Analysis

  • max time kernel
    79s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231201-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231201-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/12/2023, 02:57

General

  • Target

    b846f0bb8a677991d85807fded1e9007.exe

  • Size

    37KB

  • MD5

    b846f0bb8a677991d85807fded1e9007

  • SHA1

    38e24fe6301cf2426bb90ea635676c87a860c21f

  • SHA256

    62f28fb67834679ed133e70158c6b89327de331af2e89ee895da8f43d2bb13a2

  • SHA512

    890b9b0f691064c81e53fcff4235ac382c06713d4065d0e68bc7ea18867a5b883a8f09a8c3e54be9b8f6ed82cd997fc7b3154d9305751f5983cdfd6fedd3a96c

  • SSDEEP

    768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments: the Identifier value under HKLM\HARDWARE\DEVICEMAP\Scsi\... carries the disk's vendor/model string, which names the hypervisor on VirtualBox, VMware and QEMU guests.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe
    "C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1100
  • C:\Users\Admin\AppData\Local\Temp\9451.exe
    C:\Users\Admin\AppData\Local\Temp\9451.exe
    1⤵
    • Executes dropped EXE
    PID:1752
  • C:\Users\Admin\AppData\Local\Temp\729C.exe
    C:\Users\Admin\AppData\Local\Temp\729C.exe
    1⤵
    • Executes dropped EXE
    PID:3832
    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      2⤵
      PID:4928
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        PID:2852
      • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        3⤵
        PID:4736
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:512
        • C:\Windows\system32\cmd.exe
          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          4⤵
          PID:1724
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:3060
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          PID:4440
        • C:\Windows\rss\csrss.exe
          C:\Windows\rss\csrss.exe
          4⤵
          PID:2152
    • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
      "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
      2⤵
      PID:1832
      • C:\Users\Admin\AppData\Local\Temp\is-SGTPU.tmp\tuc3.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-SGTPU.tmp\tuc3.tmp" /SL5="$601CC,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
        3⤵
        PID:2368
        • C:\Program Files (x86)\xrecode3\xrecode3.exe
          "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
          4⤵
          PID:5008
        • C:\Program Files (x86)\xrecode3\xrecode3.exe
          "C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
          4⤵
          PID:3376
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\system32\net.exe" helpmsg 1
          4⤵
          PID:536
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 helpmsg 1
            5⤵
            PID:3372
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Query
          4⤵
          PID:4560
    • C:\Users\Admin\AppData\Local\Temp\latestX.exe
      "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
      2⤵
      PID:1480
    • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      2⤵
      PID:2416
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
      2⤵
      PID:4188
  • C:\Users\Admin\AppData\Local\Temp\75E9.exe
    C:\Users\Admin\AppData\Local\Temp\75E9.exe
    1⤵
    PID:4988
  • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    1⤵
    PID:1488
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 328
      2⤵
      • Program crash
      PID:3120
  • C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    1⤵
    PID:3300
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1488 -ip 1488
    1⤵
    PID:2808
  • C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    1⤵
    • Modifies Windows Firewall
    PID:4616
  • C:\Users\Admin\AppData\Local\Temp\BED9.exe
    C:\Users\Admin\AppData\Local\Temp\BED9.exe
    1⤵
    PID:4364
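
Three of the behaviours in this report translate directly into hunting rules: the netsh firewall rule that allows a dropped C:\Windows\rss\csrss.exe through the firewall (Modifies Windows Firewall), that csrss.exe copy executing outside System32 (the genuine one lives only in C:\Windows\System32 and is started by smss.exe), and the SCSI registry read used as a sandbox check (Checks SCSI registry key(s)). The Python below is an added example, not Triage output and not the malware's code; it runs the three rules over constructed Sysmon-style events modelled on the process tree, plus two benign controls that must not alert. The SYSTEM_DIRS set, the SYSTEM_BINARIES list and the "parent lives in AppData\Local\Temp" heuristic are assumptions for a default Windows install.

```python
r"""Hunting rules for three behaviours in this report: a netsh firewall rule for
a binary dropped as C:\Windows\rss\csrss.exe, that csrss.exe copy running
outside System32, and the SCSI Identifier registry read used as a sandbox
check. The events below are constructed to mirror the process tree; they are
not Triage output."""
import ntpath
import re
from dataclasses import dataclass

# Where Windows keeps its core binaries (assumption: default %SystemRoot%).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Core process names worth checking for masquerading; a copy of one of these
# outside SYSTEM_DIRS is never a legitimate instance.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}

# netsh firewall rule creation; captures the program= path, quoted or bare.
NETSH_RULE_RE = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))',
    re.I)

# The Identifier value under this key holds the disk vendor/model string,
# which on VirtualBox/VMware/QEMU guests names the hypervisor.
SCSI_KEY_RE = re.compile(r"^hklm\\hardware\\devicemap\\scsi\\", re.I)


@dataclass
class Event:
    kind: str                 # "process_create" or "registry_read"
    image: str                # full path of the acting process
    parent_image: str = ""
    command_line: str = ""
    target_object: str = ""   # registry path, for registry_read events


def in_system_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def from_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def detect(event: Event) -> list[str]:
    """Return the names of the rules the event trips (empty if benign)."""
    hits = []
    if event.kind == "process_create":
        if (ntpath.basename(event.image).lower() in SYSTEM_BINARIES
                and not in_system_dir(event.image)):
            hits.append("system_binary_masquerade")
        # Match on the command line, not the image: the 32-bit dropper reaches
        # the 64-bit cmd.exe through the Sysnative alias, as the tree shows.
        m = NETSH_RULE_RE.search(event.command_line)
        if m:
            program = m.group(1) or m.group(2)
            if from_user_temp(event.parent_image):
                hits.append("firewall_rule_from_temp_dropper")
            if (ntpath.basename(program).lower() in SYSTEM_BINARIES
                    and not in_system_dir(program)):
                hits.append("firewall_rule_for_masqueraded_binary")
    elif event.kind == "registry_read":
        if SCSI_KEY_RE.search(event.target_object) and from_user_temp(event.image):
            hits.append("scsi_identifier_read_from_temp")
    return hits


def scan(events: list[Event]) -> list[tuple[str, list[str]]]:
    """(image, rules) for every event that tripped at least one rule."""
    return [(e.image, hits) for e in events if (hits := detect(e))]


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\31839b57a4f11171d6abc8bbc4451ee4.exe"
SAMPLE_EVENTS = [  # constructed, modelled on the process tree above
    Event("process_create", r"C:\Windows\system32\cmd.exe", parent_image=DROPPER,
          command_line=r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule '
                       r'name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'),
    Event("process_create", r"C:\Windows\rss\csrss.exe", parent_image=DROPPER,
          command_line=r"C:\Windows\rss\csrss.exe"),
    Event("registry_read", TEMP + r"\b846f0bb8a677991d85807fded1e9007.exe",
          target_object=r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0"
                        r"\Target Id 0\Logical Unit Id 0\Identifier"),
    # Benign controls: the real csrss.exe, and an installer opening the
    # firewall for its own application under Program Files.
    Event("process_create", r"C:\Windows\System32\csrss.exe",
          parent_image=r"C:\Windows\System32\smss.exe", command_line="csrss.exe"),
    Event("process_create", r"C:\Windows\System32\netsh.exe",
          parent_image=r"C:\Program Files\Vendor\setup.exe",
          command_line=r'netsh advfirewall firewall add rule name="App" dir=in '
                       r'action=allow program="C:\Program Files\Vendor\app.exe" enable=yes'),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The netsh rule keys off the command line rather than the image path because the tree shows the 32-bit dropper launching C:\Windows\Sysnative\cmd.exe, the WOW64 alias that resolves to the 64-bit C:\Windows\system32\cmd.exe; an image-path match alone would miss it. The second netsh.exe instance in the tree (PID 4616) appears at the top level with no recorded parent, so in production the parent-path heuristic should be backed by the masquerade rule, which needs no parent information at all.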

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Downloads

                                                • C:\Program Files (x86)\xrecode3\xrecode3.exe

                                                  Filesize

                                                  67KB

                                                  MD5

                                                  1e01a8b59c9004e06988208ad09f8cfb

                                                  SHA1

                                                  dc6d336b324fa15dee2a904e7563e9900e9ec2f7

                                                  SHA256

                                                  9d04a88a17c4d4b3cfb33ee91466b41e150515621b910ea64557307c06262e10

                                                  SHA512

                                                  44317208e0a93c7c4eb2b59fa36652cdaff98a042d4570d9873c6a26c58c9f1f4edabde2319c354921d679f8f17b806d05d30f49fcbe05134c4a2cd6018fdfbc

                                                • C:\Program Files (x86)\xrecode3\xrecode3.exe

                                                  Filesize

                                                  24KB

                                                  MD5

                                                  de917e5b08803c3af4c64bf7a59b7c4c

                                                  SHA1

                                                  59960fedf2117b33f50529893d53c98ca437759b

                                                  SHA256

                                                  d7a1b547ce2ba11f13cf57db709eb66478163c0d39663e3ae72d5c114a7f3e20

                                                  SHA512

                                                  e0cf30a924726dbeba06e813c4f630eb66173c1ceb040a66fd4e75730777d8aeb103d8b1df7ab5a761dd410b55494279285c4f4439e4793f2562441561e44267

                                                • C:\Program Files (x86)\xrecode3\xrecode3.exe

                                                  Filesize

                                                  16KB

                                                  MD5

                                                  db25f32c3da4a24eb2d3a2b914086c3b

                                                  SHA1

                                                  6d26643a644bc47bc77817183a9da5efc7715acf

                                                  SHA256

                                                  87b68b186fd253126681dbbb99c18ffeebab106563c7767f55d62a9bfa512e8f

                                                  SHA512

                                                  82a1e8f5671ec1a8f2d9ba8415e3da167efcffc7a0b4ac7607bcaa1379dd3a9f35af03feece785d3c39121c9b68a2a6b592ea2d2c4d1e87d2a28efd61a7b4a89

                                                • C:\ProgramData\SpaceRacesEX\SpaceRacesEX.exe

                                                  Filesize

                                                  43KB

                                                  MD5

                                                  a9f2cac980ad1faf203e3abdedf4da8f

                                                  SHA1

                                                  a3bce8f22593ba96fa66599420fe71ea35299a66

                                                  SHA256

                                                  32286c1b0e661bc214365865ce9174b8aa62a290e1c6dfe0b9eff997f28e8259

                                                  SHA512

                                                  eb047fb04acf3990c8e244c917d69f29a06891bd27b2866ae419390846fa7fc232bdd088491eacea3c43a1ff458c810e41a10320a4a540f82a469b9a9cc02ad6

                                                • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

                                                  Filesize

                                                  57KB

                                                  MD5

                                                  16879ee8a51ab934d7b9a36b0d9a6290

                                                  SHA1

                                                  1d5325273172eb91427cadd4c0336e8009bcc414

                                                  SHA256

                                                  3ccf19097a58b6480513591b977231ce2548274027bf805e85619aa62933839b

                                                  SHA512

                                                  7fcc5733e0151c967b1e0564b92863dc21fb7db4b9bd0e71656ed2995661888055e24c257cf7e7313538b00610b8aabccf1f7cddd565baa3bcba9dbaa0014c3c

                                                • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

                                                  Filesize

                                                  556KB

                                                  MD5

                                                  16af3551c222f6847d365b2a07bdad7a

                                                  SHA1

                                                  b0db2964261a78dbcafd83b4aa2c1f9651a23c58

                                                  SHA256

                                                  8a4df24b49f2087b66865dd360edccac935a7fc7fdadffcebd4e6c1d6daca2a1

                                                  SHA512

                                                  ce071fed772c971e3207552f52c08870be757883c1b5490ad3087eef92bfecea69d6a35f62b17a44fcb1f574d907d14805f2faf3e4d773ab7fd9923bd0fa69a1

                                                • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

                                                  Filesize

                                                  84KB

                                                  MD5

                                                  da69fe1ec72c66d6d5cb4660d2aa0096

                                                  SHA1

                                                  f4c9532bbcdae456d9b3102e01197e8032ae906d

                                                  SHA256

                                                  d12c519c7de09e7a7eacb8a9fcce77a8c49ddb249875e2ce9cbbb2d0e46eb015

                                                  SHA512

                                                  1e4dca9098cd5f8dc96216b9a618eabb59eea04bb3ba7e262d617eac8c3478c3911963a933a3693990f2ac17a65c7d4912d96bc1a7ddeb071eb1fe3a1ed45e80

                                                • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

                                                  Filesize

                                                  40KB

                                                  MD5

                                                  a0516776a9453ef04e1930e9e932f8f9

                                                  SHA1

                                                  772c22f42ce2032d5efb573d6514f61da2b1ec8a

                                                  SHA256

                                                  445d5fe629e2f1085379b971e03252b3e27fc3bd49c6fd46deb284715e07102d

                                                  SHA512

                                                  f83fce7f92b48a5cc94b0a59d761bc03f19e933e06ee8ab9b7e424673bc50d6c19b34d5a474ee2b53ce35879e09a68de5f0ab4d905ce75c9d99619abf9638e99

                                                • C:\Users\Admin\AppData\Local\Temp\729C.exe

                                                  Filesize

                                                  204KB

                                                  MD5

                                                  e48f6d63e08545ebebb69a65348b520b

                                                  SHA1

                                                  4baaa7cdfae4715e841dc432a908c6db9a86cc8a

                                                  SHA256

                                                  3957108b4e53297db0322fafa6c59802436c0a43cf350deb3b409bd41d847723

                                                  SHA512

                                                  e0d11045e12da1c137e12e6744583cd75a1649b223cdbf513c72f354873f426bdd0c9854a87e427a18cf543c19ab77c48c2a735de89d0378b5912247a5396dd6

                                                • C:\Users\Admin\AppData\Local\Temp\729C.exe

                                                  Filesize

                                                  243KB

                                                  MD5

                                                  bb2020dbcc2c8bdea19bade91c4595fb

                                                  SHA1

                                                  5b18b608796b708b500b3007e6863b67bb33f95d

                                                  SHA256

                                                  fbe36e45621fea85ee0ab12e84529177993ac32be83c8c23e303813ff43bb5ec

                                                  SHA512

                                                  e268ae13efd03c09d66871a6b44e15f67d91e752a52e53e421bbf31aa880bfe31505cbd4f7a078cd32283b09cae3065b02775090a369a06eedde14d3ea2f8d3c

                                                • C:\Users\Admin\AppData\Local\Temp\75E9.exe

                                                  Filesize

                                                  219KB

                                                  MD5

                                                  91d23595c11c7ee4424b6267aabf3600

                                                  SHA1

                                                  ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02

                                                  SHA256

                                                  d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47

                                                  SHA512

                                                  cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

                                                • C:\Users\Admin\AppData\Local\Temp\75E9.exe

                                                  Filesize

                                                  167KB

                                                  MD5

                                                  12604a75ffe9fe85b4cd9c1159ada9e6

                                                  SHA1

                                                  ab1b4205e30e3b8a2254bdb802d48dbd0717475e

                                                  SHA256

                                                  5ef1e8c54f031274792caf78292d4c84602e16cf1a668afef0e79e167ca29aa7

                                                  SHA512

                                                  a99f79bc16e28c58ac0a6659dc14ddcf7dea3356bbdfafc20d4f3e9904ab53e69b82bf0759de45e063aa68b9d67de20ece6224a06ffed01da92fd4342642b614

                                                • C:\Users\Admin\AppData\Local\Temp\9451.exe

                                                  Filesize

                                                  401KB

                                                  MD5

                                                  f88edad62a7789c2c5d8047133da5fa7

                                                  SHA1

                                                  41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9

                                                  SHA256

                                                  eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc

                                                  SHA512

                                                  e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

                                                • C:\Users\Admin\AppData\Local\Temp\BED9.exe

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  aea4a3521885b37a1c8980c57b302a64

                                                  SHA1

                                                  5c1cd6f4fe19cb915eb3a9b3e1d9cab7ee6ff066

                                                  SHA256

                                                  3d1ece4cee96c27d631b70743ca0942df77d2a4803a2a51e415ae4a061889fec

                                                  SHA512

                                                  67445b50ffd4745bdd8d62cf05ee6c45dea641ec0eafd6802a9d94843a5c1282248c65bb69cb9653f220e163c98f256b63f56fdddc73f062b3d1cea11d170b01

                                                • C:\Users\Admin\AppData\Local\Temp\Broom.exe

                                                  Filesize

                                                  251KB

                                                  MD5

                                                  a8e8188aeacbdda049680a6e01045890

                                                  SHA1

                                                  8e7550c10838f8fb8c3c110c7e592c920016af7d

                                                  SHA256

                                                  4899f4608a2cdeb7d09ad3aa499b5736a5e2457c7f22e3ce3a52436d1a709866

                                                  SHA512

                                                  580773e099612eeacda8b58a10805d9e61cbac5fb489519b1e86b6f6d6aacec0b956bfd6ab8e3e627ad7ae6173fa5cf84361d1e6cb9cdc0a705e958be372793e

                                                • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

                                                  Filesize

                                                  85KB

                                                  MD5

                                                  6c0f52a5d64d63342a75809dad01db84

                                                  SHA1

                                                  696201a40d3b0fd5d782d9a7ce72414ec572fb53

                                                  SHA256

                                                  0cd5e005d5016f47ccb32765a03e3ebda937f7d8d567fcff7e40729f17e0b508

                                                  SHA512

                                                  fdf4894ac2ace4dd902367ff5d501635befdc22c143ded4b0ac4efa5d6d0a6a9b35332a481a587500d5d301847cec8d1b4d96f0356a3c927db1e4e7ca431774b

                                                • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

                                                  Filesize

                                                  199KB

                                                  MD5

                                                  eacdc697edea97484089d4785b4963f5

                                                  SHA1

                                                  c7eab58051c1b851b26216829bd05593628bfeac

                                                  SHA256

                                                  6d2d4445b1a0b9c6949020a350c141cc5e8bb7f15ce1a65cb3cdae92d77e2a03

                                                  SHA512

                                                  937c4c26bf1bee2e5b48325f48963ba1ca7e356226a4d134edea66caecc97ba448188323285ac483ba5831e2b12343d726e39ff24d3ff3474654435ffbfefb1e

                                                • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

                                                  Filesize

                                                  154KB

                                                  MD5

                                                  325f0e75259426949c1e7e00704c4015

                                                  SHA1

                                                  dc3bb01728ac749d57e98bbb43bcf1d2ea5d3603

                                                  SHA256

                                                  ffe10958e9b757bb25efe72f0aa04c434530a4582e9d6946b0c977de97ea2d84

                                                  SHA512

                                                  cfc5e224b36d567f52de01bad7e9a39ab0fbfd1d6b5a8367b4ca4d0804db7a86fa68c2a3ca19e77006b08325eca888b820036b2784f63d7f859d018ac82ab214

                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kuq42npw.czl.ps1

                                                  Filesize

                                                  60B

                                                  MD5

                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                  SHA1

                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                  SHA256

                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                  SHA512

                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                • C:\Users\Admin\AppData\Local\Temp\is-OJRH5.tmp\_isetup\_iscrypt.dll

                                                  Filesize

                                                  2KB

                                                  MD5

                                                  a69559718ab506675e907fe49deb71e9

                                                  SHA1

                                                  bc8f404ffdb1960b50c12ff9413c893b56f2e36f

                                                  SHA256

                                                  2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

                                                  SHA512

                                                  e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

                                                • C:\Users\Admin\AppData\Local\Temp\is-OJRH5.tmp\_isetup\_isdecmp.dll

                                                  Filesize

                                                  13KB

                                                  MD5

                                                  a813d18268affd4763dde940246dc7e5

                                                  SHA1

                                                  c7366e1fd925c17cc6068001bd38eaef5b42852f

                                                  SHA256

                                                  e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

                                                  SHA512

                                                  b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

                                                • C:\Users\Admin\AppData\Local\Temp\is-SGTPU.tmp\tuc3.tmp

                                                  Filesize

                                                  96KB

                                                  MD5

                                                  21b22731aaaed5b39ee226ee1590ac84

                                                  SHA1

                                                  72dad7fb65a97a38fce0e8f73df7b1df5e014b97

                                                  SHA256

                                                  488dad1446ad7315106ad1dd5fabc1c0dc1ea762cb5854bb3628c417e2e1cf80

                                                  SHA512

                                                  a5caac6fd36085562dacbf8e3ae9bfb89622369f9f2cd09b423ebb12d2e91587c6aa421e492c175892bfc4f26dd46a7e6084f67a81bc697512dcd0b660b285b9

                                                • C:\Users\Admin\AppData\Local\Temp\is-SGTPU.tmp\tuc3.tmp

                                                  Filesize

                                                  220KB

                                                  MD5

                                                  2b49a33d1cc1b143882bfb7adb7fef9e

                                                  SHA1

                                                  f2852260d929b7a5cec513958e9ac69ad670ad56

                                                  SHA256

                                                  1b9c228b701dde25f89a134efc7cfbea5cf20f32d4e5be5674c2036ac8945041

                                                  SHA512

                                                  0c549846d63c29d284b70369752aa978917331e6e71ce0f9423716a3c0d0db7f2243aabf97ac8f613bccd6e273c7cd531bd35298eef72d0af721b1b1f9d86942

• C:\Users\Admin\AppData\Local\Temp\latestX.exe
  Filesize: 106KB
  MD5: 7ac959499451f7a26df5179017c465c1
  SHA1: f453852aa78c890293eee4523ea60a8aeaa4374b
  SHA256: 29d36952ba9b58e17f7384f9ea3d24ccc93f0d28a579dd1a96abb2c343fa77d9
  SHA512: 843e926a26a663878b82bc20b3002cea940924d2bf7ef0b06ed32c200a3fff477873fa4940e20e4bbb12d4df235dd89329df2640c9895a4acec029c3db5a25fd

• C:\Users\Admin\AppData\Local\Temp\latestX.exe
  Filesize: 264KB
  MD5: 8ef3f23097b21e33afc41b74b37a9637
  SHA1: f5507d6eb0c921994399516d4cb26084cee76f32
  SHA256: 3e9756d1fc8a51ac35a84222c5687d553e38a0077a4212893547a0a53222340b
  SHA512: 38b32a8ca8ffe5149c9f7597ee418b25fd0f2c59220e38d5de8bd3e6670aa33bf1818c77182efa1c382695b222799cbacca26ca704fde07ea2e343026a8f624e

• C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  Filesize: 134KB
  MD5: d024c5050ec8b9873965c0488a6c3d6a
  SHA1: 1c32a24d1db43cc0d8c9567150f6a62428e4da1a
  SHA256: 0c7399c9bb7a539bdec5ed0313b073398c51a632937ab866e1ae05a63ae58c37
  SHA512: 34fe95efe9ef2ec83371f1d11078ca0bb07bb05469807a23914fc1a1b841291e68fd3b140d150349b197345a797a72d78f9e34b4bbb2c61e8a402358ca774e7f

• C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  Filesize: 291KB
  MD5: cde750f39f58f1ec80ef41ce2f4f1db9
  SHA1: 942ea40349b0e5af7583fd34f4d913398a9c3b96
  SHA256: 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
  SHA512: c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

• C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  Filesize: 171KB
  MD5: 2c54e350d78801b5c8b812d43763f5d8
  SHA1: 0773a7069c9e642dd18dd0782644db62c7f88721
  SHA256: add2b419000589b279d5ad6ad65eaf1e524117eeccd68e277bdcb8338d99eaeb
  SHA512: 46c9c758754ad54c18fdfae933c0847ba78491077d3d0f7df8207c107008d2f7990b76b48712b577a75c24c43c6a4b4cd09ac21627c77ee5307035157b121cae

• C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  Filesize: 232KB
  MD5: d1738894304dbfec20865c0f6c3e5476
  SHA1: 5ba51bf18b55b65d927c9f5f1245baecaad1f131
  SHA256: 601e730369184de36a4ccc1a489786404fb2cac1674807b945f7b1d2e6d0dc12
  SHA512: ebc07d2c55f4d67bf7cf55610696c75b410e566a539325e24fbccdd60d4482c608c6bae1bffc0732074f597aaa7eddc823f527155356e34a2cc6c1c27839942d

• C:\Users\Admin\AppData\Local\Temp\tuc3.exe
  Filesize: 391KB
  MD5: f6d782cd811b9d321a80c5e106b81aec
  SHA1: 33f0ad05b9fd11778b3056be69928e8c2b132f3b
  SHA256: 7b7d5dbd9a4edd21885c11cc77f7130cb732dac41c4fb6401cc87e1cbcf383a8
  SHA512: f0148aac5f5fa0090432bcec152eb19838f02ea6a75db2fd0213402a74de34b34d12d361cd5350ba93879e0e2d44ecc99924481ebbd5f2b31cb72f2234952691

• C:\Users\Admin\AppData\Local\Temp\tuc3.exe
  Filesize: 453KB
  MD5: 61ae590d86d99d5dbc950d6c71a2879b
  SHA1: 87df214d2ae251fcea9940b69121d2b50b44391d
  SHA256: 7a8586dab123346ee9ec8fd0d51e8c02238873529cd08329f4336e62375bc5cd
  SHA512: a3db59df7071dd8eb81826148a8fb031ff8666803f72f5de3cab6a25094543b61effa50dfb8e6a7c9bad6a1c08fca8ef60d461e08a502f4f4676289544295ee6

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 5KB
  MD5: 623c6adef0ccf0148227d52201b422c4
  SHA1: c8905c734c8e0f9c3e61386f4605059c2a677c20
  SHA256: 630eb97ff99677084eb6842d87cc2f01e1466c15b5b9226195fef6d205a40b0c
  SHA512: ccb5255c72c51f11b17730e6c976d97a2a98de256aa200830e428e2fe8b5a83a4ff97cc4bc25d437abe346d1276eb9a8d22adcc77c45595c560473ae7768d004

• C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 47e9e212f6b2f89bb4c68312d944b3f3
  SHA1: 31efc7fbb5e6279fc46165ddaa15262564d0b0e7
  SHA256: 3850b510d5ce3de0e6a4706ae358e36c9f49a17406d51c22152c1d9cdcaabc21
  SHA512: 0457ab49ace23ac68db196ee72578ba3f57ff7c98e3d174b49b8e6900c6fe64d3d885eec46ccbbdc90651f05d2c16ee31473d6e24d7e65535463ee985fd7591d

• C:\Windows\rss\csrss.exe
  Filesize: 137KB
  MD5: 53bbd25330d69c35def552abef17c727
  SHA1: d33e31b708892c76da146c283b806e1c301a1199
  SHA256: 10c74d04d16111135e5b82f5f507d652d5b4d72b99ff26071d28083e1ce671c1
  SHA512: 56966fbd3784f93dcf47fb5e0f39515ad65577c3a2ce01a5e8d5f54bb4b50c07ef97ebf7c9811d230954ce26048449635404558fdf1c28276f4ca4f39a57311d

• C:\Windows\rss\csrss.exe
  Filesize: 283KB
  MD5: de0dd35b3899dae68747a9dbbd934d34
  SHA1: 35d84875b44b556b97f6f745ca8295e143cd1fb5
  SHA256: 35932ee4f0b02fc344fd732693ade07c3555d1e69b3e80f4c1d951768a1fa230
  SHA512: 4a870ba45c16be213a9d6b2b02b069639a3352201290edb02129a1d1f5c355b3fda876cb987f4e18785ec803039fddb8aa6fa7f369e34395abd96278a4ed7cb1

• memory/1100-2-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB

• memory/1100-0-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB

• memory/1480-319-0x00007FF769EF0000-0x00007FF76A491000-memory.dmp
  Filesize: 5.6MB

• memory/1488-255-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB

• memory/1488-250-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB

• memory/1488-315-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB

• memory/1832-256-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB

• memory/1832-69-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB

• memory/2368-191-0x00000000020B0000-0x00000000020B1000-memory.dmp
  Filesize: 4KB

• memory/2368-320-0x0000000000400000-0x00000000004BD000-memory.dmp
  Filesize: 756KB

• memory/2416-253-0x0000000000A20000-0x0000000000B20000-memory.dmp
  Filesize: 1024KB

• memory/2416-254-0x00000000009F0000-0x00000000009F9000-memory.dmp
  Filesize: 36KB

• memory/2852-283-0x000000006C410000-0x000000006C764000-memory.dmp
  Filesize: 3.3MB

• memory/2852-275-0x00000000067F0000-0x000000000680E000-memory.dmp
  Filesize: 120KB

• memory/2852-302-0x0000000007F30000-0x0000000007F44000-memory.dmp
  Filesize: 80KB

• memory/2852-301-0x0000000007F20000-0x0000000007F2E000-memory.dmp
  Filesize: 56KB

• memory/2852-281-0x000000007F650000-0x000000007F660000-memory.dmp
  Filesize: 64KB

• memory/2852-295-0x0000000007DD0000-0x0000000007E73000-memory.dmp
  Filesize: 652KB

• memory/2852-282-0x0000000071440000-0x000000007148C000-memory.dmp
  Filesize: 304KB

• memory/2852-296-0x0000000007EC0000-0x0000000007ECA000-memory.dmp
  Filesize: 40KB

• memory/2852-293-0x0000000007DB0000-0x0000000007DCE000-memory.dmp
  Filesize: 120KB

• memory/2852-297-0x0000000007F80000-0x0000000008016000-memory.dmp
  Filesize: 600KB

• memory/2852-257-0x0000000005270000-0x00000000052A6000-memory.dmp
  Filesize: 216KB

• memory/2852-259-0x0000000074430000-0x0000000074BE0000-memory.dmp
  Filesize: 7.7MB

• memory/2852-303-0x0000000008020000-0x000000000803A000-memory.dmp
  Filesize: 104KB

• memory/2852-260-0x0000000005300000-0x0000000005310000-memory.dmp
  Filesize: 64KB

• memory/2852-262-0x0000000005F70000-0x0000000005F92000-memory.dmp
  Filesize: 136KB

• memory/2852-294-0x0000000005300000-0x0000000005310000-memory.dmp
  Filesize: 64KB

• memory/2852-273-0x0000000006330000-0x0000000006396000-memory.dmp
  Filesize: 408KB

• memory/2852-274-0x00000000063F0000-0x0000000006744000-memory.dmp
  Filesize: 3.3MB

• memory/2852-263-0x0000000006120000-0x0000000006186000-memory.dmp
  Filesize: 408KB

• memory/2852-298-0x0000000007EE0000-0x0000000007EF1000-memory.dmp
  Filesize: 68KB

• memory/2852-258-0x0000000005940000-0x0000000005F68000-memory.dmp
  Filesize: 6.2MB

• memory/2852-280-0x0000000007D70000-0x0000000007DA2000-memory.dmp
  Filesize: 200KB

• memory/2852-307-0x0000000074430000-0x0000000074BE0000-memory.dmp
  Filesize: 7.7MB

• memory/2852-304-0x0000000007F60000-0x0000000007F68000-memory.dmp
  Filesize: 32KB

• memory/2852-276-0x0000000006D50000-0x0000000006D94000-memory.dmp
  Filesize: 272KB

• memory/2852-277-0x0000000007B20000-0x0000000007B96000-memory.dmp
  Filesize: 472KB

• memory/2852-278-0x0000000008220000-0x000000000889A000-memory.dmp
  Filesize: 6.5MB

• memory/2852-279-0x0000000007BC0000-0x0000000007BDA000-memory.dmp
  Filesize: 104KB

• memory/3300-314-0x0000000000400000-0x0000000000965000-memory.dmp
  Filesize: 5.4MB

• memory/3300-62-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
  Filesize: 4KB

• memory/3300-252-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
  Filesize: 4KB

• memory/3376-243-0x0000000000400000-0x0000000000785000-memory.dmp
  Filesize: 3.5MB

• memory/3376-338-0x0000000000400000-0x0000000000785000-memory.dmp
  Filesize: 3.5MB

• memory/3464-310-0x00000000023D0000-0x00000000023E6000-memory.dmp
  Filesize: 88KB

• memory/3464-1-0x0000000000850000-0x0000000000866000-memory.dmp
  Filesize: 88KB

• memory/3832-82-0x0000000074430000-0x0000000074BE0000-memory.dmp
  Filesize: 7.7MB

• memory/3832-17-0x00000000002E0000-0x0000000001796000-memory.dmp
  Filesize: 20.7MB

• memory/3832-16-0x0000000074430000-0x0000000074BE0000-memory.dmp
  Filesize: 7.7MB

• memory/4736-321-0x0000000002950000-0x0000000002D53000-memory.dmp
  Filesize: 4.0MB

• memory/4928-249-0x0000000000400000-0x0000000000D1C000-memory.dmp
  Filesize: 9.1MB

• memory/4928-316-0x0000000000400000-0x0000000000D1C000-memory.dmp
  Filesize: 9.1MB

• memory/4928-247-0x0000000002D80000-0x000000000366B000-memory.dmp
  Filesize: 8.9MB

• memory/4928-246-0x0000000002980000-0x0000000002D7B000-memory.dmp
  Filesize: 4.0MB

• memory/4988-261-0x0000000007AF0000-0x0000000007B00000-memory.dmp
  Filesize: 64KB

• memory/4988-300-0x0000000009C90000-0x000000000A1BC000-memory.dmp
  Filesize: 5.2MB

• memory/4988-86-0x0000000007E80000-0x0000000007F8A000-memory.dmp
  Filesize: 1.0MB

• memory/4988-309-0x000000000ACC0000-0x000000000AD10000-memory.dmp
  Filesize: 320KB

• memory/4988-103-0x0000000007E30000-0x0000000007E7C000-memory.dmp
  Filesize: 304KB

• memory/4988-90-0x0000000007DF0000-0x0000000007E2C000-memory.dmp
  Filesize: 240KB

• memory/4988-83-0x0000000008BA0000-0x00000000091B8000-memory.dmp
  Filesize: 6.1MB

• memory/4988-248-0x0000000074430000-0x0000000074BE0000-memory.dmp
  Filesize: 7.7MB

• memory/4988-81-0x0000000007CB0000-0x0000000007CBA000-memory.dmp
  Filesize: 40KB

• memory/4988-299-0x0000000009590000-0x0000000009752000-memory.dmp
  Filesize: 1.8MB

• memory/4988-89-0x0000000007D90000-0x0000000007DA2000-memory.dmp
  Filesize: 72KB

• memory/4988-43-0x0000000074430000-0x0000000074BE0000-memory.dmp
  Filesize: 7.7MB

• memory/4988-79-0x0000000007AF0000-0x0000000007B00000-memory.dmp
  Filesize: 64KB

• memory/4988-64-0x0000000007FD0000-0x0000000008574000-memory.dmp
  Filesize: 5.6MB

• memory/4988-51-0x0000000000D50000-0x0000000000D8C000-memory.dmp
  Filesize: 240KB

• memory/4988-70-0x0000000007B00000-0x0000000007B92000-memory.dmp
  Filesize: 584KB

• memory/5008-239-0x0000000000400000-0x0000000000785000-memory.dmp
  Filesize: 3.5MB

• memory/5008-236-0x0000000000400000-0x0000000000785000-memory.dmp
  Filesize: 3.5MB