropped EXE
Reads user/profile data of web browsers
Unsigned PE
Program crash
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 03:42
Signatures
Smokeloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 03:42
Reported
2023-12-11 03:45
Platform
win7-20231020-en
Max time kernel
63s
Max time network
108s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A18D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407B.exe | N/A |
Reads user/profile data of web browsers
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1252 wrote to memory of 2832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A18D.exe |
| PID 1252 wrote to memory of 1568 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\407B.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe
"C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe"
C:\Users\Admin\AppData\Local\Temp\A18D.exe
C:\Users\Admin\AppData\Local\Temp\A18D.exe
C:\Users\Admin\AppData\Local\Temp\407B.exe
C:\Users\Admin\AppData\Local\Temp\407B.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\4397.exe
C:\Users\Admin\AppData\Local\Temp\4397.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\is-J7P5O.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J7P5O.tmp\tuc3.tmp" /SL5="$201E8,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211034350.log C:\Windows\Logs\CBS\CbsPersist_20231211034350.cab
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\735F.exe
C:\Users\Admin\AppData\Local\Temp\735F.exe
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | N/A | tcp |
| MD | 176.123.7.190:32927 | N/A | tcp |
| US | 8.8.8.8:53 | 1555b5b5-3d6a-4c01-ae03-2ac75e5d5e7d.uuid.myfastupdate.org | udp |
| US | 20.150.79.68:443 | N/A | tcp |
Files
memory/892-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/892-2-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1252-1-0x0000000002190000-0x00000000021A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A18D.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/2832-12-0x0000000000080000-0x00000000000BC000-memory.dmp
memory/2832-17-0x0000000074040000-0x000000007472E000-memory.dmp
memory/2832-18-0x0000000002040000-0x0000000002080000-memory.dmp
memory/2832-20-0x0000000074040000-0x000000007472E000-memory.dmp
memory/2832-21-0x0000000002040000-0x0000000002080000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\407B.exe
| MD5 | c2496084b0091309a47a48cee7c37229 |
| SHA1 | 375882b33312a888870434ab5f6171b4888dc5a4 |
| SHA256 | d47db5b619a905807f50ac3df9fda40a028a8b2209522b1261b2fc758874452f |
| SHA512 | 0c8a1f27b618c3aed171618dd24b41edca55c0494cce28455ef57de2b597323c51802848906b2710ce98106b66db9e6ab83faa8c73221314999d0783c0ee4a90 |
C:\Users\Admin\AppData\Local\Temp\407B.exe
| MD5 | c22081e9065850cdda43899c2a9942f1 |
| SHA1 | d74bef56c10aa2d55d6d612a8e30e854711dbca4 |
| SHA256 | 145caeaf960c8d3cbbcf66e67e23d7e8f961c6097165f9c9bb5c11482e199774 |
| SHA512 | 60bf2e63abe65b68f34cb7831a5033b0bcfea77d4121a11c0f684f42b5f9077c07b4f46fd5d193a19b912b034bb7a5aa223b72a002a70ce681a55598e69c8ff4 |
memory/1568-27-0x0000000074040000-0x000000007472E000-memory.dmp
memory/1568-28-0x0000000000FD0000-0x0000000002486000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 21b413756f9c36e2baa957153b688061 |
| SHA1 | 33cc87ec09798b5cfba13349be85c43cc6121501 |
| SHA256 | 70d6f1113247c8ddc69324946fa71930af2d99424847e4f78139cf1d62f29f21 |
