Analysis Overview
SHA256
62f28fb67834679ed133e70158c6b89327de331af2e89ee895da8f43d2bb13a2
Threat Level: Known bad
The file b846f0bb8a677991d85807fded1e9007.bin was found to be: Known bad.
Malicious Activity Summary
RedLine
SmokeLoader
Smokeloader family
Glupteba
Glupteba payload
RedLine payload
Downloads MZ/PE file
Modifies Windows Firewall
Reads user/profile data of web browsers
Deletes itself
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 02:57
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 02:57
Reported
2023-12-11 03:00
Platform
win7-20231023-en
Max time kernel
104s
Max time network
153s
Command Line
Signatures
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F68F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BC2F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C728.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BC2F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BC2F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BC2F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BC2F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BC2F.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F68F.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe
"C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe"
C:\Users\Admin\AppData\Local\Temp\F68F.exe
C:\Users\Admin\AppData\Local\Temp\F68F.exe
C:\Users\Admin\AppData\Local\Temp\BC2F.exe
C:\Users\Admin\AppData\Local\Temp\BC2F.exe
C:\Users\Admin\AppData\Local\Temp\C728.exe
C:\Users\Admin\AppData\Local\Temp\C728.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-FSMN3.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FSMN3.tmp\tuc3.tmp" /SL5="$901C6,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211025914.log C:\Windows\Logs\CBS\CbsPersist_20231211025914.cab
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\102A.exe
C:\Users\Admin\AppData\Local\Temp\102A.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\33A2.exe
C:\Users\Admin\AppData\Local\Temp\33A2.exe
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| MD | 176.123.7.190:32927 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\F68F.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
C:\Users\Admin\AppData\Local\Temp\BC2F.exe
| MD5 | d0c59443e41e1160209139841fa39c9f |
| SHA1 | 76be0077ce9dc5ef6756b8c202a6d5d94c759535 |
| SHA256 | de3b8eeffa2d3ce30a578af1de877afd5831e428ca7c0767933d6e6af9ac815c |
| SHA512 | d954cd9752d04a8d182377505e5c9a9f942425daf99301e3a136d1dca7565d8b181485d08852194c1b9152752b75824ce55c052d3697bf0c54e48dfb56332f28 |
C:\Users\Admin\AppData\Local\Temp\C728.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 77471d919a5e2151fb49f37c315af514 |
| SHA1 | 0687047ed80aa348bdc1657731f21181995b654c |
| SHA256 | 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1 |
| SHA512 | 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | f81be07058935d224ab3843bff94fec0 |
| SHA1 | 1a7360901f8cb5017f7a41ca1a6984227b712b16 |
| SHA256 | 8d4df79cf6bf1cb8285b7358a7c6d92c7f665065999934b24c1175311d99fb6c |
| SHA512 | 342b2c767af972819c57091e9d9d65578522fa48549b6c40aad6791b0c65e186b377e3f095458e8b5d873ffdadd73897252a13bead652bd74a09540d2c27c96e |
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 00e93456aa5bcf9f60f84b0c0760a212 |
| SHA1 | 6096890893116e75bd46fea0b8c3921ceb33f57d |
| SHA256 | ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504 |
| SHA512 | abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca |
