Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 65s
  • max time network: 127s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231201-en
  • resource tags: arch:x64 arch:x86 image:win10v2004-20231201-en locale:en-us os:windows10-2004-x64 system
  • submitted: 11/12/2023, 03:21

General

  • Target: ac026bee297cb9c7852863cb13154b84.exe
  • Size: 37KB
  • MD5: ac026bee297cb9c7852863cb13154b84
  • SHA1: aa76e5d1598afe2e1f7d55c5d1728857bea263c7
  • SHA256: eb8fdac6122db3911fb94887b8b56997a7eace7e65158d681906f194bfe3979d
  • SHA512: 0a51efec9448885f2dd1aa4da2fa5569aa8c743c78098c1542641283b814338d8d196d5839697a44142044c819ef48cf48122d80a9b82c81b72574ba157836e3
  • SSDEEP: 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Malware Config

Extracted

  • Family: smokeloader
  • Version: 2022
  • C2: http://81.19.131.34/fks/index.php
  • rc4.i32
  • rc4.i32

Extracted

  • Family: redline
  • Botnet: LiveTraffic
  • C2: 77.105.132.87:6731

Extracted

  • Family: redline
  • Botnet: @oleh_ps
  • C2: 176.123.7.190:32927

Extracted

  • Family: smokeloader
  • Botnet: up3

Extracted

  • Family: smokeloader
  • Version: 2020
  • C2: http://host-file-host6.com/
  • C2: http://host-host-file8.com/
  • rc4.i32
  • rc4.i32

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe
    "C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:5072
  • C:\Users\Admin\AppData\Local\Temp\9B27.exe
    C:\Users\Admin\AppData\Local\Temp\9B27.exe
    1⤵
    • Executes dropped EXE
    PID:3616
  • C:\Users\Admin\AppData\Local\Temp\308D.exe
    C:\Users\Admin\AppData\Local\Temp\308D.exe
    1⤵
    PID:1872
      • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
        2⤵
        PID:5052
          • C:\Users\Admin\AppData\Local\Temp\Broom.exe
            C:\Users\Admin\AppData\Local\Temp\Broom.exe
            3⤵
            PID:1392
      • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        2⤵
        PID:3256
          • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
            "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
            3⤵
            PID:3680
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 332
                4⤵
                • Program crash
                PID:624
      • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        2⤵
        PID:916
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            3⤵
            PID:2596
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 2488
                4⤵
                • Program crash
                PID:3280
          • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
            "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
            3⤵
            PID:4292
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                4⤵
                PID:800
              • C:\Windows\system32\cmd.exe
                C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                4⤵
                PID:4744
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                4⤵
                PID:4316
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                4⤵
                PID:2204
              • C:\Windows\rss\csrss.exe
                C:\Windows\rss\csrss.exe
                4⤵
                PID:4412
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    5⤵
                    PID:4708
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    5⤵
                    PID:5108
                  • C:\Windows\SYSTEM32\schtasks.exe
                    schtasks /delete /tn ScheduledUpdate /f
                    5⤵
                    PID:1468
                  • C:\Windows\SYSTEM32\schtasks.exe
                    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                    5⤵
                    • Creates scheduled task(s)
                    PID:4632
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    5⤵
                    PID:1632
                  • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                    5⤵
                    PID:4056
      • C:\Users\Admin\AppData\Local\Temp\latestX.exe
        "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
        2⤵
        PID:3768
      • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
        "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
        2⤵
        PID:2172
  • C:\Users\Admin\AppData\Local\Temp\is-EHFDU.tmp\tuc3.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-EHFDU.tmp\tuc3.tmp" /SL5="$9011C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    1⤵
    PID:5088
      • C:\Program Files (x86)\xrecode3\xrecode3.exe
        "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
        2⤵
        PID:2872
      • C:\Program Files (x86)\xrecode3\xrecode3.exe
        "C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
        2⤵
        PID:2528
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\system32\net.exe" helpmsg 1
        2⤵
        PID:4364
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 helpmsg 1
            3⤵
            PID:800
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Query
        2⤵
        PID:624
  • C:\Users\Admin\AppData\Local\Temp\3996.exe
    C:\Users\Admin\AppData\Local\Temp\3996.exe
    1⤵
    PID:620
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2596 -ip 2596
    1⤵
    PID:1652
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3680 -ip 3680
    1⤵
    PID:4216
  • C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    1⤵
    • Modifies Windows Firewall
    PID:1548

Network

MITRE ATT&CK Enterprise v15

Downloads


                                                              Filesize

                                                              13KB

                                                              MD5

                                                              a813d18268affd4763dde940246dc7e5

                                                              SHA1

                                                              c7366e1fd925c17cc6068001bd38eaef5b42852f

                                                              SHA256

                                                              e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

                                                              SHA512

                                                              b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

                                                            • C:\Users\Admin\AppData\Local\Temp\is-EHFDU.tmp\tuc3.tmp

                                                              Filesize

                                                              167KB

                                                              MD5

                                                              712afcd5e30de380ac431814d0deee5a

                                                              SHA1

                                                              d885294a6bbd896c1ebf3ea822fe8c6d44a62dee

                                                              SHA256

                                                              1df8e894a514bcfef9d7e892392e1cd4fec8a564648e03c7dd8661a250b207f6

                                                              SHA512

                                                              f8b9afd2513db22da0fcc5656b07d4c10828521ff8feff36fae4d3fb9cdd26c53d929f0ff87d20aea112bd12da1cd566c8a760dfa1edad617500713baaabe2d0

                                                            • C:\Users\Admin\AppData\Local\Temp\is-EHFDU.tmp\tuc3.tmp

                                                              Filesize

                                                              57KB

                                                              MD5

                                                              652ab59cef3bcb3765b8129b001b1b17

                                                              SHA1

                                                              1d16e83d79acc757fb396531fc4dfeb12d171cc6

                                                              SHA256

                                                              d91ca1190d3e0ccc89c74e9edeafb9a99a9c37b9f17faaef0c0833509e184960

                                                              SHA512

                                                              d48d6c471b1d5be8835314dd1b7acbac2d2d941d808421c561ac476450f1ec5ea977b41b469384e252369ccbcd57936340bb582d6626541979e59ee2b501286c

                                                            • C:\Users\Admin\AppData\Local\Temp\latestX.exe

                                                              Filesize

                                                              174KB

                                                              MD5

                                                              8f4f41a6936b8a40a737d33a2792ae86

                                                              SHA1

                                                              a0faf2a34ad2b506770d0458f5c9ba1034a34b4a

                                                              SHA256

                                                              e44db5a8ba3814fd1d22e034ecbf8cf1ed7a1256c5a358de4b54c88b8e371919

                                                              SHA512

                                                              7afb253639dbb9405e467941fa192ebf4c46fc2dd7ecb7aca24c92c405642ab87a914a2c834eff85be5fc67593192f24b8bc17f2b714245e6696c244ba8ab5ee

                                                            • C:\Users\Admin\AppData\Local\Temp\latestX.exe

                                                              Filesize

                                                              159KB

                                                              MD5

                                                              cf1b6bebe1ed5375e98fc6ad89735f20

                                                              SHA1

                                                              18ddc0c11d62b9a03046bd466e1c18d78df6f02c

                                                              SHA256

                                                              fbefcb77da5fc287feded9e2fa9cf9bbac740f198f575ba8736417270013d744

                                                              SHA512

                                                              6613e106f38dff23c381ab912b3f012680d826a0eca8277545cddfd59f96fa1b007d057a5de183dbfc7ecffe7f354f553de0651fd408d3eed2c931348dc7e37e

                                                            • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

                                                              Filesize

                                                              79KB

                                                              MD5

                                                              ecdf513bb554ba406139c62a0a00616b

                                                              SHA1

                                                              9e32436406e87d503bdf8dbb3c7432b02553aeb0

                                                              SHA256

                                                              953bc012e06c45a206f27e16cb82c4937a2b43ee8c973f9e9bf758541f9aa069

                                                              SHA512

                                                              36a84180d0fe4f9198d965826e755dcf822c66be60c061d3fa1438154985ab5b7411637b69b410a9f55416e1d591c0515a14bd694c007c03de28db87be6423c4

                                                            • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

                                                              Filesize

                                                              291KB

                                                              MD5

                                                              cde750f39f58f1ec80ef41ce2f4f1db9

                                                              SHA1

                                                              942ea40349b0e5af7583fd34f4d913398a9c3b96

                                                              SHA256

                                                              0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094

                                                              SHA512

                                                              c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

                                                            • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

                                                              Filesize

                                                              192KB

                                                              MD5

                                                              47ea0efec743a834c67c2b99fe32c520

                                                              SHA1

                                                              027823cc0acf78e9a288e6e7c7106e2222c4a73e

                                                              SHA256

                                                              9d856631213a7bc531a5f69748c1cc49cdcc70e1e2fc2e26e742b41aec66d7d4

                                                              SHA512

                                                              6365932e98378391fc3ac5c977899d321c7aa9801b2ab6b73c678ce038a5212be6a4e261331fe6619f963207487b95cdd1af9578277a9236c37cdab0d3c86415

                                                            • C:\Users\Admin\AppData\Local\Temp\tuc3.exe

                                                              Filesize

                                                              228KB

                                                              MD5

                                                              af54260b759f724c765b9ce871cdeb4f

                                                              SHA1

                                                              d0ade5f928039977a0e903bf9f1b8a22d5791b8f

                                                              SHA256

                                                              6d0b6c371e5ac508a685227974176cf409a03542082689ce11290736b0a66a54

                                                              SHA512

                                                              9591527a113d18364d8b3fab9db140f4b5ea525099376e924de06733469fc0f3710f2d5326a33ba6858f49202a097e0310530bb3d96945c53682348ad95ddb2d

                                                            • C:\Users\Admin\AppData\Local\Temp\tuc3.exe

                                                              Filesize

                                                              252KB

                                                              MD5

                                                              4bd0e5aadc04808de4b798fcc1a8fe32

                                                              SHA1

                                                              4ab3c72875908b91ef6683db3cd472062dd43163

                                                              SHA256

                                                              e25e7c6d9717ac4e86ac5b601e79756cf57605febd87c5baffb327903c3c36b6

                                                              SHA512

                                                              8d7b2f80473ef3f25ecc02b585cb8add7fabbe64e1d14ffe453acd6dae92eaea3bbf4671d56cbb8bc300a58e2c792d3db7ff7a13f1915509b49e7bfcf1b695bf

                                                            • C:\Users\Admin\AppData\Local\Temp\tuc3.exe

                                                              Filesize

                                                              244KB

                                                              MD5

                                                              8dfd21662d96552d4a24cc93e79dc7c5

                                                              SHA1

                                                              a353c532c7e5df320ccf6e57ab4dc3c8089f4b6f

                                                              SHA256

                                                              7c9affb9aaced37f7e22ca5e5ea87a82bba3e1743f892a7b027abc84d35bf2cb

                                                              SHA512

                                                              f8f52b4f0273b7bc714727396f8b8076caa59e005e83a05690005bb1a199c441c703c078e2acf81f82aa00b7cea493a73fe082c485b536f6e00034d24451a5c6

                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                                              Filesize

                                                              2KB

                                                              MD5

                                                              3d086a433708053f9bf9523e1d87a4e8

                                                              SHA1

                                                              b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

                                                              SHA256

                                                              6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

                                                              SHA512

                                                              931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                              Filesize

                                                              19KB

                                                              MD5

                                                              8e7c5f23cbbca6446b0182750a8eda63

                                                              SHA1

                                                              ae508e3ea0470fe926328a625bed316ca6c45500

                                                              SHA256

                                                              39a09deea790afaee7d9eea8ff32a54017e6d6a3ec203e16b67f3fc881ea68ef

                                                              SHA512

                                                              f6ea21ea3df44b6c90aea8cedf8da57a461f95bba5c260a4d63ab30723b8923a782666979f094753207339b3c34981a2ecd7c15c62b80b6cfc587a33409665d2

                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                              Filesize

                                                              19KB

                                                              MD5

                                                              2b96987dfdfa4700badfc5f3b8d2bdbe

                                                              SHA1

                                                              0882bed41ee55f7364933df245686d6f16517368

                                                              SHA256

                                                              50f97537e122b19d74950c583713c4d00eb0502f201e297dfc7531739538f29e

                                                              SHA512

                                                              20ded1f8b5fcfe1611565c6c9d937c545b53db5e45d5673fdb3cfff5b3eb1c0e74a1114a7b9e6881955adf2619f65a6c4617a98fc1a8fa6993048999a86bb635

                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                              Filesize

                                                              19KB

                                                              MD5

                                                              d1aa9172b122efe5246e9ca1eae06c3a

                                                              SHA1

                                                              88b6ed067de6d46b34e9cce3f9e50fab3cb56f1f

                                                              SHA256

                                                              09f6321f87aa7266ff645c05a697b9dbcf45067fce78e49a051381b533f58cac

                                                              SHA512

                                                              b1d1bea6bb6c3860f305d3bccb8df2bce4a316e8ac67c75754d2cebaf6f55c562f31e64eed4ddd11fd9954a39010e8dc8e1f1fb5527c458b7296c28c800cdf32

                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                              Filesize

                                                              19KB

                                                              MD5

                                                              50f7f6038ad542b68e8055344532522f

                                                              SHA1

                                                              9d7d7fd90edf29dc97cc9e03598c0136c557433f

                                                              SHA256

                                                              62d1d7c0d196edeee9836ec0868332795797c64bf076255c3843a8ef9ff065f7

                                                              SHA512

                                                              887e44e9489e38b32840cf3739ee0c6b85d69970823a32304ce56646f1f5765941ecfab426c012b1b4fe4dd9f6d9276263fd410703234770e97be43a8dfa3509

                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                              Filesize

                                                              19KB

                                                              MD5

                                                              6abe1ced015737dce24a11f5ec82ffb0

                                                              SHA1

                                                              7aab6961a14d3e671ab6caeefc163958bfdda6c7

                                                              SHA256

                                                              de854bdb91ea10346b337ce74c66fbb30949f4c71922c99e27055cba0204bdf6

                                                              SHA512

                                                              72b1d66ba3270ba033b9be9fe8a40e058b94d3f6736a2f68fd0b79c6049b102ab85435651814de13dc63b0ec4988d5e79dc6129e9b0edcde7e7fa6f2c3c3b467

                                                            • C:\Windows\rss\csrss.exe

                                                              Filesize

                                                              94KB

                                                              MD5

                                                              3bb1c856de43c2297159851dfc158acd

                                                              SHA1

                                                              a8ff3e007d058ddf8f105baf1e9b36ea856dbafe

                                                              SHA256

                                                              72ebef62bda30f5b6cd178e35da2125e7b2e23d0f810f3203728166ed2daf847

                                                              SHA512

                                                              ed61a8915ac93b1426c5cd4d2fa8b7a89c858c838a858573bf7977c213f77e0216ab5b40eb6fb3247b7f0ca2fc51938793684265c94e92f5bc06b72ffbd9947f

                                                            • C:\Windows\rss\csrss.exe

                                                              Filesize

                                                              217KB

                                                              MD5

                                                              c215817f37a3bbe38100dbb406f033d2

                                                              SHA1

                                                              7af52df5ac50bd1360448713d89aef79edca492b

                                                              SHA256

                                                              dcf637c6d3595b47ca49ece7739a93a1295c9f6382832eccd7b7e9f47cca6fb5

                                                              SHA512

                                                              000100b77146a3d1da7778f1f0316491a92eaa1f6f4b5d35e97b25975358f338d4ba7f1e7ad1b9858bd41cb892828ed8329a9e3b7f44e46d8efedbb5ae789699

                                                            • memory/620-248-0x00000000002B0000-0x00000000002EC000-memory.dmp

                                                              Filesize

                                                              240KB

                                                            • memory/620-254-0x0000000007190000-0x00000000071A0000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/620-266-0x00000000744A0000-0x0000000074C50000-memory.dmp

                                                              Filesize

                                                              7.7MB

                                                            • memory/620-309-0x0000000007190000-0x00000000071A0000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/620-249-0x00000000744A0000-0x0000000074C50000-memory.dmp

                                                              Filesize

                                                              7.7MB

                                                            • memory/800-313-0x00000000744A0000-0x0000000074C50000-memory.dmp

                                                              Filesize

                                                              7.7MB

                                                            • memory/800-320-0x00000000053F0000-0x0000000005400000-memory.dmp

                                                              Filesize

                                                              64KB

                                                            • memory/916-257-0x0000000002D80000-0x000000000366B000-memory.dmp

                                                              Filesize

                                                              8.9MB

                                                            • memory/916-310-0x0000000002970000-0x0000000002D75000-memory.dmp

                                                              Filesize

                                                              4.0MB

                                                            • memory/916-331-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                              Filesize

                                                              9.1MB

                                                            • memory/916-256-0x0000000002970000-0x0000000002D75000-memory.dmp

                                                              Filesize

                                                              4.0MB

                                                            • memory/916-259-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                              Filesize

                                                              9.1MB

                                                            • memory/1392-75-0x0000000002720000-0x0000000002721000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/1392-258-0x0000000002720000-0x0000000002721000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/1392-330-0x0000000000400000-0x0000000000965000-memory.dmp

                                                              Filesize

                                                              5.4MB

                                                            • memory/1872-35-0x00000000744A0000-0x0000000074C50000-memory.dmp

                                                              Filesize

                                                              7.7MB

                                                            • memory/1872-36-0x0000000000DE0000-0x0000000002296000-memory.dmp

                                                              Filesize

                                                              20.7MB

                                                            • memory/1872-93-0x00000000744A0000-0x0000000074C50000-memory.dmp

                                                              Filesize

                                                              7.7MB

                                                            • memory/2172-79-0x0000000000400000-0x0000000000414000-memory.dmp

                                                              Filesize

                                                              80KB

                                                            • memory/2172-262-0x0000000000400000-0x0000000000414000-memory.dmp

                                                              Filesize

                                                              80KB

                                                            • memory/2528-289-0x0000000000400000-0x0000000000785000-memory.dmp

                                                              Filesize

                                                              3.5MB

                                                            • memory/2528-252-0x0000000000400000-0x0000000000785000-memory.dmp

                                                              Filesize

                                                              3.5MB

                                                            • memory/2528-518-0x0000000000400000-0x0000000000785000-memory.dmp

                                                              Filesize

                                                              3.5MB

                                                            • memory/2528-370-0x0000000000400000-0x0000000000785000-memory.dmp

                                                              Filesize

                                                              3.5MB

                                                            • memory/2596-284-0x00000000066D0000-0x00000000066EE000-memory.dmp

                                                              Filesize

                                                              120KB

                                                            • memory/2596-269-0x00000000057B0000-0x0000000005DD8000-memory.dmp

                                                              Filesize

                                                              6.2MB

                                                            • memory/2596-293-0x000000006C150000-0x000000006C4A4000-memory.dmp

                                                              Filesize

                                                              3.3MB

                                                            • memory/2596-267-0x0000000005120000-0x0000000005156000-memory.dmp

                                                              Filesize

                                                              216KB

                                                            • memory/2596-270-0x0000000005710000-0x0000000005732000-memory.dmp

                                                              Filesize

                                                              136KB

• memory/2596-279-0x0000000006020000-0x0000000006086000-memory.dmp (Filesize 408KB)
• memory/2596-282-0x0000000005170000-0x0000000005180000-memory.dmp (Filesize 64KB)
• memory/2596-283-0x00000000062B0000-0x0000000006604000-memory.dmp (Filesize 3.3MB)
• memory/2596-271-0x0000000005170000-0x0000000005180000-memory.dmp (Filesize 64KB)
• memory/2596-306-0x00000000744A0000-0x0000000074C50000-memory.dmp (Filesize 7.7MB)
• memory/2596-303-0x0000000007CA0000-0x0000000007CBE000-memory.dmp (Filesize 120KB)
• memory/2596-305-0x0000000007DB0000-0x0000000007DBA000-memory.dmp (Filesize 40KB)
• memory/2596-268-0x00000000744A0000-0x0000000074C50000-memory.dmp (Filesize 7.7MB)
• memory/2596-291-0x000000007FBE0000-0x000000007FBF0000-memory.dmp (Filesize 64KB)
• memory/2596-292-0x000000006DA40000-0x000000006DA8C000-memory.dmp (Filesize 304KB)
• memory/2596-285-0x0000000006C40000-0x0000000006C84000-memory.dmp (Filesize 272KB)
• memory/2596-286-0x0000000007A10000-0x0000000007A86000-memory.dmp (Filesize 472KB)
• memory/2596-288-0x0000000007AB0000-0x0000000007ACA000-memory.dmp (Filesize 104KB)
• memory/2596-287-0x0000000008110000-0x000000000878A000-memory.dmp (Filesize 6.5MB)
• memory/2596-290-0x0000000007C60000-0x0000000007C92000-memory.dmp (Filesize 200KB)
• memory/2596-304-0x0000000007CC0000-0x0000000007D63000-memory.dmp (Filesize 652KB)
• memory/2872-240-0x0000000000400000-0x0000000000785000-memory.dmp (Filesize 3.5MB)
• memory/2872-246-0x0000000000400000-0x0000000000785000-memory.dmp (Filesize 3.5MB)
• memory/3256-264-0x0000000000810000-0x0000000000819000-memory.dmp (Filesize 36KB)
• memory/3256-263-0x00000000008B8000-0x00000000008CB000-memory.dmp (Filesize 76KB)
• memory/3516-314-0x0000000007270000-0x0000000007286000-memory.dmp (Filesize 88KB)
• memory/3516-1-0x0000000002430000-0x0000000002446000-memory.dmp (Filesize 88KB)
• memory/3616-20-0x0000000007830000-0x0000000007840000-memory.dmp (Filesize 64KB)
• memory/3616-28-0x000000000B070000-0x000000000B0D6000-memory.dmp (Filesize 408KB)
• memory/3616-243-0x0000000007830000-0x0000000007840000-memory.dmp (Filesize 64KB)
• memory/3616-30-0x000000000BBF0000-0x000000000C11C000-memory.dmp (Filesize 5.2MB)
• memory/3616-12-0x00000000005A0000-0x00000000005DC000-memory.dmp (Filesize 240KB)
• memory/3616-25-0x0000000008AB0000-0x0000000008AC2000-memory.dmp (Filesize 72KB)
• memory/3616-27-0x000000000A3D0000-0x000000000A41C000-memory.dmp (Filesize 304KB)
• memory/3616-21-0x0000000002A70000-0x0000000002A7A000-memory.dmp (Filesize 40KB)
• memory/3616-26-0x000000000A390000-0x000000000A3CC000-memory.dmp (Filesize 240KB)
• memory/3616-17-0x00000000744A0000-0x0000000074C50000-memory.dmp (Filesize 7.7MB)
• memory/3616-19-0x0000000007640000-0x00000000076D2000-memory.dmp (Filesize 584KB)
• memory/3616-109-0x00000000744A0000-0x0000000074C50000-memory.dmp (Filesize 7.7MB)
• memory/3616-24-0x000000000A460000-0x000000000A56A000-memory.dmp (Filesize 1.0MB)
• memory/3616-18-0x0000000007B40000-0x00000000080E4000-memory.dmp (Filesize 5.6MB)
• memory/3616-29-0x000000000B4F0000-0x000000000B6B2000-memory.dmp (Filesize 1.8MB)
• memory/3616-22-0x0000000008AD0000-0x00000000090E8000-memory.dmp (Filesize 6.1MB)
• memory/3680-265-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
• memory/3680-328-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
• memory/3680-260-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
• memory/3768-355-0x00007FF7809B0000-0x00007FF780F51000-memory.dmp (Filesize 5.6MB)
• memory/4292-448-0x0000000000400000-0x0000000000D1C000-memory.dmp (Filesize 9.1MB)
• memory/4292-312-0x0000000000400000-0x0000000000D1C000-memory.dmp (Filesize 9.1MB)
• memory/4292-311-0x0000000002A30000-0x0000000002E2D000-memory.dmp (Filesize 4.0MB)
• memory/5072-0-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize 44KB)
• memory/5072-2-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize 44KB)
• memory/5088-110-0x0000000000600000-0x0000000000601000-memory.dmp (Filesize 4KB)
• memory/5088-356-0x0000000000400000-0x00000000004BD000-memory.dmp (Filesize 756KB)
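The dump list above is the raw material for deciding which of these roughly fifty files to open first. As an added example that is not part of the tria.ge report, the Python below parses the dump names (the field layout memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is inferred from the names themselves, not taken from tria.ge documentation), recomputes each region's length to cross-check the Filesize column, and pulls out three triage signals: a range dumped from more than one PID (0x744A0000-0x74C50000 appears under both 2596 and 3616, which reads like a shared module mapping rather than a per-process payload), the same range snapshotted repeatedly within one PID (3680 at 0x400000 three times, the snapshots you diff to watch in-place unpacking), and dumps starting at the default 32-bit PE image base 0x400000, the usual first stop when looking for an unpacked payload. The sample list is a subset of the entries on this page; the size formatting only approximates how the report displays sizes.

```python
import re
from collections import defaultdict

# Dump names are taken from the listing above. The field layout
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is read off the names
# themselves and is an assumption about how tria.ge constructs them.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (dump name, Filesize as shown in the report): a subset of the page's entries.
REPORTED = [
    ("memory/2596-279-0x0000000006020000-0x0000000006086000-memory.dmp", "408KB"),
    ("memory/2596-283-0x00000000062B0000-0x0000000006604000-memory.dmp", "3.3MB"),
    ("memory/2596-268-0x00000000744A0000-0x0000000074C50000-memory.dmp", "7.7MB"),
    ("memory/2596-306-0x00000000744A0000-0x0000000074C50000-memory.dmp", "7.7MB"),
    ("memory/2872-240-0x0000000000400000-0x0000000000785000-memory.dmp", "3.5MB"),
    ("memory/3616-17-0x00000000744A0000-0x0000000074C50000-memory.dmp", "7.7MB"),
    ("memory/3680-260-0x0000000000400000-0x0000000000409000-memory.dmp", "36KB"),
    ("memory/3680-265-0x0000000000400000-0x0000000000409000-memory.dmp", "36KB"),
    ("memory/3680-328-0x0000000000400000-0x0000000000409000-memory.dmp", "36KB"),
    ("memory/3768-355-0x00007FF7809B0000-0x00007FF780F51000-memory.dmp", "5.6MB"),
    ("memory/4292-312-0x0000000000400000-0x0000000000D1C000-memory.dmp", "9.1MB"),
    ("memory/5072-0-0x0000000000400000-0x000000000040B000-memory.dmp", "44KB"),
    ("memory/5088-110-0x0000000000600000-0x0000000000601000-memory.dmp", "4KB"),
    ("memory/5088-356-0x0000000000400000-0x00000000004BD000-memory.dmp", "756KB"),
]


def parse_dump(name):
    """Split a dump name into pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Approximate the report's display: whole KiB below 1 MiB, one-decimal MiB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def size_mismatches(entries):
    """Names whose shown Filesize disagrees with end - start (sanity check on the listing)."""
    return [name for name, shown in entries
            if human_size(parse_dump(name)["size"]) != shown]


def shared_regions(names):
    """Ranges dumped from more than one PID -> sorted PIDs.
    The same base and size in several processes usually means a shared module
    mapping rather than a per-process payload, so one copy is enough to analyse."""
    pids = defaultdict(set)
    for name in names:
        d = parse_dump(name)
        pids[(d["start"], d["end"])].add(d["pid"])
    return {rng: sorted(p) for rng, p in pids.items() if len(p) > 1}


def repeated_in_pid(names):
    """Same range dumped repeatedly within one PID -> sequence numbers in order.
    Successive snapshots of one region are what you diff to watch in-place unpacking."""
    seqs = defaultdict(list)
    for name in names:
        d = parse_dump(name)
        seqs[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return {k: sorted(v) for k, v in seqs.items() if len(v) > 1}


def image_base_dumps(names, base=0x400000):
    """Dumps whose region starts at the default 32-bit PE image base; in a
    sandbox run these are the first place to look for an unpacked payload."""
    return [n for n in names if parse_dump(n)["start"] == base]


if __name__ == "__main__":
    names = [n for n, _ in REPORTED]
    print("size mismatches:", size_mismatches(REPORTED))
    for (s, e), pids in shared_regions(names).items():
        print(f"shared 0x{s:X}-0x{e:X} in PIDs {pids}")
    for (pid, s, e), seqs in repeated_in_pid(names).items():
        print(f"PID {pid} region 0x{s:X}-0x{e:X} dumped {len(seqs)}x: seq {seqs}")
    print("image-base dumps:", image_base_dumps(names))
```

Run against the full listing rather than the subset embedded here, the same three functions shrink the fifty dumps to a handful worth opening: one copy of each shared mapping, the last snapshot of each repeatedly dumped region, and the 0x400000-based regions from the processes that were spawned or injected into.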