| SHA512 | 6da7cc071b6bf9ae8a1e8d5185aef3d830ae90c5a0492955e0f047e6c4df0a686f268577f1eedec946a3a0076c838b06bd2658b2f403d744b94e5e212e430f55 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 7f66beca7edae9e7479315c77c255865 |
| SHA1 | b56e1ba3b5b5a31168955c75ccec8c1263fbc8db |
| SHA256 | f0152d80368dbdaba94dc2d25da067bedcdd73299880c622c4102f0cd312fe9d |
| SHA512 | 010730bb9bb31ddb62665e062fe51ab819374a530d7a59b5f28a4a6df26725bcd8431e50e4f124eca104605a3e0a3b14eee3c219d59a7823e24dd5e48ea66b1a |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 1b8e907c57fb4813e4261d2a2728e5b7 |
| SHA1 | 64d5f87d1f82ab7f3ebdbdf119d007471f248ab6 |
| SHA256 | 807fa7e64dc59f1f708b021eb52ee8a92c77e173674a5443d13b008497f5de4c |
| SHA512 | 97098c5871b2fd9a882347e5a79c32e4413a35af17559a48d3f55b6e662b4abb736b2b0613338425d0d4c218d7f701ac181c852510028e0a17e7fccfed0ae3bb |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | bede382d95d90398b70eb5cedf620760 |
| SHA1 | e88169a7471a870806162f328c64f500d5f84bfa |
| SHA256 | 468b08a4e25132793ec388807d41a3ca76d3ca690d7df31139598b83e7305e6d |
| SHA512 | b841ba21e496f956dfe7e730f152181e540dfeaff0641cd8e07af4fded710e0879489d27e6ef86f984c9bf9e98bca3a5f75e479d58226c6284e5b8df473998ae |
C:\Users\Admin\AppData\Local\Temp\4397.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
C:\Users\Admin\AppData\Local\Temp\4397.exe
| MD5 | aeadfa981ecacdc4e7812913b5403ba3 |
| SHA1 | 14a68f4d1dd7e7084a6760abbdd849e65aadc3df |
| SHA256 | 0fb80ea7d320ddd25f8d0ea377ab5fdca00861aaf3595292df43a8a13ccebfa8 |
| SHA512 | a821c2d3de629bb1e3339efb887d6b3d577a39351f9eb563fd658620eb9879665b97b8fe3434cbc4b803e947fbb338530ede329ce0a36feedbf87421306bd17c |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | dd8e66eef385bff9cc60f7a04a6a0994 |
| SHA1 | 9d144861dbab5cbaf589b80cf0eff4f263946ca8 |
| SHA256 | b25fe50b37cad831a4d6070b44f183115314ac1299fdad6f3af98b78b8b85acc |
| SHA512 | 0d9670c37bcffcdd6e31641183e68b0fb0e4718483655b15a6168e46e07b15cc3de04a54be92659bd764ef0a958aa7b637f1541a4110c8bbadd8a5b49fe8f606 |
memory/664-53-0x0000000074040000-0x000000007472E000-memory.dmp
memory/664-54-0x0000000000180000-0x00000000001BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | e9ad100185218c9d8d07478f1ade00f2 |
| SHA1 | d3248f4f7209628f2b49cf1d2ba5e2a36d820fea |
| SHA256 | 3cc9f4b6bb4afd6a998b9be024578bb6444d261a5e667c320cf2b90d47876051 |
| SHA512 | 729555a9a7d913af29bbd8ae5bcd4ac6b6489e6229fd611029ba9c59acfbbae70b1ff9f76d8b3866e7c2dd7c5472c77edd6461b59b2983085a76fa8862bd9c8c |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 67d91d7dfd2e3b4a538cb9332272e91e |
| SHA1 | bc44b3caee1c81096ca085f33b7cf50e631849c2 |
| SHA256 | a674a3e179fdad3f5818d36a8ba0f32b6baad27e563f2daddf1f27c4601537fe |
| SHA512 | 009eb7e14f9434e860a847e86ca79f5caa066a927389f0bae8885d8d2b19253338c51b26886c00e07aaf26f972c708de45588e571d830701e2bf6a44e19bc547 |
memory/664-64-0x0000000007090000-0x00000000070D0000-memory.dmp
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 9d8f33c854882492d14d87cc724bba3a |
| SHA1 | 78778531a865a6b11fd3fcf21325174bfdbd13b9 |
| SHA256 | 78d99e897872b511a6923a1b8d1f67f2ea85212a9c274e161c86dee1cdea6e57 |
| SHA512 | c69cd6e2cda37b3234921965b2bb23a424b05797b90a1b9b22128e0cc20d751afd8f4e5501eabcdd3114b8c5abc230dead0e2ee888480337fdc4848e59443b0f |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | de8ba4fe7d3f0d7e393d58059b8ab4bf |