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 1f40433778e799319ae0ece36d28f00f |
| SHA1 | 4ce947e15182e61e379fbfbf52b6625cb0528c69 |
| SHA256 | 1d360b097bfd95b5e6312350928af25631973ff1ddfce7835ac5c8b239b9e58c |
| SHA512 | 30e0d4d61dd4535f7e09a0e0d49691dbb9f99ed54f01b4b898eb786b466cdba34e170677887831daa5e6f98bf2f0d8ca7729a2bf7949ee0ac043a617b419030f |
\Users\Admin\AppData\Local\Temp\is-FSMN3.tmp\tuc3.tmp
| MD5 | 5525670a9e72d77b368a9aa4b8c814c1 |
| SHA1 | 3fdad952ea00175f3a6e549b5dca4f568e394612 |
| SHA256 | 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978 |
| SHA512 | 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a |
\Users\Admin\AppData\Local\Temp\is-629L0.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-629L0.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-629L0.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Users\Admin\AppData\Local\Temp\102A.exe
| MD5 | 2e47689f4002fe68d190b2f939f683c7 |
| SHA1 | f389e3443edaf6886220427b65a0688cd87de873 |
| SHA256 | dab540109675f8680f497b14f62913bc6ffa21c28dd4604f480ea5a9beffaff4 |
| SHA512 | 398a682c426be43396894cd8d5dda25f6308f191dab236496522e524a69ceacd31019f238034e27af8af2155b017bd50397a6b3b939441a0e2fdbc034f22b57b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 02:57
Reported
2023-12-11 03:00
Platform
win10v2004-20231201-en
Max time kernel
79s
Max time network
102s
Command Line
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9451.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\729C.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3464 wrote to memory of 1752 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9451.exe |
| PID 3464 wrote to memory of 1752 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9451.exe |
| PID 3464 wrote to memory of 1752 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9451.exe |
| PID 3464 wrote to memory of 3832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\729C.exe |
| PID 3464 wrote to memory of 3832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\729C.exe |
| PID 3464 wrote to memory of 3832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\729C.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe
"C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe"
C:\Users\Admin\AppData\Local\Temp\9451.exe
C:\Users\Admin\AppData\Local\Temp\9451.exe
C:\Users\Admin\AppData\Local\Temp\729C.exe
C:\Users\Admin\AppData\Local\Temp\729C.exe
C:\Users\Admin\AppData\Local\Temp\75E9.exe
C:\Users\Admin\AppData\Local\Temp\75E9.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\is-SGTPU.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SGTPU.tmp\tuc3.tmp" /SL5="$601CC,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1488 -ip 1488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 328
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\BED9.exe
C:\Users\Admin\AppData\Local\Temp\BED9.exe
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| MD | 176.123.7.190:32927 | | tcp |
| US | 8.8.8.8:53 | 190.7.123.176.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\9451.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
C:\Users\Admin\AppData\Local\Temp\729C.exe
| MD5 | bb2020dbcc2c8bdea19bade91c4595fb |
| SHA1 | 5b18b608796b708b500b3007e6863b67bb33f95d |
| SHA256 | fbe36e45621fea85ee0ab12e84529177993ac32be83c8c23e303813ff43bb5ec |
| SHA512 | e268ae13efd03c09d66871a6b44e15f67d91e752a52e53e421bbf31aa880bfe31505cbd4f7a078cd32283b09cae3065b02775090a369a06eedde14d3ea2f8d3c |
