Analysis Overview
SHA256
fd3b5cae25f6e183b1d917bd9074662c7526ead9c307279d25cd979cd8805cb0
Threat Level: Known bad
The file 0x00070000000146ff-113.dat was found to be: Known bad.
Malicious Activity Summary
Smokeloader family
Glupteba payload
RedLine payload
Lumma Stealer
Glupteba
RedLine
SmokeLoader
Detect Lumma Stealer payload V4
Modifies Windows Firewall
Stops running service(s)
Downloads MZ/PE file
Executes dropped EXE
Themida packer
Deletes itself
UPX packed file
Launches sc.exe
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Runs net.exe
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 09:20
Signatures
Smokeloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 09:20
Reported
2023-12-11 09:23
Platform
win10v2004-20231130-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9933.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\502F.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3260 wrote to memory of 3700 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9933.exe |
| PID 3260 wrote to memory of 3700 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9933.exe |
| PID 3260 wrote to memory of 3700 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9933.exe |
| PID 3260 wrote to memory of 3396 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\502F.exe |
| PID 3260 wrote to memory of 3396 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\502F.exe |
| PID 3260 wrote to memory of 3396 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\502F.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe
"C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe"
C:\Users\Admin\AppData\Local\Temp\9933.exe
C:\Users\Admin\AppData\Local\Temp\9933.exe
C:\Users\Admin\AppData\Local\Temp\502F.exe
C:\Users\Admin\AppData\Local\Temp\502F.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-E9VN6.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E9VN6.tmp\tuc3.tmp" /SL5="$80034,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\5968.exe
C:\Users\Admin\AppData\Local\Temp\5968.exe
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 116 -ip 116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 328
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F192.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FFEB.bat" "
C:\Users\Admin\AppData\Local\Temp\E63.exe
C:\Users\Admin\AppData\Local\Temp\E63.exe
C:\Users\Admin\AppData\Local\Temp\1D29.exe
C:\Users\Admin\AppData\Local\Temp\1D29.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3164 -ip 3164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 608
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Users\Admin\AppData\Local\Temp\5707.exe
C:\Users\Admin\AppData\Local\Temp\5707.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| MD | 176.123.7.190:32927 | | tcp |
| US | 8.8.8.8:53 | 190.7.123.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | 127.27.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.52.193.212.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.96.2:443 | walkinglate.com | tcp |
| BG | 185.82.216.111:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| BG | 185.82.216.111:443 | | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 104.21.42.224:443 | edarululoom.com | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 212.193.52.24:80 | | tcp |
| RU | 212.193.52.24:80 | | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| AR | 190.224.203.37:80 | brusuax.com | tcp |
| US | 172.67.143.130:80 | | tcp |