| SHA1 | 9b492b8e32c8650f58014273b0634ab7a8c153fc |
| SHA256 | af81230fea202c62a696616d39bbf1f796a1350ef340e926748d0fbe94bfd536 |
| SHA512 | d763e0dcf154998addc89a92f7b9735d5100e4569ab79dbe97b48475bcb9fe5c54505251181dfb87295538fcc0176af958b7e39e42029e6b4e5fcef71105f1c8 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 67440156c189e004c995cd311c01e524 |
| SHA1 | 3f85ca6bfd6cbe75048cade970bb594912aaf1ba |
| SHA256 | 9b02cfe45a1ef0f3de49a9408d2a21fb7a37a939576c32540282b27df47af597 |
| SHA512 | e16635466536db3e8f77fe168040d0c9fa8e8f4eab96cee1d5aaa82453b10455f5fae8e0340865f5b5c008eb266d55a7cdd97ab3d26ad0f3a35c0553579f4dfa |
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 0d047ccea1d1718f1ed6e9a3b047059b |
| SHA1 | 7ef06026d39f30eb5d48004936d1236158d823dd |
| SHA256 | 618270cd66a8a532ceb28d8f3dfa35e290a6e0112c584017d1b1f653dab317b0 |
| SHA512 | f9de17024a40e3b6d169c5f6820d274c95f4a570cc1f90e0ddb1fc244771b882208e793b4467d573a3fe20393f5fd65c17448e26f98568b2019e1387abf0a12a |
memory/1184-73-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 5a3179d15184b45850bf245e892f98b3 |
| SHA1 | c897b5644d8eb2b7a271c959bbd651509af1cc44 |
| SHA256 | b49e0cc77cacc82ebcf1cc86e57d3265915561fca32a72d42a60fd0253c6559d |
| SHA512 | 18bc62ac3b4a85bfa272c28763999741631e1e5da7df61aa85b6f9b9b4d381b9818e7b6dde3f1114dfe7f34a44e68eda016be6d69bc2a8ac40ecac0cb60da1da |
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | e444235e7e5bbe262dc9f4174f8b9112 |
| SHA1 | 9a43766d4dfbe849854274cd99962ac262e6c6bc |
| SHA256 | 188033fb56b41e1f3073d2f0e299a1571fdb26e27badd36f7c1a2ccab92eea6e |
| SHA512 | c7d0a1b7e1891544e811f9da4c02304e8c4cf64f00cc12177469d004d1f4403a32cd5990cabb042b8500dc73075de0843022398c458325e7fc1671893b0f03bd |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 1a8e84170d6f3d504105da8950fbad7e |
| SHA1 | b27ad5efa7f3c11c08e54f4a765fc3e6c7eec04e |
| SHA256 | 3e534a25381885102d4d2bfd0e23de874cb8fa58bd02f3b421f9e019f9f0a80f |
| SHA512 | 4d9431beaafc82e0c98aebac7bf5adfcd1412ec2c9e9e18bd25dcdffc3d8f62ce1cfa15e762c6a01ad7f9bfaacd079afa8d96d560808d8ffe3e81c0e4e15c504 |
memory/320-78-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/1460-80-0x0000000002700000-0x0000000002AF8000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-J7P5O.tmp\tuc3.tmp
| MD5 | 4f90bbab05684e79f8c3506a1120a3b4 |
| SHA1 | 8553f777f6b42635b7913d307c0cbe0674b7aac5 |
| SHA256 | 2c4c605e0d6e4ce4f36cd2ce70d2c569d8372204c0ca77eb57bb1729c5eeba42 |
| SHA512 | 5aa0b76db11fa2cb2c76e43a883261b534ec9c8c3f39a9dcf2459156b1f5c7d7fb234d4e60ebc0f2e322b25bb0e4d4ba53278279520fbb871490dc7fdbc10577 |
C:\Users\Admin\AppData\Local\Temp\is-J7P5O.tmp\tuc3.tmp
| MD5 | 1174db328d775861aedadabde26c9c06 |
| SHA1 | d42819f5b37e9a86180ec36be9d83410e88c8d97 |
| SHA256 | 42f6af9b4c924792262b473ced55877c0a391a444a7415c77a44b8ba9d7a714b |
| SHA512 | a4a24a0a7c83130aa29f4d9560cf519774a7bb5918118c6871ebc900fc332a5dba127dbc54a87c8ebc19361728899dddcfdf9f4fe80c86e579c948bb787c0250 |
\Users\Admin\AppData\Local\Temp\is-47AA4.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-47AA4.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/1216-92-0x00000000001D0000-0x00000000001D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-47AA4.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-J7P5O.tmp\tuc3.tmp
| MD5 | 2b18b7be3421f88babd79d276d03a388 |
| SHA1 | 035e7cac0a9fef80ea0d628e4b54eff6071e5815 |