C:\Users\Admin\AppData\Local\Temp\729C.exe
| MD5 | e48f6d63e08545ebebb69a65348b520b |
| SHA1 | 4baaa7cdfae4715e841dc432a908c6db9a86cc8a |
| SHA256 | 3957108b4e53297db0322fafa6c59802436c0a43cf350deb3b409bd41d847723 |
| SHA512 | e0d11045e12da1c137e12e6744583cd75a1649b223cdbf513c72f354873f426bdd0c9854a87e427a18cf543c19ab77c48c2a735de89d0378b5912247a5396dd6 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 6c0f52a5d64d63342a75809dad01db84 |
| SHA1 | 696201a40d3b0fd5d782d9a7ce72414ec572fb53 |
| SHA256 | 0cd5e005d5016f47ccb32765a03e3ebda937f7d8d567fcff7e40729f17e0b508 |
| SHA512 | fdf4894ac2ace4dd902367ff5d501635befdc22c143ded4b0ac4efa5d6d0a6a9b35332a481a587500d5d301847cec8d1b4d96f0356a3c927db1e4e7ca431774b |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | eacdc697edea97484089d4785b4963f5 |
| SHA1 | c7eab58051c1b851b26216829bd05593628bfeac |
| SHA256 | 6d2d4445b1a0b9c6949020a350c141cc5e8bb7f15ce1a65cb3cdae92d77e2a03 |
| SHA512 | 937c4c26bf1bee2e5b48325f48963ba1ca7e356226a4d134edea66caecc97ba448188323285ac483ba5831e2b12343d726e39ff24d3ff3474654435ffbfefb1e |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 2c54e350d78801b5c8b812d43763f5d8 |
| SHA1 | 0773a7069c9e642dd18dd0782644db62c7f88721 |
| SHA256 | add2b419000589b279d5ad6ad65eaf1e524117eeccd68e277bdcb8338d99eaeb |
| SHA512 | 46c9c758754ad54c18fdfae933c0847ba78491077d3d0f7df8207c107008d2f7990b76b48712b577a75c24c43c6a4b4cd09ac21627c77ee5307035157b121cae |
C:\Users\Admin\AppData\Local\Temp\75E9.exe
| MD5 | 12604a75ffe9fe85b4cd9c1159ada9e6 |
| SHA1 | ab1b4205e30e3b8a2254bdb802d48dbd0717475e |
| SHA256 | 5ef1e8c54f031274792caf78292d4c84602e16cf1a668afef0e79e167ca29aa7 |
| SHA512 | a99f79bc16e28c58ac0a6659dc14ddcf7dea3356bbdfafc20d4f3e9904ab53e69b82bf0759de45e063aa68b9d67de20ece6224a06ffed01da92fd4342642b614 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 325f0e75259426949c1e7e00704c4015 |
| SHA1 | dc3bb01728ac749d57e98bbb43bcf1d2ea5d3603 |
| SHA256 | ffe10958e9b757bb25efe72f0aa04c434530a4582e9d6946b0c977de97ea2d84 |
| SHA512 | cfc5e224b36d567f52de01bad7e9a39ab0fbfd1d6b5a8367b4ca4d0804db7a86fa68c2a3ca19e77006b08325eca888b820036b2784f63d7f859d018ac82ab214 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | a0516776a9453ef04e1930e9e932f8f9 |
| SHA1 | 772c22f42ce2032d5efb573d6514f61da2b1ec8a |
| SHA256 | 445d5fe629e2f1085379b971e03252b3e27fc3bd49c6fd46deb284715e07102d |
| SHA512 | f83fce7f92b48a5cc94b0a59d761bc03f19e933e06ee8ab9b7e424673bc50d6c19b34d5a474ee2b53ce35879e09a68de5f0ab4d905ce75c9d99619abf9638e99 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | da69fe1ec72c66d6d5cb4660d2aa0096 |
| SHA1 | f4c9532bbcdae456d9b3102e01197e8032ae906d |
| SHA256 | d12c519c7de09e7a7eacb8a9fcce77a8c49ddb249875e2ce9cbbb2d0e46eb015 |
| SHA512 | 1e4dca9098cd5f8dc96216b9a618eabb59eea04bb3ba7e262d617eac8c3478c3911963a933a3693990f2ac17a65c7d4912d96bc1a7ddeb071eb1fe3a1ed45e80 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 7ac959499451f7a26df5179017c465c1 |
| SHA1 | f453852aa78c890293eee4523ea60a8aeaa4374b |
| SHA256 | 29d36952ba9b58e17f7384f9ea3d24ccc93f0d28a579dd1a96abb2c343fa77d9 |
| SHA512 | 843e926a26a663878b82bc20b3002cea940924d2bf7ef0b06ed32c200a3fff477873fa4940e20e4bbb12d4df235dd89329df2640c9895a4acec029c3db5a25fd |
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | de917e5b08803c3af4c64bf7a59b7c4c |
| SHA1 | 59960fedf2117b33f50529893d53c98ca437759b |