| US | 8.8.8.8:53 | diagramfiremonkeyowwa.fun | udp |
| US | 8.8.8.8:53 | 75.181.67.172.in-addr.arpa | udp |
| US | 172.67.183.217:80 | diagramfiremonkeyowwa.fun | tcp |
| US | 8.8.8.8:53 | ratefacilityframw.fun | udp |
| US | 188.114.96.2:80 | ratefacilityframw.fun | tcp |
| US | 8.8.8.8:53 | reviveincapablewew.pw | udp |
| US | 8.8.8.8:53 | 181.174.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.143.67.172.in-addr.arpa | udp |
| US | 38.47.221.193:34368 | | tcp |
| US | 8.8.8.8:53 | 217.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cakecoldsplurgrewe.pw | udp |
| US | 8.8.8.8:53 | opposesicknessopw.pw | udp |
| US | 8.8.8.8:53 | politefrightenpowoa.pw | udp |
| US | 172.67.181.75:80 | | tcp |
| US | 172.67.174.181:80 | | tcp |
| US | 8.8.8.8:53 | 193.221.47.38.in-addr.arpa | udp |
| US | 162.159.135.233:443 | | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:14433 | xmr-eu1.nanopool.org | tcp |
Files
memory/4964-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3260-1-0x0000000002ED0000-0x0000000002EE6000-memory.dmp
memory/4964-3-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9933.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
C:\Users\Admin\AppData\Local\Temp\502F.exe
| MD5 | 6988376473ea888909b4abbd324414c4 |
| SHA1 | 9a3e5d782c5317c5ac5d1320e1d84b3b0944dd61 |
| SHA256 | 1e0baeb32d1a7293c6ee10d957a053657cf02e6085ff256e422ab64bdf276e5f |
| SHA512 | 83a77fc0e607f7e8a92b64b37907bcf025c833db7e7ac8b49ec7cd292b9a36faf6135cf2e66fdb72d946ea5ad5d4b94f5848d616639cf752bf4a647a43a9f8ba |
C:\Users\Admin\AppData\Local\Temp\502F.exe
| MD5 | 82db150dc7c62b579396b17b5a2ec9b0 |
| SHA1 | 7bdf2d4b50327042c0e3759bbfb81ce3ce77d582 |
| SHA256 | 1583ab280b27fa61b31a774af4eab2d99218b1a52ebf171af41c74d6f8ae4a7d |
| SHA512 | 0bfbf201aac4e5ae03c69c2bab6424295be0906014cfd175b0fcb1625b4662ed6e81ee4c0288607e99640a84e4918a8f2cc9b0d19fee570b264d7d38e2024951 |
memory/3396-16-0x0000000074B60000-0x0000000075310000-memory.dmp
memory/3396-17-0x0000000000E70000-0x0000000002326000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 4d23ef69120b8bb88916ab31493a3af5 |
| SHA1 | d2d604148959a45f60b81b07492c87a717986475 |
| SHA256 | 06488ff17cddebfb4f56d9a0e98444e0a68a16ad10334806a79bdf4b6151967b |
| SHA512 | 704d9a9c43bc3b2d2662171bc084287b9c20b4d436097b215170f1e96ea9adc9df3001db9106a3f41fbee68f55ca4a8cc1f664afe9a7ee0be626afb66b52c909 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | a8a4513456393fdcd97eefd40c49271b |
| SHA1 | eaee3b74af9553c3eb96fd4a1901fcaf5e571c0d |
| SHA256 | 89221deb947df9dc7bd1e84335058d7251df65de8d2a56cc44fd89842e94d50e |
| SHA512 | 7dc74bc192f0ef52db4ec540cf12fdd4b9f398680707d9053a9cc7be04fc6f96f790966bc552b5b941bf7bbce3c7d9152580e6a11d254b4c454ad873ac26a951 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | ef03e3559ed103ae89ea34cbd14780a0 |
| SHA1 | 37873b16197c28f8670e3f26f31280c06b1ec00c |
| SHA256 | bca23968168d8c205ac2cc65d6f84072eede10e451c51f9afd79f75fcadd4f97 |
| SHA512 | 9d27f8e855d0c9edae25c42190e9b0e287cee04e5eaa222faab3e4bc07b3ccd92ae18e9911536a1372037db95a6f9ea457e1a7264454a0a76a2a651072fd6670 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 398bb75bc6435923f6f01c2a59831802 |
| SHA1 | 61dcc57683bed6d4fc973b9b94b6eadfe25b818f |
| SHA256 | 4e715fd8f1342affa85372d3238c2fd554905debbd0173beab49408cbeb44c10 |
| SHA512 | 3879c24ef4a949c00f8155675e550f8fba20cb1e5397cf6887f98ce3a44d49b5af5de30f620c18a87b22c8a40f2d57674d05167c85550c53400c64b4fe5db492 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 06e7b7f2fc021294acb20ebe6825297b |