| SHA256 | 3b4781d78a633f6ad455271d144d28b9fc940a194bbe283229dc7a4905ca467a |
| SHA512 | 454e1755547fb7c324032d7aca25b4bbe793ab7b07e12f0afe72d0c726a1c10d6843d97292dbfbb67cdaf4c91a0247501a32201add21e38cde6616da717416ae |
memory/1460-110-0x0000000002700000-0x0000000002AF8000-memory.dmp
memory/1460-113-0x0000000002B00000-0x00000000033EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 81e588841e6002a5f0f76babb3eddaa8 |
| SHA1 | 9b697d9c31cbc296625fd7c7a74a3e949e78125c |
| SHA256 | 4218c89256dd9df5461cff9db484f72c9bde6787c735fe2347ad576a6fc5064a |
| SHA512 | 63b3b78c1599ca98725137401860d851af10b72e6d59bced10b8f865d979097f3a6847fc29c96154321138d3f29afbc4caff88054d65fbbbe0fe64aadbb8a4fe |
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 96101dce8e6a49c5c5db044a5bcb3294 |
| SHA1 | fafc7470b37b18a77111baa300032461539be149 |
| SHA256 | 79b80e398a1220af759558fd69b83155dc33338c45a986fc0c9811220044a376 |
| SHA512 | 0043c79044ebacb3f0700a8bbc2ee20157a601dfa2eb02bcc9567477feed3c6451cbb682775114fdba6c487498646409bc6583e5fed96198f01e2958cebdd16f |
memory/1568-115-0x0000000074040000-0x000000007472E000-memory.dmp
memory/1460-116-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 01df719676856e3e1b25431cc6abef5d |
| SHA1 | d4b99a91762f44798f3a6e6a2afc022b0067b5d8 |
| SHA256 | d4a1eaa3eee2549271a682840812243a2260a0b5f68496cbb196b5d3a31a5b8a |
| SHA512 | 85e214957c04da0839fa67a14a1f480facc091fb9a1961190365b3188e4b99f6669608ecdd5e8532097dadb792075ff2e06e7e1f323024e45b281091d2581f18 |
memory/928-127-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2224-126-0x0000000000270000-0x0000000000370000-memory.dmp
memory/928-123-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2224-125-0x00000000001B0000-0x00000000001B9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | f47354f5f5b41a08668690480f143c82 |
| SHA1 | 09d10d77cb09a624cf795952b7a5959299a5d0e8 |
| SHA256 | e7786e675e970d1319d363536e87360c087c69719f7e7cd63dfec0032ee39f4d |
| SHA512 | b59598ae90e99a17e0d93de61b28580de7ef6238ffcdb5924a4481436d6629e5607225368cdb05e067421df251e1ab6e0c1efb7b8210cba1ebab6a7ab1453590 |
memory/1460-129-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1460-130-0x0000000002B00000-0x00000000033EB000-memory.dmp
memory/1460-131-0x0000000002700000-0x0000000002AF8000-memory.dmp
memory/928-121-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 89c6bcfc5cdfc721da6449cb0e7c20a6 |
| SHA1 | 42c1bcefb941993944c32f83368c3de6bbfb1f50 |
| SHA256 | 21d81cbf8cc091679f9c2c4326618859b1a485adacf2b1ce053146e2d7184ddc |
| SHA512 | e168159742e3f84c2485c7ac3dfc69dcdf2302ed4a0bcfb6a85fc42ee2dc2f28cdb13f058fe2dacdf00001909a5ea8ab31f666406eb8c7a8874a0a5c38e0235e |
memory/1648-132-0x00000000026D0000-0x0000000002AC8000-memory.dmp
memory/664-133-0x0000000074040000-0x000000007472E000-memory.dmp
memory/928-135-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1184-138-0x0000000000400000-0x0000000000414000-memory.dmp
memory/664-152-0x0000000007090000-0x00000000070D0000-memory.dmp
memory/1648-153-0x00000000026D0000-0x0000000002AC8000-memory.dmp
memory/320-151-0x0000000000400000-0x0000000000965000-memory.dmp
memory/1648-154-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1216-155-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1252-134-0x00000000037B0000-0x00000000037C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\735F.exe
| MD5 | 37538ec36382843b0cf173e0ffcf6ffa |