| SHA256 | d7a1b547ce2ba11f13cf57db709eb66478163c0d39663e3ae72d5c114a7f3e20 |
| SHA512 | e0cf30a924726dbeba06e813c4f630eb66173c1ceb040a66fd4e75730777d8aeb103d8b1df7ab5a761dd410b55494279285c4f4439e4793f2562441561e44267 |
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | db25f32c3da4a24eb2d3a2b914086c3b |
| SHA1 | 6d26643a644bc47bc77817183a9da5efc7715acf |
| SHA256 | 87b68b186fd253126681dbbb99c18ffeebab106563c7767f55d62a9bfa512e8f |
| SHA512 | 82a1e8f5671ec1a8f2d9ba8415e3da167efcffc7a0b4ac7607bcaa1379dd3a9f35af03feece785d3c39121c9b68a2a6b592ea2d2c4d1e87d2a28efd61a7b4a89 |
C:\ProgramData\SpaceRacesEX\SpaceRacesEX.exe
| MD5 | a9f2cac980ad1faf203e3abdedf4da8f |
| SHA1 | a3bce8f22593ba96fa66599420fe71ea35299a66 |
| SHA256 | 32286c1b0e661bc214365865ce9174b8aa62a290e1c6dfe0b9eff997f28e8259 |
| SHA512 | eb047fb04acf3990c8e244c917d69f29a06891bd27b2866ae419390846fa7fc232bdd088491eacea3c43a1ff458c810e41a10320a4a540f82a469b9a9cc02ad6 |
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | 1e01a8b59c9004e06988208ad09f8cfb |
| SHA1 | dc6d336b324fa15dee2a904e7563e9900e9ec2f7 |
| SHA256 | 9d04a88a17c4d4b3cfb33ee91466b41e150515621b910ea64557307c06262e10 |
| SHA512 | 44317208e0a93c7c4eb2b59fa36652cdaff98a042d4570d9873c6a26c58c9f1f4edabde2319c354921d679f8f17b806d05d30f49fcbe05134c4a2cd6018fdfbc |
C:\Users\Admin\AppData\Local\Temp\is-OJRH5.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-OJRH5.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
C:\Users\Admin\AppData\Local\Temp\is-SGTPU.tmp\tuc3.tmp
| MD5 | 2b49a33d1cc1b143882bfb7adb7fef9e |
| SHA1 | f2852260d929b7a5cec513958e9ac69ad670ad56 |
| SHA256 | 1b9c228b701dde25f89a134efc7cfbea5cf20f32d4e5be5674c2036ac8945041 |
| SHA512 | 0c549846d63c29d284b70369752aa978917331e6e71ce0f9423716a3c0d0db7f2243aabf97ac8f613bccd6e273c7cd531bd35298eef72d0af721b1b1f9d86942 |
C:\Users\Admin\AppData\Local\Temp\is-SGTPU.tmp\tuc3.tmp
| MD5 | 21b22731aaaed5b39ee226ee1590ac84 |
| SHA1 | 72dad7fb65a97a38fce0e8f73df7b1df5e014b97 |
| SHA256 | 488dad1446ad7315106ad1dd5fabc1c0dc1ea762cb5854bb3628c417e2e1cf80 |
| SHA512 | a5caac6fd36085562dacbf8e3ae9bfb89622369f9f2cd09b423ebb12d2e91587c6aa421e492c175892bfc4f26dd46a7e6084f67a81bc697512dcd0b660b285b9 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 8ef3f23097b21e33afc41b74b37a9637 |
| SHA1 | f5507d6eb0c921994399516d4cb26084cee76f32 |
| SHA256 | 3e9756d1fc8a51ac35a84222c5687d553e38a0077a4212893547a0a53222340b |
| SHA512 | 38b32a8ca8ffe5149c9f7597ee418b25fd0f2c59220e38d5de8bd3e6670aa33bf1818c77182efa1c382695b222799cbacca26ca704fde07ea2e343026a8f624e |
memory/4988-79-0x0000000007AF0000-0x0000000007B00000-memory.dmp
memory/4988-70-0x0000000007B00000-0x0000000007B92000-memory.dmp
memory/1832-69-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4928-246-0x0000000002980000-0x0000000002D7B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 61ae590d86d99d5dbc950d6c71a2879b |
| SHA1 | 87df214d2ae251fcea9940b69121d2b50b44391d |
| SHA256 | 7a8586dab123346ee9ec8fd0d51e8c02238873529cd08329f4336e62375bc5cd |
| SHA512 | a3db59df7071dd8eb81826148a8fb031ff8666803f72f5de3cab6a25094543b61effa50dfb8e6a7c9bad6a1c08fca8ef60d461e08a502f4f4676289544295ee6 |
memory/4988-248-0x0000000074430000-0x0000000074BE0000-memory.dmp
memory/4928-247-0x0000000002D80000-0x000000000366B000-memory.dmp
memory/4928-249-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | f6d782cd811b9d321a80c5e106b81aec |
| SHA1 | 33f0ad05b9fd11778b3056be69928e8c2b132f3b |