| SHA1 | cee06fa6fc1d91c6d64a669326dcac0e284f3c63 |
| SHA256 | 13ab1f7fb7272eda3988614e0bfd3a4e157ecb5f9f29026f949063c8668b0dcf |
| SHA512 | 40efbf825cc54a65d6ed595e4754c35c5d915ea2f0fdc27a8c664cb6a4e37acc5e1070908f0fb7ce8d6c5bdaca44bbaa1bd033580ef769b29fc04860577c8edd |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 280675bd0abfffc9e229b0b6bb8347b1 |
| SHA1 | f33099885de4289c6cfec1643370e1511aa8f66c |
| SHA256 | ff08af74e4556312408be4af25836da018d7c6914ba95059f9ed6f31c02a45a9 |
| SHA512 | d64378df930e721e1ccda950f84624de61178d2c656d03ec7f102af737e84043971c533894fa5e824b6059ec427f2f8f46bc35c1d2f6b8992a1d1fbc6dcd06d7 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | dab3ba66e88da4f3054cadb9243f29dd |
| SHA1 | 52b86e953c068418c9312526b173c54fe4e8b3f7 |
| SHA256 | b9a8fd03026f8fae09191268f085d130f43bbb37603b1bd4e57497037d2301cd |
| SHA512 | cdd2e956716364d4ef2ca77b90229582bf4d00cd42f116ab803aeec6d31e9b6b14162fe8e8498a720ff6aa6ecf8fd2994d70014ad9ebb6d33ed1b17bcf516aca |
memory/2312-60-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4712-62-0x0000000000B30000-0x0000000000B31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 5de4024c9568344eaf8b51106af43d4f |
| SHA1 | d553b109e435a292fecc5910ed2a410eb8e04ca4 |
| SHA256 | a0d0b3b0001d3b287a695a78f078639651d88de3cd2f7dd95cd928178ecf00a8 |
| SHA512 | bcc32b311ac201f0f46098ec7bcb657b634a60a3f104fb462dbb0718294ddebd05af76ea233dcfb4a9cfefab434e673264d7608ae2337212f4f555be4a9d4bb0 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 0aaf09d0a08b397e13d2029eab0e3878 |
| SHA1 | bb96a1d3c6b146a4bf890b1c876df1e4d93a9558 |
| SHA256 | c4c5b2e42c190b51f35ecd990c2dec93ae8042d8699a43c1394ba8b70226c87a |
| SHA512 | a8811e2c4d2c0c0cb324845339d3decd281db55f2450d393dbe01f9758dd5395b6276cb0997e29f651b320565b7691b80a2828a8a295cd7ff2576d3a6dd84df4 |
C:\Users\Admin\AppData\Local\Temp\is-E9VN6.tmp\tuc3.tmp
| MD5 | a0408bfb1eade46f6d40555bbc03e52d |
| SHA1 | 8081ab527becd3c62bfda07d1f651861d784f8dd |
| SHA256 | 2a52fe729797fd778011694da8ec2628b3a48a930d88cdba2e3ddf32b07e24d6 |
| SHA512 | 7658be153229f0039f3c40d9d2891ce0707756099a42ccc52ba130e28a8e73fedf28ea1aeafec8d4fe9f3bb2d649cb463e87bfc3b9bf4b06d68c74c592d60d53 |
memory/3396-76-0x0000000074B60000-0x0000000075310000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-G7GVP.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-G7GVP.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 1ff21aaa9f0defece1347d7a2f2e7e90 |
| SHA1 | c860f1c1623926f76d3e04f54a51a081ae28765d |
| SHA256 | 09c29bc4b55493f9dd7aaf464becf8c7b913d134da996dfb8a2804c36b0221ef |
| SHA512 | 57f429d8d4ee094238241427fc58c2572af963c003ce54eae7b1ac42abe64ab5e1377f1fc0de83f1b0bc706ee7e2787b06c1880ef4da4f92f800f814674dbd9d |
C:\Users\Admin\AppData\Local\Temp\5968.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
memory/3332-97-0x0000000074B60000-0x0000000075310000-memory.dmp
memory/3332-98-0x00000000008C0000-0x00000000008FC000-memory.dmp
memory/3332-222-0x0000000007B80000-0x0000000008124000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | f78010ec1b1b0fc490d99e37153f63c4 |
| SHA1 | 0bdbc334bb31d561089c08265ad9abf01b9c6b45 |
| SHA256 | 53d084930d001fd11a520d6e00a297c3f9a6193cb10488c1532099558693927b |
| SHA512 | fc1da7f4ed28400797fe554d360aca52a4bb7b1ab84dd94c63eb78dda747170886dfbe18f2f6406ca405ac6cdb9712a21089038a7fe73858e4eeedcdcae510cb |
memory/3332-227-0x00000000076B0000-0x0000000007742000-memory.dmp