| SHA1 | fbe115339744b574d153d4345bf17888c8adbdea |
| SHA256 | a0311e71e97f9b98078dfd364e37688ef2efbae3b55306da6909026dc6f2756d |
| SHA512 | 01223df75febe07036d2fcd4b99e5c3fd40fa2a30db58d03e4c0f7ad078727544a029221be3ba226655a352b507d8fde30a0322184dfbd2e0176767606e828f6 |
C:\Users\Admin\AppData\Local\Temp\735F.exe
| MD5 | 8b104f66ed5e09a360531b4bb0e2a51c |
| SHA1 | 02114bf12bcac0d1d2a9aa13699a178bccdad0bc |
| SHA256 | bbc198f94875706e7a4f44bd4a4194febf73ad47474dd189746ecd203ed7a7a6 |
| SHA512 | 6e7415c3f4cc98022ab0e84d8f456fb22dceae0ebe9ed8aafc1183f27dea072b7ab06412ea0a8ba42c7502d9de8fb251ae1b78f31edd8b68115f298674ab1e6f |
memory/1724-162-0x0000000074040000-0x000000007472E000-memory.dmp
memory/1724-161-0x0000000000060000-0x0000000000612000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | f47387d57ee88e5f84f102af3460d919 |
| SHA1 | 60f3dbcfa56d34cf4b7c7b29433dc89ad3924aa0 |
| SHA256 | b40d8c050edcfbfcd22fa8b65cdd62f7345984b4d959311bcefb1b04bf8b25c8 |
| SHA512 | 1b577d4e52d9d55ffc7e2d87d7ae146ed4b2d57a56231abf5b9fe34e49dd4e1c9e52714e3ac5d58c58aea7944a17869bbd79ecdda76102c51fc53a76549be116 |
\Windows\rss\csrss.exe
| MD5 | 80e6191ae7c782fae9544c8945ba806f |
| SHA1 | 12a148d1ece9f446d33ee6e2f1246f8bd3b31d2e |
| SHA256 | 695f97004ec815bae89661ef92d23988cd54c751d8727a561a6d0eddbf0fad4b |
| SHA512 | c2ec53a9a0cb20cdf46fc46dc0c574b6d21122840b8a600afc74f0e43c230783b885b9acabc92fecac414b0e8af7d6fa0f033844fea8e6e0b20be53a27f99b42 |
memory/320-171-0x00000000002B0000-0x00000000002B1000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 5c956541fb9e4988a6bf6727621f0915 |
| SHA1 | 89e432a390e4cbdada26e38cfba88241a17ba526 |
| SHA256 | 026761c6ec9d3852cf898ed3d0866e74f03584b737447a7137fbc94e7f526428 |
| SHA512 | 73527602fdda3b70ef958fd40cb8c56011c7dc9aae36ebd5445bedec65ae3c14fc1b6504a35719dd237364f5e93262d4fc57d45b9c7b526c5ed1fedae951fae6 |
memory/1648-172-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1724-173-0x0000000005420000-0x0000000005460000-memory.dmp
memory/892-174-0x0000000002650000-0x0000000002A48000-memory.dmp
memory/1820-175-0x000000013FA00000-0x000000013FFA1000-memory.dmp
memory/892-177-0x0000000002650000-0x0000000002A48000-memory.dmp
memory/1216-176-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/892-179-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 2264d77194cb550fd290c9b334abffe4 |
| SHA1 | d6f85c34ac3cb7a181f3418c2d6cdcd6c72c3e90 |
| SHA256 | 518a62a9fedebb7cf95872e1caf4e6178b91ec6f6449b7eb7176c9cbea413e14 |
| SHA512 | adbefe28cbb918d4ec971e1c2133d2baf347e41326f78fd11ee204ddb9c4a4a075c28c7b5aac2db312e2a758d3f9be4c57a9eec5d973f49aaa19b7b462c4191d |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 82327680509e772853237cf86fcb4417 |
| SHA1 | 75a146ea57d8464d69b590bf36d6446f153ace20 |
| SHA256 | 21c07b7889f71a8d7fa80fe553b70e4ae98f2fe083561499315828c4d759319f |
| SHA512 | 51bbd865fb1bc0e5d58222a13e4e20a4d350c10b7ba641de23458da7c28ef03b17c0716204f25ce67d41258755f0d1f26077d20850434121ca6b75a543bb02dc |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 576d592aead0bcc402d5caecd94e9f21 |
| SHA1 | cbafd8f0cb211d30a77ae46b1810f77bd7570f69 |
| SHA256 | de0d22c01d83027bd02ecd2b4f148d3e43a9226e70ef1840a4ef58a670295dfe |
| SHA512 | 642a928a2f38cc5f8ca5ddabab6b1f0050d4092f174562e6e2dfbda422310893e5b66448c52341104ec6861a42ffe8218e4eb78d09f3a50256ee5c4e55bc7b90 |