| SHA256 | 7b7d5dbd9a4edd21885c11cc77f7130cb732dac41c4fb6401cc87e1cbcf383a8 |
| SHA512 | f0148aac5f5fa0090432bcec152eb19838f02ea6a75db2fd0213402a74de34b34d12d361cd5350ba93879e0e2d44ecc99924481ebbd5f2b31cb72f2234952691 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | a8e8188aeacbdda049680a6e01045890 |
| SHA1 | 8e7550c10838f8fb8c3c110c7e592c920016af7d |
| SHA256 | 4899f4608a2cdeb7d09ad3aa499b5736a5e2457c7f22e3ce3a52436d1a709866 |
| SHA512 | 580773e099612eeacda8b58a10805d9e61cbac5fb489519b1e86b6f6d6aacec0b956bfd6ab8e3e627ad7ae6173fa5cf84361d1e6cb9cdc0a705e958be372793e |
memory/1488-250-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2416-254-0x00000000009F0000-0x00000000009F9000-memory.dmp
memory/1488-255-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2416-253-0x0000000000A20000-0x0000000000B20000-memory.dmp
memory/3300-252-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | d024c5050ec8b9873965c0488a6c3d6a |
| SHA1 | 1c32a24d1db43cc0d8c9567150f6a62428e4da1a |
| SHA256 | 0c7399c9bb7a539bdec5ed0313b073398c51a632937ab866e1ae05a63ae58c37 |
| SHA512 | 34fe95efe9ef2ec83371f1d11078ca0bb07bb05469807a23914fc1a1b841291e68fd3b140d150349b197345a797a72d78f9e34b4bbb2c61e8a402358ca774e7f |
memory/4988-43-0x0000000074430000-0x0000000074BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 16af3551c222f6847d365b2a07bdad7a |
| SHA1 | b0db2964261a78dbcafd83b4aa2c1f9651a23c58 |
| SHA256 | 8a4df24b49f2087b66865dd360edccac935a7fc7fdadffcebd4e6c1d6daca2a1 |
| SHA512 | ce071fed772c971e3207552f52c08870be757883c1b5490ad3087eef92bfecea69d6a35f62b17a44fcb1f574d907d14805f2faf3e4d773ab7fd9923bd0fa69a1 |
C:\Users\Admin\AppData\Local\Temp\75E9.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
memory/2852-257-0x0000000005270000-0x00000000052A6000-memory.dmp
memory/2852-259-0x0000000074430000-0x0000000074BE0000-memory.dmp
memory/4988-261-0x0000000007AF0000-0x0000000007B00000-memory.dmp
memory/2852-260-0x0000000005300000-0x0000000005310000-memory.dmp
memory/2852-262-0x0000000005F70000-0x0000000005F92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kuq42npw.czl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2852-273-0x0000000006330000-0x0000000006396000-memory.dmp
memory/2852-274-0x00000000063F0000-0x0000000006744000-memory.dmp
memory/2852-263-0x0000000006120000-0x0000000006186000-memory.dmp
memory/2852-275-0x00000000067F0000-0x000000000680E000-memory.dmp
memory/2852-258-0x0000000005940000-0x0000000005F68000-memory.dmp
memory/1832-256-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | d1738894304dbfec20865c0f6c3e5476 |
| SHA1 | 5ba51bf18b55b65d927c9f5f1245baecaad1f131 |
| SHA256 | 601e730369184de36a4ccc1a489786404fb2cac1674807b945f7b1d2e6d0dc12 |
| SHA512 | ebc07d2c55f4d67bf7cf55610696c75b410e566a539325e24fbccdd60d4482c608c6bae1bffc0732074f597aaa7eddc823f527155356e34a2cc6c1c27839942d |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
memory/2852-276-0x0000000006D50000-0x0000000006D94000-memory.dmp
memory/2852-277-0x0000000007B20000-0x0000000007B96000-memory.dmp
memory/2852-278-0x0000000008220000-0x000000000889A000-memory.dmp
memory/2852-279-0x0000000007BC0000-0x0000000007BDA000-memory.dmp
memory/2852-280-0x0000000007D70000-0x0000000007DA2000-memory.dmp
memory/2852-283-0x000000006C410000-0x000000006C764000-memory.dmp
memory/2852-293-0x0000000007DB0000-0x0000000007DCE000-memory.dmp
memory/2852-295-0x0000000007DD0000-0x0000000007E73000-memory.dmp
memory/2852-294-0x0000000005300000-0x0000000005310000-memory.dmp