memory/2864-228-0x0000000000400000-0x0000000000785000-memory.dmp
memory/3332-229-0x0000000007810000-0x0000000007820000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | 97dcf2fb27ebcdeb36af3cef1c1b440f |
| SHA1 | afba2aa1f323cb7224d5b1e47872fb019edc25bc |
| SHA256 | 87d2db3824a21bc21e741d4ec927e0e59df70c3e77bb05608341666341f23146 |
| SHA512 | 1182776fb029603299ee33400a047de253b6c4d390db78227f2757ee1177b22d4df969a39e07a9695418a27a22cbc6c53e1522e29ba77370250a0c9c43ced91f |
memory/2864-234-0x0000000000400000-0x0000000000785000-memory.dmp
memory/2864-235-0x0000000000400000-0x0000000000785000-memory.dmp
memory/3332-231-0x0000000007680000-0x000000000768A000-memory.dmp
memory/3332-237-0x0000000008130000-0x000000000823A000-memory.dmp
memory/3332-239-0x00000000077F0000-0x0000000007802000-memory.dmp
memory/3332-241-0x0000000007950000-0x000000000798C000-memory.dmp
memory/3332-244-0x00000000079C0000-0x0000000007A0C000-memory.dmp
memory/436-243-0x0000000000400000-0x0000000000785000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | 87194f3e1ecd0d487eef4352eac49efc |
| SHA1 | b1c24f4cd7d3dfba037813a69d5165a4123ea621 |
| SHA256 | 60d339210e3548d0ad231f650bdd789fe3ef4e36b6eaf167c607d1504507480f |
| SHA512 | 36532d013f1a22b996c4bbfe2dbba3599ac0357fdb68f527963970febb6ba54bda29be2d1e7cec80000c73e74a1618a1ad5ca23721a289055a7015bc61b53253 |
memory/3332-236-0x0000000008750000-0x0000000008D68000-memory.dmp
C:\ProgramData\SpaceRacesEX\SpaceRacesEX.exe
| MD5 | 6bf48b33a953eb230cea6e47ed76e70d |
| SHA1 | 5ad9f155acdcbb917a578ace42593e9e35ad2b53 |
| SHA256 | 739f64ab20bee915ff250c9c4565629967ab8736b555b8b76572f4ea48c59ce5 |
| SHA512 | 2b901ef593759e2f55e75eb8c9215a3d7f0a3420424cfa2074bc458ee2ebdb13b7f3f5a55332a1cd6dec945f338392a0e2da8baec2414d720018ef6eb7420453 |
memory/2864-230-0x0000000000400000-0x0000000000785000-memory.dmp
memory/1912-94-0x0000000000610000-0x0000000000611000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-E9VN6.tmp\tuc3.tmp
| MD5 | 5525670a9e72d77b368a9aa4b8c814c1 |
| SHA1 | 3fdad952ea00175f3a6e549b5dca4f568e394612 |
| SHA256 | 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978 |
| SHA512 | 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 9acff15b75ed7b1316e371334bdc9267 |
| SHA1 | 77a2b3a3b88f7c539625936fc9b762165c3f6ba8 |
| SHA256 | 82a57e3731ac510133074cff92bee3b92c33cea3be660ef485593aa4e7408a61 |
| SHA512 | 57e07349dae3b93e9c2b8cd087561db7afde03d175fbc2c556865977fe69c3863115c0a7e4bb541b678fd63d3fb64406252729987bd48a1bde3af4128999f450 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 6db9e2efc14c5447008cb3d5bd82ce3a |
| SHA1 | a9a873c9ca2aec4a68c479aa8164fb71f9fdd862 |
| SHA256 | 3a390df381e49500ac5f14c52aa833ccbf060135f237cf9ee7363e6900ca40de |
| SHA512 | c005f53525234fd53557efd31b5bfe167c68699166765fe7a754ad2a5c4e9d0596b649976e50080b70d034a8eb2b7a55c7d8013a1aaa2864914f4ddcb57cb58b |
memory/2312-246-0x0000000000400000-0x0000000000414000-memory.dmp
memory/768-247-0x0000000002970000-0x0000000002D72000-memory.dmp
memory/768-248-0x0000000002D80000-0x000000000366B000-memory.dmp
memory/768-249-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3088-250-0x0000000000850000-0x0000000000859000-memory.dmp
memory/4712-251-0x0000000000B30000-0x0000000000B31000-memory.dmp
memory/3088-252-0x00000000009E0000-0x0000000000AE0000-memory.dmp
memory/116-256-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1912-254-0x0000000000610000-0x0000000000611000-memory.dmp
memory/116-253-0x0000000000400000-0x0000000000409000-memory.dmp