memory/3012-185-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 087a521e8eb51c16cf8a8e7240baf281 |
| SHA1 | b156a5aa37170a84c7f72473f5fd4e9ae265302a |
| SHA256 | bc7a213751eb5c5ad997c051a97d06c4a968578d2c6ca62610266a5928ac49ba |
| SHA512 | 9f5600d276bf18ffbe03f2173872f2a4443376716fbcce0ae4d0e60a15af6abe5def081e66e7988d11e4cb695cc0bd2015d2f0e03e6aa3e7eb0da40f597a45a9 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 99a0ddc602051d534da340253d497b6a |
| SHA1 | 8b2ed02fad938d0a610cee25b2ad2a12e8a40437 |
| SHA256 | 600fc8c2215daaa79f878cecfb4781eeeb41bdce021fdd5c19b4ccb5d9ddb26f |
| SHA512 | ff2a5650ea6875b03b3cdd938149e208194fdd733e91450ad8a1853a0df9e53c5736e949a61a2f0de64b5d1bbceac22462663286a7ef8840d04d007b89166e37 |
memory/2224-199-0x0000000000270000-0x0000000000370000-memory.dmp
memory/3012-200-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 8a3db489279c699b376a9f288bffca66 |
| SHA1 | 4f350ac5cdeb0ea5d286d1892c12923ce1e1eb43 |
| SHA256 | 0f03e23f82fa561aed651283ae3aab5a6ea2bf71b901495b7f57c7dc0a101fea |
| SHA512 | fff900c0159e5d73a75286e91e61151c00d429e9372745ad534bde5ffdd59071298c8a91dff2f02d7ca589885520f405f761bde27b3fdb8d5078ae70d548dfba |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 0848c4ad6dd36449a7c2342279193672 |
| SHA1 | e39d4ba5b6d94a61aa50d96486af82d5de92b38d |
| SHA256 | bec9c78c42cffdfcbcca1247f6806b85dc0a48b0c56c3ce7816c4f04c374bb2e |
| SHA512 | 8f83b0299308ae0c44a09946777a389deee9ad471f33ec3f7161d850f43cc470386a4a85723561d73ca4421f65fbc5855f09d4f82c67bf8d985177a5f0da012b |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | ef8e510e5d1270e3aa1fdb50a07326cd |
| SHA1 | 77b97ddfef358bd56cf55f2692e83290af69cc8b |
| SHA256 | 28b9fa5929518dd6a30daebbefe6e0c04a947e932fe37ceeb84e21266be2815e |
| SHA512 | 8f4c91952d06c26ae321a3e18134e3442e9778f185e179d0d4d054503fd0f21ddcd7083c751e8852b13e35ee663e6c05df380649689b80729d6a9b83ae38fea5 |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | 41d7cee863594deea47967d498d893f2 |
| SHA1 | 72f7e570a9513fcc817869a5e16e3820260e4090 |
| SHA256 | 92501612e5b0c8b08b030987630206fa1139ac5a5897d8acb79281901c7a6b64 |
| SHA512 | ac2445bba21d430301000c22d3f3937759c6c542b56002e7e012a70db577858a4f834aebd9f6ff8c453bc9a9b9527bfcd1007748778601c1fc476b9c74e577dd |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 0d12ca33de92f37d494473ad881f6a5a |
| SHA1 | 4e0397d1906673c93554c95b99639f045c735cb5 |
| SHA256 | 7ddc32174078e915c81d2a0a836eaeae67fa5914e5ee8d30da132121fafed789 |
| SHA512 | 2ba154304544248a9d0f32caad2cdf87b4be62e4f1b5ebc94274dadf78c2518e4fd0c4ae56423e89d4e0b4c7486bb50fdc1f7655b1cd8727876614a62e5d9e75 |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | ed64aa1cec486f16cc01015952d060d3 |
| SHA1 | db190a8e9b15e4b60739f4e5b9ee29b6eb9eae3e |
| SHA256 | 6bec3bcc47420dbc3c4f44e844ff7f3469f5a6f14b8af96c25f84731227aa13c |
| SHA512 | 4e1334168e60105f6bcc27d13b58e9f5f7cbd969370dca903ad0ccdc7f0bf3f29d2ac74934b80fb29db6938541b4c45f87d43efd8dd0fbeb8fcce8eb9b69604c |
C:\Users\Admin\AppData\Local\Temp\Cab8AD4.tmp
| MD5 | 6a85480f7ad7293592bd27ae118ba590 |
| SHA1 | 0dad2b6b50b27837b3f67cb183b533808e9d100f |
| SHA256 | 8ea5efc85d666c13e1eabbf31bb13a86cec83825005d2364e0b73f7651d14cf5 |
| SHA512 | f4a4ad1eadae7a4b3a22f6819f4351187f838f6f23c742fd6904058aed210d8da79f4bf657aaf4bff9634b36316d72873f5a4bb52a71182b68df42d13ad1ec35 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 59cd089ad94f50e3eae8d8fb97826f09 |