memory/2852-296-0x0000000007EC0000-0x0000000007ECA000-memory.dmp
memory/2852-282-0x0000000071440000-0x000000007148C000-memory.dmp
memory/2852-297-0x0000000007F80000-0x0000000008016000-memory.dmp
memory/2852-281-0x000000007F650000-0x000000007F660000-memory.dmp
memory/4988-299-0x0000000009590000-0x0000000009752000-memory.dmp
memory/4988-300-0x0000000009C90000-0x000000000A1BC000-memory.dmp
memory/2852-298-0x0000000007EE0000-0x0000000007EF1000-memory.dmp
memory/2852-302-0x0000000007F30000-0x0000000007F44000-memory.dmp
memory/2852-301-0x0000000007F20000-0x0000000007F2E000-memory.dmp
memory/2852-303-0x0000000008020000-0x000000000803A000-memory.dmp
memory/2852-304-0x0000000007F60000-0x0000000007F68000-memory.dmp
memory/2852-307-0x0000000074430000-0x0000000074BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 16879ee8a51ab934d7b9a36b0d9a6290 |
| SHA1 | 1d5325273172eb91427cadd4c0336e8009bcc414 |
| SHA256 | 3ccf19097a58b6480513591b977231ce2548274027bf805e85619aa62933839b |
| SHA512 | 7fcc5733e0151c967b1e0564b92863dc21fb7db4b9bd0e71656ed2995661888055e24c257cf7e7313538b00610b8aabccf1f7cddd565baa3bcba9dbaa0014c3c |
memory/4988-309-0x000000000ACC0000-0x000000000AD10000-memory.dmp
memory/3464-310-0x00000000023D0000-0x00000000023E6000-memory.dmp
memory/3300-314-0x0000000000400000-0x0000000000965000-memory.dmp
memory/1488-315-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1480-319-0x00007FF769EF0000-0x00007FF76A491000-memory.dmp
memory/2368-320-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/4736-321-0x0000000002950000-0x0000000002D53000-memory.dmp
memory/4928-316-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3376-338-0x0000000000400000-0x0000000000785000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 623c6adef0ccf0148227d52201b422c4 |
| SHA1 | c8905c734c8e0f9c3e61386f4605059c2a677c20 |
| SHA256 | 630eb97ff99677084eb6842d87cc2f01e1466c15b5b9226195fef6d205a40b0c |
| SHA512 | ccb5255c72c51f11b17730e6c976d97a2a98de256aa200830e428e2fe8b5a83a4ff97cc4bc25d437abe346d1276eb9a8d22adcc77c45595c560473ae7768d004 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 47e9e212f6b2f89bb4c68312d944b3f3 |
| SHA1 | 31efc7fbb5e6279fc46165ddaa15262564d0b0e7 |
| SHA256 | 3850b510d5ce3de0e6a4706ae358e36c9f49a17406d51c22152c1d9cdcaabc21 |
| SHA512 | 0457ab49ace23ac68db196ee72578ba3f57ff7c98e3d174b49b8e6900c6fe64d3d885eec46ccbbdc90651f05d2c16ee31473d6e24d7e65535463ee985fd7591d |
C:\Users\Admin\AppData\Local\Temp\BED9.exe
| MD5 | aea4a3521885b37a1c8980c57b302a64 |
| SHA1 | 5c1cd6f4fe19cb915eb3a9b3e1d9cab7ee6ff066 |
| SHA256 | 3d1ece4cee96c27d631b70743ca0942df77d2a4803a2a51e415ae4a061889fec |
| SHA512 | 67445b50ffd4745bdd8d62cf05ee6c45dea641ec0eafd6802a9d94843a5c1282248c65bb69cb9653f220e163c98f256b63f56fdddc73f062b3d1cea11d170b01 |
C:\Windows\rss\csrss.exe
| MD5 | de0dd35b3899dae68747a9dbbd934d34 |
| SHA1 | 35d84875b44b556b97f6f745ca8295e143cd1fb5 |
| SHA256 | 35932ee4f0b02fc344fd732693ade07c3555d1e69b3e80f4c1d951768a1fa230 |
| SHA512 | 4a870ba45c16be213a9d6b2b02b069639a3352201290edb02129a1d1f5c355b3fda876cb987f4e18785ec803039fddb8aa6fa7f369e34395abd96278a4ed7cb1 |
C:\Windows\rss\csrss.exe
| MD5 | 53bbd25330d69c35def552abef17c727 |
| SHA1 | d33e31b708892c76da146c283b806e1c301a1199 |
| SHA256 | 10c74d04d16111135e5b82f5f507d652d5b4d72b99ff26071d28083e1ce671c1 |
| SHA512 | 56966fbd3784f93dcf47fb5e0f39515ad65577c3a2ce01a5e8d5f54bb4b50c07ef97ebf7c9811d230954ce26048449635404558fdf1c28276f4ca4f39a57311d |