Malware Analysis Report

2025-03-15 05:12

Sample ID 231211-h2bw7ahec8
Target XO0UY05.exe
SHA256 cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718
Tags
privateloader redline risepro smokeloader @oleh_ps livetraffic up3 backdoor collection discovery evasion infostealer loader persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718

Threat Level: Known bad

The file XO0UY05.exe was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

RedLine payload

RisePro

PrivateLoader

RedLine

Downloads MZ/PE file

Modifies Windows Firewall

Loads dropped DLL

Reads user/profile data of local email clients

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Program crash

Unsigned PE

Enumerates physical storage devices

outlook_win_path

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Runs net.exe

Checks SCSI registry key(s)

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 07:13

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 07:13

Reported

2023-12-11 07:16

Platform

win7-20231130-en

Max time kernel

69s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe"

Signatures

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9119.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1080 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 1080 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 1080 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 1080 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 1080 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 1080 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 1080 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 2052 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 1080 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 1080 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 1080 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 1080 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 1080 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 1080 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 1080 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 1300 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\Temp\9119.exe
PID 1300 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\Temp\9119.exe
PID 1300 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\Temp\9119.exe
PID 1300 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\Temp\9119.exe
PID 1300 wrote to memory of 1292 N/A N/A C:\Users\Admin\AppData\Local\Temp\2AD9.exe
PID 1300 wrote to memory of 1292 N/A N/A C:\Users\Admin\AppData\Local\Temp\2AD9.exe
PID 1300 wrote to memory of 1292 N/A N/A C:\Users\Admin\AppData\Local\Temp\2AD9.exe
PID 1300 wrote to memory of 1292 N/A N/A C:\Users\Admin\AppData\Local\Temp\2AD9.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe

"C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe

C:\Users\Admin\AppData\Local\Temp\9119.exe

C:\Users\Admin\AppData\Local\Temp\9119.exe

C:\Users\Admin\AppData\Local\Temp\2AD9.exe

C:\Users\Admin\AppData\Local\Temp\2AD9.exe

C:\Users\Admin\AppData\Local\Temp\2CBD.exe

C:\Users\Admin\AppData\Local\Temp\2CBD.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-GK82F.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GK82F.tmp\tuc3.tmp" /SL5="$6009A,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211071446.log C:\Windows\Logs\CBS\CbsPersist_20231211071446.cab

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\4972.exe

C:\Users\Admin\AppData\Local\Temp\4972.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.maxmind.com udp
US 104.18.146.235:80 www.maxmind.com tcp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 tcp
MD 176.123.7.190:32927 tcp
US 20.150.70.36:443 tcp
US 204.79.197.219:443 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

MD5 9b10f741fad1d0dd09b89dc6638833ae
SHA1 1f0ffa6f136cd5433f202c9c79ce5956796b4151
SHA256 1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6
SHA512 4c83e0b137338a8685481623e592d10039ff15032f059b1e200f8e6a7810978e2eb5047604d12c31923761a0e46146c01fcabc871b8748b61a546bd1a32891f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar2409.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\grandUIAwaENBBZhSDRmg\information.txt

MD5 b196e036bb43ecdc7cadf57ce731bdcb
SHA1 a17bb756d3e6e995b9eeaea6de97e9df2e92553a
SHA256 f1694f81b4a062a6033eec935aab54ab25f4c55c0fe1ae4cd5cba11fb9ad517b
SHA512 f114d2aa76ea61c4ea42e14a3ecb994b8434701a69a969c9872aab850cb7b31913612210dbf6ebc5a213c1c30002629e73a9536e97289a6d310d40cbd412af43

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe

MD5 8837a89b82d0d3b0259cc9f47b2e599b
SHA1 51dd86a6a717a8f1470fff7a65f96c983aa71f09
SHA256 ad5c98936429f847e6808a4efdb80faf452a5c5c31d91f9f7de2560e51478701
SHA512 4a6c660c78bc99916d68978243f1140203a5805a3a7ae7a1749c609bd5aaf06b9ac253c09c0a206acdb832b45bc1ab700a5beb98024131779a45c70b53c7bc71

memory/2680-116-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1080-112-0x0000000000280000-0x000000000028B000-memory.dmp

memory/1080-110-0x0000000000280000-0x000000000028B000-memory.dmp

memory/1300-117-0x0000000002DE0000-0x0000000002DF6000-memory.dmp

memory/2680-118-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9119.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

memory/2824-125-0x00000000001F0000-0x000000000022C000-memory.dmp

memory/2824-130-0x0000000074C30000-0x000000007531E000-memory.dmp

memory/2824-131-0x0000000007600000-0x0000000007640000-memory.dmp

memory/2824-134-0x0000000074C30000-0x000000007531E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2AD9.exe

MD5 e14f85301e4bd520af920d37084c5743
SHA1 147c8fa869c7bf1cb7ca662a30abf9fafb71d55e
SHA256 5c9e2ba6644bd8002ed08bcf503d546119d7ae74d2de4d716566afe6ae8ba259
SHA512 f4428e26bf81db422b095bf54bcd755f5389491fcd648b9d615de3e6886d1dd49bc42f161ccb091e8c431d67a0009d2b8ea58ad29dde372a44ea8363f996bda4

C:\Users\Admin\AppData\Local\Temp\2AD9.exe

MD5 8a2dd461fbf8e46b94d996044fc092a8
SHA1 7e1dc496ff98e59b7268bc796d49ca22e67f92d1
SHA256 64655692ad2b886c3cac103867fea8911fce279db772d3dddd907b4f68a42fd9
SHA512 db91739701a35fcd32c8dc231e4f10a2ffc64333a1d2371b6f1d4d350f2b1034563f04dca1f33628f9a4f24a3d2864112a10a1382e4506cc05f2c6e8f149e862

memory/1292-140-0x0000000074C00000-0x00000000752EE000-memory.dmp

memory/1292-141-0x0000000000040000-0x00000000014F6000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 fffdfb3dd8ace0759f26dc8a8cb056dd
SHA1 f64e34b6525780bae8b7fb2c8eb3a0d12eb75bec
SHA256 4c73cfdb907556a60e7ac6fc71c1aa9913c388bd0e1c43cc187dccaf5ea1842a
SHA512 fee43f00aeaba9595928ebf9d0bb36371bbd79d6af1c7329db661f4dd1a6a3727102ffc76356505534411de78c1df94ab283c681677b0bd1d4f8d60ee626e8e9

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 894658236a671fd985e42f6b5c21ee89
SHA1 1d117443819c7067c32a53dd6f91c7b405eef0bc
SHA256 17f9c341de96ca973e0930ffaa848e2c5664e640d0ea02456040f2669bdacb2e
SHA512 386af725ea95729252a0506ff8f85b6c382a848c2796c3e5814a4487d558ea782c09e12a84559f1e77868e046a5a26e4834c618db0f0389b5a94675dfcce7d74

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 1ded5e6303eeca87eff912c748a91944
SHA1 86b07b232188b2d73bb42f8923a6357971889822
SHA256 5ca4faba437055fe287106b18a0f2afebad9ca0334324b11e36796ec0806b55f
SHA512 1e14d61206859517dd32fe6efebe17e521f6f9913ac4b8a179331f07424cc619a6e1850672e7e102435a1629759198da731d1584e5bb7d56f9ae57f0fd19fc2d

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f36eecf9ab04f04812d2dfd73581d3ef
SHA1 f25e8210e3d854058ffadba2f65f2d24560a544e
SHA256 e7f02b2f20eec21486cb8fe6b4d83453a92e27ac9092bafba4349789c4638027
SHA512 8f581367c3259932f3194005f87136a31239d80de61bb0eb69898335e4ac89bfe3e666d719fadc6b62df17b618bb1a369c5629e9cd2bd34d82eef955a761b895

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 69d7cb85b0791293797b88c761fb3835
SHA1 eeb9ba202a7915bec2b31ed86af3712e27c72848
SHA256 0432e624d7b922d66b9b01a5db7a6f3109db8a26ae81fdc1b43878e6dc344dba
SHA512 d9ab5d775a6cca1ad1f9a3d611684148cca5f73ad9b49d59ae576ed903946c119cdbd077a5001b9277a8993d4cf1564871b4a5f90208bb229bf2aa3e0cd8151a

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d2a26177345ad7cd2746bc3b371dc186
SHA1 6f30ccc3b4243cf4a14a77085b1b6913e097ab4c
SHA256 ef386c17901f7fa2d22f00acb548073b845f304d0c01fb053f3e3ea9782627db
SHA512 d142579006d26a9b077198a27683bdc553e3debe5eec438bdfd0fb159a4a2fbddcaf8f1aca56452cf1e82cf8c10e232e0181422f629bd5188ecc7b2a4516ad3d

C:\Users\Admin\AppData\Local\Temp\2CBD.exe

MD5 ae8253459e2dd23fb343df84a1580ba8
SHA1 655988d0d7fbf04352549e02be64bbe16ac55511
SHA256 4119ac6baa45da105b3ec78788c8f5f7e63bb909140a5c4b9cd3ac5445d27c05
SHA512 361cbf5c47bc1f1d7d9bd186ac916735950da09dc12b223ffa4db39e0d713dd373728669fe18f6d0e18b1fbba273d8a9b3f2af2223207939cdbb9fb62fc3dfab

C:\Users\Admin\AppData\Local\Temp\2CBD.exe

MD5 77e336dcf714927c4ed8cea00da14e60
SHA1 ce5baba1faa4aee5f4acbf82234f7a38db5a109c
SHA256 0488bc48360d3e9e774390b272a0aaf239340dec90386004c6c97b857cb3cf9c
SHA512 22104524b5e2c651193993d1653afd793aa3b9219f4c64afdadb0621d548e6bc0ae3334797126b9cc2e34eb0defb0868844b1bceae95dfc7689585303be605cd

memory/1936-176-0x0000000074C00000-0x00000000752EE000-memory.dmp

memory/1936-175-0x0000000001090000-0x00000000010CC000-memory.dmp

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 5f00489ba953f52228ed606e495b74af
SHA1 1fadc2f644a2e50217e4d28bd9ef69a3ec8544bc
SHA256 0db13546ab6b6002f8d0436ba19e8f3880be11ad97cdb9ce5faca7910a3b7342
SHA512 41a67be39a42a9f24b22deccaf51fa82f5bbe6bcf017866038a6dc39293b822cccc5f90d949c294ba58a51fe97637828558dd79516bf3b228deb5b8535aaf0c7

memory/1936-177-0x0000000007130000-0x0000000007170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 6b865e5b9efcbcac3e7c13c8ce0c85e7
SHA1 5942a0ea057aecb04e902633cf28b721386b19ae
SHA256 4790e4b5409a861670929025345f79ee7e5302d415324ea4bcc0213c1682dc2c
SHA512 737b6d7cee494da988f66305357ee65c53d720338226ed06eb9ff1f185d596e643d29df2328603138fabc66a395faa761fc20333d04ae5a5e7a393ae1b8f936d

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 b9c976e7da0ccdfe5d62d00cb9b9a557
SHA1 2bf5ef503efd1d88d139eab7abeac44c4604d367
SHA256 1bae4f83b95b27e8da7301faf0effa69bf3a40ce897fbb9dd4b68f7c988f7446
SHA512 f30af2f96576a41d0c8f5e143de0531ab0790a3adde9b484d014aa681ccbd9c48d1b8c02a24ff5e63a26f4f9aee3d2e9f85b5d303254ef1a4a9847cd77575a8e

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 813e693d0b3f8bf7658e2dfec20fed61
SHA1 947f9b6d787f1992c53b6ab7c1c20a8b46b53c8e
SHA256 9aafa3e40cb3de35c9fd627cabd2181b0d3b1781023d190196be6a1302f0d531
SHA512 fe35f21bc7d5fd8fd5770af785f914860cd3d210620396107264d650999f518721156615ea931c1bb4765c4b80c419b7bb6e3adcdf0d19a315885ca0fb5c13df

memory/1696-187-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 558d2e13a268b9419595e6a1865687b1
SHA1 3e9220820b85b77b51c5186f175aa9bc24d6e246
SHA256 183f15bf6e7a6b00dfe64267203b0206bdfdac5cf6d0a579a5326dda6489a9c6
SHA512 a73e6b8032f54128051f8e52fafde6c62edf58ae449413f5bb22d66736b8724da04582837347ed305e0f503381fedf977b8ee837bd44c18ebdb578636745c19b

memory/2204-191-0x0000000002670000-0x0000000002A68000-memory.dmp

memory/1292-197-0x0000000074C00000-0x00000000752EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 e513ee1a310c1e6a9347f48e14bc462e
SHA1 fcc2308c7345dd20206856e010af41d6ca0dfe72
SHA256 6473a0def193c0214f3a5ff555fd84ba1ac189d37283963f83c06ae7e175a5e8
SHA512 f0b52778f837a57c0ede03c1223b2534246595ea0d0b8a2ec651a1384762cd29d31ee1f90c891aa88a536edd564c02ee5c26ce151556cf091faa90c84661a5be

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 57d3e99cfa065d456727006e80b32e55
SHA1 04831b2e8e1e74d019e9d74ba382ea7a92c8445f
SHA256 6ceb554dd99f22659baf77aeb0b063aece43ed1109c205d53fdff582965fe416
SHA512 40c9abbbf218e93de3f876dd678516a6d8613620282063300386afa56f5335d979cd6698fe6aea745affc438cde1746c640d150e8627b229d9aecec0105de409

memory/2100-192-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GK82F.tmp\tuc3.tmp

MD5 d19d15c143bf5a7ca2de12852a687eab
SHA1 46c3864f5644b739a82a46cf689f458e0578dde3
SHA256 e8464616b9f78f436bf70f74d9198d14b7008a8f2534b34e25187a0e645d193e
SHA512 e71152e0e070b4ce66c87c00a8ce51cdd8691977c0fdbd6d5a504610b4c3f5037c4ac69ed35d27864ad6a6666bd3921e6674498d4ac8c1d9c5f6b8e1e34ee3cc

\Users\Admin\AppData\Local\Temp\is-GK82F.tmp\tuc3.tmp

MD5 f80be5329ae65be0666bbe9945fa1710
SHA1 b2f99fdebdad03889e764330743090dee1208f9d
SHA256 31ff25614762ee2b07ea953139f02aa2bc6914aae30c6ca69ac36891226dd3b2
SHA512 63300d8119748dee796fb5d14487e8de3ac74f6bda19a6a912601d3c17daa94caf96c241ddc17c78637310ea82ffcb9c5441e7893bf6fc68239a65808874f1d2

memory/2748-227-0x00000000001D0000-0x00000000001D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-GLP2K.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-GLP2K.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-GLP2K.tmp\_isetup\_shfoldr.dll

MD5 d1a8b2f98bcaf969d40ef6f2548f6b4d
SHA1 a465ce22774411d1994a7d56d2e8ca545497a779
SHA256 e93933057902b50b066e625588b722900797566065095305e6ad98683e42bd14
SHA512 8287252be27d7a9731a8b9d85242b8e241c9d9bbabff9812089f43cc5ddfde5558727cd13be5d0709ff2e3ab152dddcfa0b7672a20efff11d4a2888a422e776c

\Users\Admin\AppData\Local\Temp\is-GLP2K.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\??\c:\users\admin\appdata\local\temp\is-gk82f.tmp\tuc3.tmp

MD5 7571ae88914047847803949b403e993c
SHA1 a79a1d12f7c0d3b52f34093dee7d2212a52ad1a8
SHA256 297dbed14ce020b2bcc149dec6d455225be3b00eeec9e69202f8e81ec54b648c
SHA512 addbb1ca155690117ca41d341da3bd27c7e316546562111686d2d8e402cebbf8eb246651aac4c405d9769a8cde876304c374e59d6a0d87f7eb3b6b15703e2f8e

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 b60f9c0158808380cd8cbbec1d0195f2
SHA1 1d79ad07789eea26ad86e9bf7ea4f7c927327a32
SHA256 be52bb0fb2203d5455225133872f6f88cff5d2598e64dba25409660f2252fdea
SHA512 cf0659e6bab188e512f0c9cb0c41c62de2eb842e99f0fbffadea176380c9770d4f7c0a1c981f5414094dff7f8f4bd749c51af0a0e7ab8d8353b49fdfc658778c

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 80e06df668904f81ce0cd967691bac6d
SHA1 5b958dc846b4ae7e337615a91c2293c3039da8a4
SHA256 40cc57aecdbed2ad0571d585096dc84c2565c29cddfb64980c128f287b288ed1
SHA512 b891041c68732a4790f101f3eaaf0e504ba669d61e7fc19880aab5779d449573c0b2523770e3bdac12111b0f21528dfe8fa4a5d0d32a2684b6519e852a1b3b7e

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 a0a11a28794f0d208b626ea85a1ae3a9
SHA1 1674b917aec95fb8f3e3291b0bf4eb37806acbb2
SHA256 5b1947b010efae676f8863bf02198f0830c883f59d07bdc81c3bbe8e0cbdc926
SHA512 6af7006d61d72f547f62f2702f9e3e71f5ff4ec242d5a927060735865867013c1c7a16818b68b27caf63da63758b28f15b9283eaecb29abb0f7bbcc5e1eb9ca9

memory/2204-229-0x0000000002670000-0x0000000002A68000-memory.dmp

memory/2828-234-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2828-239-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2204-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cef1ec5f7f73e941e03f1e56abae7004
SHA1 79b2b4394a5397cc10c97461e907a00dc5f513f4
SHA256 6f1b8f605dab8cb57b456387c937ee729e67b8dc95565f8ac646fa8551e493f8
SHA512 e76701bd3229013ef9b24c6a2dbaeb3f83e3ed998dcdf888bc51aed49fe0c475c747cdf944b591806dbf6d7ea8e7a0a017f0122c18fd92da3d5f4faefeee016d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 8c1312bd954c08e4a79a30fb957eb20e
SHA1 bf4941332349e938fb31766b5cdfe53275820450
SHA256 3b9b3e831fbabf026a77afc6dd018979ba755c420afe432dd61fe3d5de220958
SHA512 32f7abb0c725bcd6e3cd1aee577963d27ac4fe380d36b718972023bb77d5b6f0bc501f5396e7a0052765c01bed9506ffd503af42199b2f20830e893b18ef3233

memory/2828-237-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1748-236-0x00000000008C0000-0x00000000009C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 5ea028083438258cd45435edc6bf95e7
SHA1 02bf311d8b9e6d30e005987bff01a9f83ffdee1d
SHA256 e15b5837df1849f7b4ac200fd13f9424633e772be6fbfa26310cb6349d6146b1
SHA512 3b1c32adc3ede8d6777836bf47689ef1906ce02fd85b2c45ecaf6c9ca77ca2a12ec5a0befa61418fb11f7c61ee42e40c9ab4ef1d74edea7541139c1a3177d949

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2620220446e4488493865653f9bca37e
SHA1 56be02429ee79512cd650ef142e9a9923c03fb0b
SHA256 b3d195ae271d3efceda3beb343280cd830d135925d8abc0b76363001ea31f340
SHA512 f0dd2fa22745b7c40dcc0f6d6f7d47dd7f69dcde7faf663fe2436b4e52401f725980386f51abdf92783fe096fcec60ca22d72670ebd64d3e67b5bc494ee6c887

memory/1748-231-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2204-230-0x0000000002A70000-0x000000000335B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 7853c8b96f10975894d7e3648a893d30
SHA1 5991429df8b3b546f2c2e2057a5a654e1d180221
SHA256 eb68caa1a1fbe6505b51b92ee990083b65ebab3e88edbbdf8ecd8bddcc43f231
SHA512 b5278ae3d5b99323605f578ff2592fde5f946b3140660ac81ab88fc0ed4156b57845b268fcce2487b3b9c4b107f52d894320314c37e4b93c102e7f0c144557fe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 b6b88bcb083dd733615386693d1c3253
SHA1 09803cd134fdb767ad19adbe72841156d482a833
SHA256 c748651b005d7ce28acd9ffb2ba8ddcae3e638137cb5cf0d9df02a072287fe85
SHA512 6a2cb26e4ec53141a700570ce377c3a565f4415d1ad5314e200f31172a6873c6fb7dab760b5a3737da45b9a3e06481c1ab02627c726a931a987b83243cfe0ba9

memory/2204-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 bb24c4c4ae3ee3bd6233ac3acb55a70b
SHA1 b841c865cc3ba65e3abbefb693d66141cf8204a4
SHA256 d915b4e83fa061c07223d17b5dfe50f8ee98ceeefdee782c6b0a02d599fdd5a4
SHA512 ed407e14a1d63a30397f1e6003a8fdf7acc9ff4b9e2658784ab1d738ac81d386cccd18ed08c9c8c4a0ed91b3dbffa344c5b8f05e540e88bfe00af6a263dd6fc7

memory/2204-244-0x0000000002A70000-0x000000000335B000-memory.dmp

memory/1708-245-0x00000000027F0000-0x0000000002BE8000-memory.dmp

memory/1708-247-0x00000000027F0000-0x0000000002BE8000-memory.dmp

memory/1936-249-0x0000000007130000-0x0000000007170000-memory.dmp

memory/1708-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1936-246-0x0000000074C00000-0x00000000752EE000-memory.dmp

\Windows\rss\csrss.exe

MD5 0957857b3dda8090780a1605eaf21dfc
SHA1 c4845da3c12b4eb4376176d74f5a3ecb1a3feac3
SHA256 a05d8cf84a551b32990d2817d5d875e0c122eb0a3c50bb4cacd1d2cf158ea2bf
SHA512 71bec66f296908816e5f8c5a3138df1a969eff12b51470474e335c411d15287dd59f07398e2dfe064a21bb9f8fe95a874ef80486b346970e78aaa7630aca9eb8

C:\Windows\rss\csrss.exe

MD5 dd6ca58d2fdb38d5fb2f68e2f7cc534e
SHA1 87cdb77adf6dcacd1db4100639299f611807ceed
SHA256 83d03b2f5c81db276f985247109b37e39f803a6db54750cf0f1a523a82b230ba
SHA512 1c68e3343449aed79886b93fc44b03a4a445c8b2fe4053fe17a9763e7df8bfa6eb4fb06dbd210039efb8141d9044a6583aa594c71f94586379bd0a5ccb3dadce

memory/1708-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Windows\rss\csrss.exe

MD5 44566fdc3a13bfa6b5bcf834def73bf5
SHA1 13f5eb0e6118cd876cc6aaec28677378e2a3897e
SHA256 9295264a3af5109b24114e41d824e82bf96a2409da94583189088ad6d30488cc
SHA512 bbb12f24b42687bc7da58f61320441b4acef859847c9f026b65d449cf8afbceba262ddd8575973f56c6c2456379ac766533a4e0c2a93536373f35d6c05dd714a

memory/2692-259-0x0000000002640000-0x0000000002A38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4972.exe

MD5 7a13ab29c26a8baa4991bd2055d3c306
SHA1 338f6b8d7cdb52963b7ffc7691c4e7da8f39d120
SHA256 a18e27dd8fe826e70a3d918e86f17388a9e08442a8cd685f2638f3fbf1868dfb
SHA512 a40d1d88dcfc833be28dde65611fd14e328191eb36be5696ba8b7132b65b2b4686db425b3a82b81dd99ae31ebc6db93c1d121ac8ea04bf754f11e393df9becf9

memory/2044-265-0x0000000074C00000-0x00000000752EE000-memory.dmp

memory/2044-266-0x0000000000180000-0x0000000000732000-memory.dmp

memory/1300-268-0x0000000003DC0000-0x0000000003DD6000-memory.dmp

memory/1696-267-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2828-269-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2100-271-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2044-273-0x0000000000BD0000-0x0000000000C10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4972.exe

MD5 7b36bbc6ddaf8f6851517f5705be5728
SHA1 3b1390c54a527ac43bc8e27f236061c76852173e
SHA256 49990d51d5a892a1522cc2c52b783c811568fbd639f77ba927bb8862422df5e1
SHA512 db1e498c6bee3e10dee5e577e28fcc5e902a3017cf181bce1d74ea9abd15d67b1d6b7651ba359c1720049fc9e937e996624b2ad464768514ffb1d1b5a7fd5b21

memory/2692-275-0x0000000002640000-0x0000000002A38000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 5daad46eb1ae3493d079fd55e9db7150
SHA1 51f73d7d56d95d027c5637a6262a14bf02bb3987
SHA256 82bf408f9b445e281e746c34ea3ebe192cfa6597ee15c43e6d17deff4794d4d3
SHA512 053b745ff02c8410bb0baf07184d8e5603f874719e18c109bc15a2a4265c8248af7f9c70711a65aee1d4818c363b80f004d2ce06980bd0a96518d0e7105e1179

memory/2692-276-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 82909593cb773899b0cbae101992c765
SHA1 01d97f6be42ec6449fb2ccd82b207aa1553a648a
SHA256 d8a994de217aa25caa1903d21b0d5f254ebfe1e75dbc3c7ef28b63fd1ad29bd2
SHA512 d9dcbb7698c0728158e554c88f30a38603b3fa7a22303d5c45dd04827134aea5689d2bc7644d771fa4a6053552555e043a1a31cd1998c0a8a43118fe4c859bb4

\Users\Admin\AppData\Local\Temp\symsrv.dll (zero-byte file: the four digests below are those of empty input, so they identify nothing)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 8a102fe1416b2ac8491882b84704dd9b
SHA1 938af65d9a904733fc388630ea87bcf9957402e9
SHA256 149ca903d5b2a1cb455903bb51c59fb5e85533c4cfd7b295a1e094386556f54c
SHA512 5abed3062829069fb1680a4b4e588afc359e13661c205341f3911a8beef4c09b3f48baff0a13caefca50e500ef2342f01805b6e7321fe519dd8140f28d98f68e

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 3e979e41103e23892b65f3a9361d5409
SHA1 5bba4f8ca988e86b3d39334cda6783e006b9d9d9
SHA256 92659e1ec6072f80da1c8c95e47198bbe741b1519ccbc9e317657633c73c7c7f
SHA512 63118e76364a7211d7de820dd53cb2de79b525e55459bc68841b46316887268c255fcda325e4d72f8a01f13b48df80004d781ab08076b5f8341c8579199953d9

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 ccbbf7afd855b52c2119bf45858ab39d
SHA1 37f6782e9b1861def30fcaef2d62d52d9fa87259
SHA256 f3962e0dca6aa7166f15e993d2083f13f8dc943ccee383021f8309fd4710ba69
SHA512 683a0fd3a8d9b06872301a31a564670d46cab46505a8961517c46994be28744a447f4a5c64946905b719c394ab916eb3781bed684b7d56a39767fa16c88b7491

memory/2400-297-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 113b3043932afc53ef5f8ce688b32bf5
SHA1 c3e89a25d9268a76777fc880cb424f5a9d62f77a
SHA256 977ad1115c60467ca3da1c1ca7fb524f8ed240b863d8313665343cb32412f6dd
SHA512 2796dbfbfa791fbc7c8bd82088ba4821a3168db33f0a1eda9afa1f99479acb36a29cdb2b1d8d4521ee2cc0cf17e0ee8037b1bcffc1acea272ff8c20b4b5afa41

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 8406e14997564a5b5230910b32f07e28
SHA1 f0838a884e37a79a0ddcfcf6d1d2c6f1fde66994
SHA256 6f0c88c7fc8ba900292979ba9df9e3cc4496924a45b65b6c7329c2ede4b26a5f
SHA512 06f443591b22c10b97f1eefd281dc7a152d34705337752ed1c0b0b55ad8e69b9ed5aeb160b30a8e9cd20bebdcb858ba6a3f190c605c87afe7311c08ade8cf8c6

memory/2400-289-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 49b3249f2f883f9d53f5537d2166b0d0
SHA1 11fdc5314c86ff37fffc1af8b1975af34acf8615
SHA256 cd06c2ce2d62ff63cce3d677c6134d312b25c2e3188be82fb28ccbfddae7dfd3
SHA512 6103ef8cf1daa703739bf4109c0b880d826a31ae1e125967a9d96545609ff8c29bd3e62b47da1d15eba73dbfda8fcdb744fc7aff4fee85fbec39934956f545e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 c8e0469f54063315643551eb72d05cf3
SHA1 d35453c0f85038cbb4b63479486c7b6588887dc1
SHA256 1826bb49e73eb4ffc4923f39545f9a74b6b737e31d6ea9e9c201c73defc09fa7
SHA512 b41fde2071e1c71ed975d7f7cebf5e577e242966ef370c8a519f3213322dd3a263e684464c8188bb4b0843b5a1a670a655ac4b9c7ec743aa1ab73783088d880e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 167f53aa7c37ddacc9d720f885d0cd0e
SHA1 af17874549ea66801a5f1000b7ab79fcba5c4b56
SHA256 3c0b0c138d02413373ce7c60867cfad144a76f302b70e1243e578bc4de6bba3d
SHA512 58d23bab3cf4ef04ea938d9f2918d3dd59d51809b4b5e6eaabe4d3f7e3b0047e4a698ffd4fe793bd8441f40632659a9a7e03dc0a6ec36a29623298d683dd92bb

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 a147862b5e83d8cd71bb33811d2b9595
SHA1 e1a95845fcd132df18ec83e9d297cc0c7551d5f1
SHA256 4692c912349096cb1c524ba1f07d772d3237ecf0add2edbea18b4e01762a7f89
SHA512 363ef088360ff1f40e113e136c9e550215ed891d414f73b3d6da0b79a264f0528afe33178d4ad1a84b9ad39e3d8bca86098070b451b2c541b4fc358d1fdfa588

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 50cc69f01e489d0bc478468481c13db5
SHA1 ec30d022af10f47506401fdcc172b18dae0bdf18
SHA256 dd60bf876680179ce76666115c4e6b11429a35ce45708df77aff4ba976131e2e
SHA512 171ad5e9b749958a7be0fcc83ea43aefa08fbcd53e92d283068903b80d8e3ec08d880ca19bc805ffe48a06bc05ea809ecb7749b32152582ad6c8a94393975eca

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 07:13

Reported

2023-12-11 07:16

Platform

win10v2004-20231127-en

Max time kernel

49s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe"

Signatures

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1392 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 1392 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 1392 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 4288 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 4288 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 4288 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 4288 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 4288 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 4288 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 1392 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 1392 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 1392 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 3248 wrote to memory of 3352 N/A N/A C:\Users\Admin\AppData\Local\Temp\F666.exe
PID 3248 wrote to memory of 3352 N/A N/A C:\Users\Admin\AppData\Local\Temp\F666.exe
PID 3248 wrote to memory of 3352 N/A N/A C:\Users\Admin\AppData\Local\Temp\F666.exe
PID 3248 wrote to memory of 1840 N/A N/A C:\Users\Admin\AppData\Local\Temp\3BFB.exe
PID 3248 wrote to memory of 1840 N/A N/A C:\Users\Admin\AppData\Local\Temp\3BFB.exe
PID 3248 wrote to memory of 1840 N/A N/A C:\Users\Admin\AppData\Local\Temp\3BFB.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe

"C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4288 -ip 4288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1760

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe

C:\Users\Admin\AppData\Local\Temp\F666.exe

C:\Users\Admin\AppData\Local\Temp\F666.exe

C:\Users\Admin\AppData\Local\Temp\3BFB.exe

C:\Users\Admin\AppData\Local\Temp\3BFB.exe

C:\Users\Admin\AppData\Local\Temp\3D93.exe

C:\Users\Admin\AppData\Local\Temp\3D93.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-5N0KV.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5N0KV.tmp\tuc3.tmp" /SL5="$6014C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Users\Admin\AppData\Local\Temp\584F.exe

C:\Users\Admin\AppData\Local\Temp\584F.exe

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Users\Admin\AppData\Local\Temp\61E6.exe

C:\Users\Admin\AppData\Local\Temp\61E6.exe
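The persistence evidence for this detonation is spread over three places: the Run and RunOnce values and the Startup-folder .lnk in the Signatures section, and the two schtasks /create command lines under Processes. The script below, an added example that is not part of this report or of any tool it names, folds them into one inventory. One caveat matters before acting on it: the wextract_cleanup0 RunOnce value (rundll32.exe advpack.dll,DelNodeRunDLL32 on the IXP000.TMP directory) is the self-cleanup entry that Windows' own wextract/IExpress self-extractor writes, and IXP000.TMP is that extractor's working folder, so XO0UY05.exe is an IExpress package and that value is a packaging artifact rather than the malware's persistence. The rule that separates it from the Run value, the .lnk and the scheduled tasks is the author's assumption, the sample lines are copied from the sections above, and the Registry.pol write under System32\GroupPolicy is a separate local-policy change whose contents the report does not show and which this example does not parse.

```python
"""Persistence inventory for the sandbox rows above (added example, not part of the report)."""
import re
from dataclasses import dataclass

# Constructed sample: the persistence-related lines copied from the report.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    r'"C:\Windows\system32\schtasks.exe" /Query',
]


@dataclass
class PersistenceEntry:
    kind: str            # Run, RunOnce, Startup folder, Scheduled task
    location: str        # registry value path, .lnk path or task name
    command: str         # what gets executed
    source_process: str  # process the report attributes the write to
    verdict: str         # "persistence" or "packaging artifact"
    schedule: str = ""   # scheduled tasks only (/sc)
    run_level: str = ""  # scheduled tasks only (/rl)


_SET_VALUE = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+) N/A$')
_STARTUP_LNK = re.compile(r'^File created (.+?\\Startup\\[^\\]+?\.lnk) (\S+) N/A$')
_SCHTASKS_ARG = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')


def _unescape(value):
    """Undo the C-style escaping the sandbox applies to registry string data."""
    return re.sub(r'\\(["\\])', r'\1', value)


def _classify_registry(key, command):
    # Assumption (author's rule, not sandbox output): a RunOnce value that runs
    # advpack.dll,DelNodeRunDLL32 against an IXP###.TMP directory is the
    # self-cleanup written by Windows' own wextract (IExpress) extractor.
    if key.lower().endswith("\\runonce") and "advpack.dll,DelNodeRunDLL32" in command \
            and re.search(r"\\IXP\d{3}\.TMP\\", command):
        return "packaging artifact"
    return "persistence"


def _is_schtasks(cmd):
    exe = cmd.split()[0].strip('"').lower()
    return exe == "schtasks" or exe.endswith("\\schtasks.exe")


def _parse_schtasks(cmd):
    args = {k.lower(): v.strip('"') for k, v in _SCHTASKS_ARG.findall(cmd)}
    if "create" not in args:          # /Query, /Delete and friends register nothing
        return None
    return PersistenceEntry("Scheduled task", args.get("tn", ""), args.get("tr", ""),
                            "schtasks.exe", "persistence",
                            schedule=args.get("sc", "").upper(),
                            run_level=args.get("rl", "").upper())


def inventory(lines):
    """Normalise registry, Startup-folder and schtasks evidence into one list."""
    entries = []
    for line in (l.strip() for l in lines if l.strip()):
        if m := _SET_VALUE.match(line):
            path, raw_value, proc = m.groups()
            key = path.rpartition("\\")[0]
            command = _unescape(raw_value)
            entries.append(PersistenceEntry(key.rpartition("\\")[2], path, command,
                                            proc, _classify_registry(key, command)))
        elif m := _STARTUP_LNK.match(line):
            lnk, proc = m.groups()
            entries.append(PersistenceEntry("Startup folder", lnk, lnk, proc, "persistence"))
        elif _is_schtasks(line):
            if entry := _parse_schtasks(line):
                entries.append(entry)
    return entries


def hunt_list(entries):
    """Distinct on-disk targets to sweep other hosts for, packaging artifacts excluded."""
    return sorted({e.command for e in entries if e.verdict == "persistence"})


if __name__ == "__main__":
    for e in inventory(REPORT_LINES):
        print(f"{e.kind:15} {e.verdict:18} {e.location} -> {e.command} {e.schedule} {e.run_level}".rstrip())
```

Run as-is it prints the inventory; hunt_list() returns the three targets that belong in a host sweep (MaxLoonaFest131.exe under the user's AppData, OfficeTrackerNMP131.exe under ProgramData and the FANBooster131.lnk in the Startup folder). Both tasks are created with /rl HIGHEST, so they run with the user's full elevated token, and /sc HOURLY plus /sc ONLOGON gives the payload a periodic trigger and a logon trigger.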

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 193.233.132.51:50500 - tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 51.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 77.105.132.87:6731 - tcp
US 8.8.8.8:53 - udp
MD 176.123.7.190:32927 - tcp
US 8.8.8.8:53 190.7.123.176.in-addr.arpa udp
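The Network table mixes four kinds of traffic: mDNS to 224.0.0.251, reverse (PTR) lookups, most of them for addresses that also appear as connection peers, forward lookups together with the TCP sessions they lead to, and TCP sessions to literal IP addresses that were never resolved from a name. For triage the last group matters most: 193.233.132.51:50500, 77.105.132.87:6731, 176.123.7.190:32927 and the two plain-HTTP peers 81.19.131.34 and 185.172.128.19. The report does not attribute any of them to a particular family and this example does not either; it only buckets the rows so that those peers are not lost among eighteen in-addr.arpa lines, and it maps each PTR name back to its address to confirm which literal peers were contacted (77.105.132.87 is the one direct peer without a matching PTR row; the 8.8.8.8:53 row with no domain may be it, but the report does not say). Added example, not part of the report: the table text is copied from above, the bucketing rules are the author's, and reading the bing.com rows as Windows background traffic and the ipinfo.io rows as the "Looks up external IP address via web service" signature is an assumption.

```python
"""Network-table triage for the rows above (added example, not part of the report)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the Network table copied from the report. Rows without a
# Domain column are accepted as-is or with a "-" placeholder.
NETWORK_TABLE = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 51.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 77.105.132.87:6731 tcp
US 8.8.8.8:53 udp
MD 176.123.7.190:32927 tcp
US 8.8.8.8:53 190.7.123.176.in-addr.arpa udp
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: Optional[str]   # None when the sandbox recorded no name
    proto: str


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines()[1:]:      # skip the header row
        parts = line.split()
        if len(parts) == 3:                         # no Domain column
            parts.insert(2, "-")
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append(Conn(country, ip, int(port), None if domain in ("-", "N/A") else domain, proto))
    return rows


def classify(c):
    """Bucket one row. The rules are the author's triage heuristics."""
    if ipaddress.ip_address(c.ip).is_multicast:
        return "multicast"                # 224.0.0.251:5353 is link-local mDNS
    if c.port == 53 and c.proto == "udp":
        if c.domain is None:
            return "dns_unknown"
        if c.domain.endswith(".in-addr.arpa"):
            return "dns_reverse"          # PTR lookups: noise for detection
        return "dns_forward"
    if c.domain is None or c.domain == c.ip:
        return "direct_ip"                # TCP to a literal address, nothing resolved
    return "resolved"


def triage(rows):
    buckets = {}
    for c in rows:
        buckets.setdefault(classify(c), []).append(c)
    return buckets


def ptr_to_ip(domain):
    """'51.132.233.193.in-addr.arpa' -> '193.233.132.51'."""
    return ".".join(reversed(domain[: -len(".in-addr.arpa")].split(".")))


def direct_ip_endpoints(rows):
    return sorted({(c.ip, c.port, c.proto) for c in rows if classify(c) == "direct_ip"})


def direct_ips_with_ptr(rows):
    """Direct-IP peers that also appear as a PTR lookup, i.e. were definitely contacted."""
    ptr = {ptr_to_ip(c.domain) for c in rows if classify(c) == "dns_reverse"}
    return sorted({ip for ip, _, _ in direct_ip_endpoints(rows) if ip in ptr})
```

direct_ip_endpoints() is the list to review first; the resolved bucket holds the ipinfo.io and bing.com sessions, which need a separate decision because a hostname alone says nothing about intent.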

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

MD5 9b10f741fad1d0dd09b89dc6638833ae
SHA1 1f0ffa6f136cd5433f202c9c79ce5956796b4151
SHA256 1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6
SHA512 4c83e0b137338a8685481623e592d10039ff15032f059b1e200f8e6a7810978e2eb5047604d12c31923761a0e46146c01fcabc871b8748b61a546bd1a32891f7

C:\Users\Admin\AppData\Local\Temp\grandUIA9lCppVAqYs4Zw\information.txt

MD5 6b0f08778ee0da825f37835ff4b410f6
SHA1 9c0eade2e829e169e51598ab7493bf1ef2be11b6
SHA256 e8b377d63ab30222bd194130225cd5aceda948c30d909277c27c4f68d48b4bb3
SHA512 419f3e7b035dc283fd8bef8f7dc2139d2217850dffea3422cdb984ebb2902d2d18d6000fd6e05763a1992773c776146ddab69ec95383c6327cc56016c8ed5475

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe

MD5 8837a89b82d0d3b0259cc9f47b2e599b
SHA1 51dd86a6a717a8f1470fff7a65f96c983aa71f09
SHA256 ad5c98936429f847e6808a4efdb80faf452a5c5c31d91f9f7de2560e51478701
SHA512 4a6c660c78bc99916d68978243f1140203a5805a3a7ae7a1749c609bd5aaf06b9ac253c09c0a206acdb832b45bc1ab700a5beb98024131779a45c70b53c7bc71

memory/488-86-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3248-87-0x0000000002C00000-0x0000000002C16000-memory.dmp

memory/488-88-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F666.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

C:\Users\Admin\AppData\Local\Temp\3BFB.exe

MD5 7d6973a0de674048820bcfdb6f923966
SHA1 0709bb8482008b4198101c3e89e387e979b8482d
SHA256 39d1c2bbce4becc52d24e9c5b532dbfd9a307394cf5c723634491c81972dd1f9
SHA512 b7c4c5687175952182490e2ec9fac09ca318ab155d17560aa509d87ee3af285d2d2dbf58e4d8431a07921cd82806b84a5e84f275f4cb7703c5a537e73322c19d

C:\Users\Admin\AppData\Local\Temp\3BFB.exe

MD5 42425c72772b916019a1279e2c2c0378
SHA1 309a41bb5f617275312fcf4ab3e4b151915d0fc5
SHA256 d3b503d458db5c6325306581b16df075c68131c395343137a4c252b7f27aca1b
SHA512 63d19027274d0688029c43a206d7ee0d663fe4886a654f9a3961f2d9438276e9b5459dee1c2ae025638d54bd42efcbabe19ba23d37ad00d0b25b28d0c94e1964

memory/3352-103-0x0000000001180000-0x00000000011BC000-memory.dmp

memory/1840-105-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/2768-107-0x00000000004C0000-0x00000000004FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3D93.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/2768-109-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/1840-111-0x00000000001A0000-0x0000000001656000-memory.dmp

memory/3352-112-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/2768-113-0x0000000007760000-0x0000000007D04000-memory.dmp

memory/2768-114-0x0000000007270000-0x0000000007302000-memory.dmp

memory/2768-116-0x00000000073F0000-0x0000000007400000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 044f38dc91bb128702d1a8a5a8fdc714
SHA1 117ee23e53bb317bcbb6260ac28ad7e41eb25a63
SHA256 7d4b79de4ecbee89d4c55d3c595062ca7713dec535c12c5d2665870cee5b88cb
SHA512 a5359031fc1c5286a6d04f1e29625eda5c45ba899d2ac515683da1748b72b9ded6749cceaa4443b820c90442a0a09a4ca107879746ee868ea987143cb6ed42ae

memory/3352-119-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

memory/2768-125-0x0000000007330000-0x000000000733A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 307bd53fd29c7c6fb0e2aad066d93ca3
SHA1 5a645e3ba96c79a79be03adf192034bdd9b8c154
SHA256 6e2f23d7656f4e7567a0d7b52aa8d8069e2ac385d9d8b1c442007dc4bb9055ce
SHA512 6f7d3eaa3fe81e280a0491fd0232927ce6d727c1b5803b8f7f2776e10e9c98720d3c2c493b896c2fcce15ea03267ecd74f1a159c6d071d5ca965187aa5dd51bc

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 4d10187cd353d917dea3ad5e103796ed
SHA1 30b0c20a716a1f0754e9db3179b3c0764c6298a3
SHA256 b01e250f112ebc0e0de9132345d6fc9636822aa4eaf46f9f6438909161ac31d5
SHA512 f78d388bc8951fcb46d3319dcdaf3562e77a03b40da5b7b6bda69eaa20d736cc3b98fac5d5f940086795b72463417a7b5e85e9699aa42e48c89e4413984e69f8

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 a61be5e84ec3bf7d97691671d1f130f5
SHA1 74aaa424e52ca1b12b80b7962cdb15f397c33531
SHA256 d6dfa2c638490bbc58fcc041e70293839cfa0bae2094c729c879a37a95a05690
SHA512 61c5d784bad5a1518af58b1b1d1c92b3940e4dcbf2bba5ef08da20f50ae0cd70c984e9ca225c96f2831680cd4e88e0b634e35247689654623cd535a966305a8d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 a9f3e923bcb6de7761cfe1109361041c
SHA1 495e64bebdd0d6250da9afe4325e0a35c8f57eeb
SHA256 eb796a508341ac939ffd9f91a43966c1e500c330dc65803742d665a5720521cc
SHA512 86c02a95a955ef81de23d6d9b89ddcd8a9770f9934b7107f49ad0127eeea4513fc81d1158598ab4fb72bad244196baed53f26fa9e3f2a3f7a736844b8a794c8f

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d5a631c19d17673f2aa65650d0cf3cc3
SHA1 1d5695efea655c170d3b9804d1905d4b6cf43ce8
SHA256 88a66d109bc08adcbdf92797431599b940e240c14790c1ce9d25f7e04fb50b04
SHA512 c7691631d4c1fb4632d83d3de1c23cf001f037cfb7c4b7d17ad1e6f9f3c3d650b2b83d410a4647d5dbeaaadd565f64fc5844ab7efa2077dafb65c94841f9f05c

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 576719024fce2733fe53738168240c53
SHA1 3242ff55f75495e3faf566c7b6f1e41f530d2a04
SHA256 8039b34f4bc9d6388c6a7899adbaf08f6fc40dc382f6b02235e55a12be3dbbc7
SHA512 6349bd0f78597be0dc6d8df8aee6c8fa6f5e050844b3a9f0884308635d29f13a7c766b43665a481ebaef6ea9ed88beeff7c1399682562b6e5b5ecb93cfd0513a

memory/2768-157-0x0000000007650000-0x000000000775A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 b559f081333fb9269bdce3f80d62fff4
SHA1 3b171534654568577d8c61028169bb74c91a1b1a
SHA256 0220f13c38cbd81eb662bba1243acef2421ae847c476a474d2d909ded5c54010
SHA512 5e767764a6dacd6d0c9d77392795da8cf7d632bbeb337e05a6532e8611ed127304f94713a6dc3f4ae1e1fa577090485af5ae5c23e016098702001e297e404216

memory/3352-165-0x0000000008E30000-0x0000000008E7C000-memory.dmp

memory/792-166-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 92a4648e6bd828a2cd21f159907e656f
SHA1 c7206a3ffcf581e8adee5d62430a98cd070078ef
SHA256 15be7dc1c4532a2ab948f973b7062c32f81ac703fd20e4f4ae9d0c747b658d84
SHA512 89cafc5adaa7749233ef11919ac4f9ae41342989e3442e340f53d9b635cf6bd4004cca379393194942d8529a41bd45c736e235eba761b2162cafbd18391ff827

memory/2768-160-0x0000000007580000-0x00000000075BC000-memory.dmp

memory/3352-158-0x0000000008CC0000-0x0000000008CD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 23e1b6398d0abb70248755df81746efe
SHA1 820788fafcff2fea965f552858885effc69cdda0
SHA256 731b4597b871e64cbfbfbd4f169d97e31aba964e6932c77027ef3966a01f559e
SHA512 01eb9f7d579d03d112f6c797e8fe25ba9b5356381b131be00549af7f7c81c3a158406e8c99265c053928794ece91eb3d6ed5654cdf6337b7b3475e4e2ea105fc

memory/2768-146-0x0000000008330000-0x0000000008948000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-5N0KV.tmp\tuc3.tmp

MD5 c77ad9a444f152192db37898a099f438
SHA1 bb7ea693b648fc2f4c8b84a5a4ce6ce72fa8ce40
SHA256 0e8580001fdadc06c29176b4575fb8867022d7151372fae30c3da3e81ad104dc
SHA512 fed8e7ce5f3ed93f97cfd087584dfa9d7c9949b0f2d1a901b9c0f821153b6027e24575287970c0c43b4cef381c6a5e4749b1cc69f0a1fcc7c3087effcd35ecb1

C:\Users\Admin\AppData\Local\Temp\is-5N0KV.tmp\tuc3.tmp

MD5 28293d84f7f85e70bfb83f0a738f3b86
SHA1 1f5216c5623078664b5acc56ee58e708276cbcd6
SHA256 6750f158b5f19b2f2e34bdb80a97c053cd5e7d81fbe72acd3849f3011ef0b087
SHA512 f9309c703b262aefa4cb3b8d7a5582c3eebd7d08aebbb5775e9b73341c295d88f1d8d08ac8bb0518d99c7d6f31a5752e338228dc0411d0ca6d88050992f5c3f9

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 e6398c572d3912e95d67990db42f7b65
SHA1 1caeb92853c065336109a4b63813aedcab048aad
SHA256 46d152bb29f8bff9153f8e357b8b06d56b865e3aadd43a67e5a5645878c1359c
SHA512 d6986cc29c6fac52959ab3945c398e28369dbd3a0654d8c3186227855dd5639685cd7ba3e308bc78189dfc5dd8aca894d30c4029b8d0c019b16080377346576d

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 fe7f311a77bca3af8e5de01990b67547
SHA1 87832f858dc48ea543cd2d4816164a4f8446e316
SHA256 30bff50cff8c28371e7692377a2879486bc67e564dfcfd7fab53a805dd3b62e0
SHA512 b473d2f3ff75b5c9e775fbcd13b71dd8bf7ef16646a8feffeb04bac4f40eb7b7fff08f391fc681ff5464577f8d43ab944cf5f47ddc5955e5ed0f61cbd64441b6

memory/3800-168-0x0000000002830000-0x0000000002831000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-2LQCC.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-2LQCC.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/1840-227-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/2776-196-0x0000000000620000-0x0000000000621000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 cd89923baff9292472e9880bb91bf5ed
SHA1 84af3335eed089e251a596cd59cd4aacc8fccaf4
SHA256 80e99e56fa3ba62165d9cf95f188ea1607ff898b0952c90d8f12c6f492a90e2d
SHA512 3298a5152a37b98d43bfafda35318c2e7df4436fb33a71ebb4d8a24d152b5f4df8e1651d910d07a88ed366b7baba4c6dfd896a5bf17eb80417e5a8c2a5c0bfa7

memory/1036-329-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 c0635e38e1f7f2cb9cc423297495b176
SHA1 c49d2730a898331cb3d9bdbbb8bb884e9782bfe6
SHA256 bd13abb2a902f1151b4c9a296aae4f83f22db2e600a38de66badb8498dde3083
SHA512 b72a1879ba510534ea1c24f8dcc8c57423e81991f451b5dcaed934059b8b27cd158997aced1004ed16ee0dc1d929bacadc1124f6d9be83dd6580d968e809951e

memory/1036-326-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 b430d48ce740cab8b06fe41d33158fa8
SHA1 c4dd40706d3542079595d539b5c167371aacace6
SHA256 95b63ab9fd5744b8cbcd76aa4cab40c55352fecd29f0f73e0b6e99b1d202dc6f
SHA512 467dfceaec96521dd8af13ce7bc87dc9ac03f932c373bad5c347e2cb949b7e8f00e68a16f3ee41113f45087eb4f4beb9f022b399c5ad44de891c07d4949b2e42

memory/484-332-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2768-334-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/484-335-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\584F.exe

MD5 c2540da23bb29562fd6b199df29d9ca7
SHA1 49416fd1391c65c1c49fa398244fb46a8afc36c1
SHA256 64b03f06e6fc3291a55124bd81f6e941e5b9cb608f1ddf1800465875bce76888
SHA512 bef255008d250c4c8e5979138a74b906caae3e1985cfdfb43edcb7026356939094587b171c36b2da19d838256f8d8916680473497ab5c6d4401484a3cc4ac387

C:\Users\Admin\AppData\Local\Temp\584F.exe

MD5 2acdcfd6b406d4733af32c5cc7b036e7
SHA1 2cbf73b1693bc2c07d49c0f8c7c8eb73faf280f4
SHA256 a9765d5a92a87366238ee76224b59a6ae7f856588f96352b328319c6e9e761a7
SHA512 b1ac652bc934d667eaf3530d194474daf83002e7c9f303f70644dc9c7f28a6fe9094e5e7b11d155dcff8c6e9119d09a491c9132faefa927958e426b728339622

memory/3352-341-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/3884-342-0x0000000000990000-0x0000000000F42000-memory.dmp

memory/3884-343-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/3884-344-0x0000000005A80000-0x0000000005B1C000-memory.dmp

memory/2768-346-0x00000000073F0000-0x0000000007400000-memory.dmp

memory/3352-347-0x00000000095D0000-0x0000000009636000-memory.dmp
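The Files sections of both detonations list each dropped file as a path followed by four digests, with memory dumps interleaved, and the same path often appears several times with different hashes (InstallSetup9.exe, 31839b57a4f11171d6abc8bbc4451ee4.exe, toolspub2.exe, tuc3.exe, the csrss.exe and ntkrnlmp.exe copies) because the sandbox hashes a file each time it is written, so some of those digests are most likely partial downloads rather than the final executable. Paths also appear both with and without a drive letter, and symsrv.dll is recorded with the digests of empty input. The parser below, an added example that is not part of the report, turns such blocks into a per-path hash history, drops the empty-file digest, folds the drive-letter variants and produces a deduplicated SHA256 list. The sample text is a subset of the entries above; treating same-path/different-hash as a rewrite and folding drive letter and case are the author's assumptions.

```python
"""Dropped-file inventory for Files blocks like the ones above (added example, not part of the report)."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the report's own Files entries, one of them
# from the first detonation (no drive letter) and one zero-byte drop.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

MD5 9b10f741fad1d0dd09b89dc6638833ae
SHA1 1f0ffa6f136cd5433f202c9c79ce5956796b4151
SHA256 1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6
SHA512 4c83e0b137338a8685481623e592d10039ff15032f059b1e200f8e6a7810978e2eb5047604d12c31923761a0e46146c01fcabc871b8748b61a546bd1a32891f7

memory/488-86-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 044f38dc91bb128702d1a8a5a8fdc714
SHA1 117ee23e53bb317bcbb6260ac28ad7e41eb25a63
SHA256 7d4b79de4ecbee89d4c55d3c595062ca7713dec535c12c5d2665870cee5b88cb
SHA512 a5359031fc1c5286a6d04f1e29625eda5c45ba899d2ac515683da1748b72b9ded6749cceaa4443b820c90442a0a09a4ca107879746ee868ea987143cb6ed42ae

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 307bd53fd29c7c6fb0e2aad066d93ca3
SHA1 5a645e3ba96c79a79be03adf192034bdd9b8c154
SHA256 6e2f23d7656f4e7567a0d7b52aa8d8069e2ac385d9d8b1c442007dc4bb9055ce
SHA512 6f7d3eaa3fe81e280a0491fd0232927ce6d727c1b5803b8f7f2776e10e9c98720d3c2c493b896c2fcce15ea03267ecd74f1a159c6d071d5ca965187aa5dd51bc

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 bb24c4c4ae3ee3bd6233ac3acb55a70b
SHA1 b841c865cc3ba65e3abbefb693d66141cf8204a4
SHA256 d915b4e83fa061c07223d17b5dfe50f8ee98ceeefdee782c6b0a02d599fdd5a4
SHA512 ed407e14a1d63a30397f1e6003a8fdf7acc9ff4b9e2658784ab1d738ac81d386cccd18ed08c9c8c4a0ed91b3dbffa344c5b8f05e540e88bfe00af6a263dd6fc7

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> hex digest


_HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
_DRIVE = re.compile(r"^[A-Za-z]:")
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()    # digest of a zero-byte file


def parse_files(text):
    """Split Files text into Artifact records plus the memory-dump names."""
    artifacts, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HASH_LINE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2)
        elif line.startswith("memory/"):
            dumps.append(line)
            current = None
        else:
            current = Artifact(path=line)
            artifacts.append(current)
    return artifacts, dumps


def group_key(path):
    """Assumption: entries differing only by drive letter or case are the same file."""
    return _DRIVE.sub("", path).lower()


def by_path(artifacts):
    """First-seen display path -> ordered distinct SHA256 values recorded at that path."""
    groups, display = {}, {}
    for a in artifacts:
        key = group_key(a.path)
        display.setdefault(key, a.path)
        seen = groups.setdefault(key, [])
        digest = a.hashes.get("SHA256")
        if digest and digest not in seen:
            seen.append(digest)
    return {display[k]: v for k, v in groups.items()}


def rewritten_paths(artifacts):
    """Paths the sandbox hashed more than once with different content."""
    return sorted(p for p, digests in by_path(artifacts).items() if len(digests) > 1)


def empty_files(artifacts):
    """Zero-byte drops; their digests match every empty file and are useless as IOCs."""
    return sorted({a.path for a in artifacts if a.hashes.get("SHA256") == EMPTY_SHA256})


def blocklist(artifacts):
    """Distinct SHA256 values worth matching on, empty-file digest removed."""
    return sorted({a.hashes["SHA256"] for a in artifacts if "SHA256" in a.hashes} - {EMPTY_SHA256})
```

Feed the full Files text of either detonation to parse_files() for the complete picture. Before circulating blocklist() output, also set aside installer runtime files that are not the malware's own: the is-*.tmp\_isetup\_iscrypt.dll and _isdecmp.dll entries are standard Inno Setup helpers unpacked by the bundled tuc3.exe installer (the /SL5= argument on tuc3.tmp is Inno Setup's second-stage signature), and the xrecode3.exe files are the application that installer writes to Program Files (x86).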