| SHA1 | c7d43c3d25163676a121f6c2b92901073e57be6c |
| SHA256 | 7b6e8ff305543727cf59c9bdfb7662d41b8abe3af552639ce306321236a952b9 |
| SHA512 | b6c67722a30eb193d1b9c77b732ef97fd3af25565527ca96e734e549078615232b518cc36c57b2299ba1300541452a1e2302282cd3d6bbfe6f7fccdbfe6de9f4 |
C:\Users\Admin\AppData\Local\Temp\Tar9095.tmp
| MD5 | f93c08f88904e8712e169f4e1974a764 |
| SHA1 | fcc6851595ac816bed58ca284eeef80c9133cb6f |
| SHA256 | 22342ee5f573ddc4b4665d979dda0820c5fb24c09d2a717e53195fe5a1f55f52 |
| SHA512 | 489525d3ad33ea03ef7257bac57360b11baf27968e6c4cd4b1919f441d6324b4611bb8e58dc4c9ad4a5ee5bfa415b3e15fa46053278525b34c2aa546d15c9741 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 03:42
Reported
2023-12-11 03:45
Platform
win10v2004-20231130-en
Max time kernel
70s
Max time network
146s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96E1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5408.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3308 wrote to memory of 1656 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96E1.exe |
| PID 3308 wrote to memory of 1656 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96E1.exe |
| PID 3308 wrote to memory of 1656 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96E1.exe |
| PID 3308 wrote to memory of 4916 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5408.exe |
| PID 3308 wrote to memory of 4916 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5408.exe |
| PID 3308 wrote to memory of 4916 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5408.exe |
Uses Task Scheduler COM API
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe | "C:\Users\Admin\AppData\Local\Temp\f2b05b334ede2a9df37cf699e7e6e137.exe" |
| C:\Users\Admin\AppData\Local\Temp\96E1.exe | C:\Users\Admin\AppData\Local\Temp\96E1.exe |
| C:\Users\Admin\AppData\Local\Temp\5408.exe | C:\Users\Admin\AppData\Local\Temp\5408.exe |
| C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe" |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" |
| C:\Users\Admin\AppData\Local\Temp\Broom.exe | C:\Users\Admin\AppData\Local\Temp\Broom.exe |
| C:\Users\Admin\AppData\Local\Temp\tuc3.exe | "C:\Users\Admin\AppData\Local\Temp\tuc3.exe" |
| C:\Users\Admin\AppData\Local\Temp\5B0E.exe | C:\Users\Admin\AppData\Local\Temp\5B0E.exe |
| C:\Users\Admin\AppData\Local\Temp\latestX.exe | "C:\Users\Admin\AppData\Local\Temp\latestX.exe" |
| C:\Users\Admin\AppData\Local\Temp\is-7M9K0.tmp\tuc3.tmp | "C:\Users\Admin\AppData\Local\Temp\is-7M9K0.tmp\tuc3.tmp" /SL5="$D0022,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe" |
| C:\Program Files (x86)\xrecode3\xrecode3.exe | "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i |
| C:\Program Files (x86)\xrecode3\xrecode3.exe | "C:\Program Files (x86)\xrecode3\xrecode3.exe" -s |
| C:\Windows\SysWOW64\net.exe | "C:\Windows\system32\net.exe" helpmsg 1 |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\system32\schtasks.exe" /Query |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 helpmsg 1 |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4204 -ip 4204 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 332 |
| C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" |
| C:\Users\Admin\AppData\Local\Temp\8D88.exe | C:\Users\Admin\AppData\Local\Temp\8D88.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
Network
Files