memory/116-257-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 9380749dd41d8f0f831b3f1121d17572 |
| SHA1 | d14f9551bf90de41373042116eb121ca5929a57e |
| SHA256 | 9291e0820ef73ccb6d6b36a5e4685a5c84e4e62710f53d3ffdfe97b5fba684b7 |
| SHA512 | 48de795eb64279361b3005ee0cdd25112c2aaaede8033a4373d65e6d272a23ec248bcb2eb8398939ee5bfdfcaca0627307e4a797d43cc7f2782ea75394aef466 |
memory/968-258-0x0000000005010000-0x0000000005046000-memory.dmp
memory/3332-260-0x0000000074B60000-0x0000000075310000-memory.dmp
memory/968-259-0x00000000056E0000-0x0000000005D08000-memory.dmp
memory/968-261-0x0000000074B60000-0x0000000075310000-memory.dmp
memory/968-263-0x00000000050A0000-0x00000000050B0000-memory.dmp
memory/968-262-0x00000000050A0000-0x00000000050B0000-memory.dmp
memory/968-264-0x0000000005610000-0x0000000005632000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1kq1ua0.too.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 79d91353447f7d43583bf0275a512792 |
| SHA1 | f26bdaca906cc1a8f5048abaa733d499e49cdda9 |
| SHA256 | f70ac8c3a8b3085cb46e8d5b58f5db992f333d382fc80a86deaba8c033ff507f |
| SHA512 | db307e8b8617368326c778389c614fcfc45212aa6003b7d224dcd97365b94d5e75bad5ff7994587ef38f6f6d52482f83a088cfe07e6b4ebeee0a84a9f3c17201 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 536d87c86d902aae4694ba6bb8057b0b |
| SHA1 | 0ecdb10d36c5a2ea118efe7d56c6843967fa14e8 |
| SHA256 | adf60ac6767fd07bfda24d541c2550dbe93d938f3c15fbda7f7fa7f564ccf51f |
| SHA512 | bed8f1bc76f42db4780b0ac456eb7623656e7ccffecfabbceac0f94937eacb5c5aaeac4b7961a37f46e6b8198ae0a341b12d596e3b5866c5060b82c6c98178fe |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | bac6637ada6f7def8263b9e7fcdeeb95 |
| SHA1 | 62f520f274d6de9741f4ce7cbf8a67eec7592372 |
| SHA256 | b6cd9b2d5ae327a818edb05919fb64e6ef6b17b82837dd3f8bf92bc090a4c313 |
| SHA512 | d7c1a52456d5edc6b4c59217f4732dfaae008b0d02c6bc0924c3f23e04accb146296635754048a462a1cf289311b1c9e19e3dccf50c21e7f3ee072465a497b24 |
C:\Windows\rss\csrss.exe
| MD5 | 6687be7a2fa4234b8a8dfaba4bb94822 |
| SHA1 | f242e0708a4d8e5558acffa89efc12f9cd51070a |
| SHA256 | e4f6c27a9587e0f476814a22fae0fca51362c6d25422e0a03d2f09f3ead7b114 |
| SHA512 | 1c0eb066c8a371fb5a16dba59786f8939ed3eac8948c01c7e32d8351df7567c5cd31df197b6dab48c157349de6c4adfe2125593801cccdec6a1c1f74aea156dd |
C:\Windows\rss\csrss.exe
| MD5 | f138c3ce20c5f41dc2ebc3530f095d97 |
| SHA1 | c6b8c623877694c015ccd1f8b9f585c29e5379c8 |
| SHA256 | f19b5b82139be23128a36185649760d98ad509a8f1b588c4fdcdc3cffbf2c1b2 |
| SHA512 | 1b4a343ea53337510d6eddf15e737cf6d40d39a24b338991096db69c736d649fd0e13b47bf51896dd730915a0b4daf49c40e9dda9161a902a1e6d264530d21c3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | fdc591e1449459e405bdf8e508409e7a |
| SHA1 | f425d145067db155bd5a8bef1d79d885c8b39714 |
| SHA256 | 7a85ec9be3af7ef7e9a32b6d6d15d431e9211ea16e88c246cc1e6d215d55eac5 |
| SHA512 | 44dc1627b145a8a74788329d423384f0056b4fbdb78490633285c95f43b84eee66897a11b16928d414c55f7e6d2e0abdcb4c9ad75bda0a9b53b990fb42fe397a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 9d09fc72b4b5beca52593b38171b17e5 |
| SHA1 | 786ca35bd58ee22c8ea843141a1601bc09cf303d |
| SHA256 | fb22414d0f6ae6b39b172f1c257db4f6e535443841d231945f90b3e5670b11b8 |
| SHA512 | a53663e6f0797baf8f10b7ddc5418304f07e96bbbd4e5e237cf86e4c8bea8a01e2b6f55fe35fbc816b0afab8b1ca421cb0310830d2e1926f457950bd6f34fb93 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 511de048744300ffca50086f34876911 |
| SHA1 | 5855ee21b5f1bbce440252ed4c5c353841ecbcde |
| SHA256 | 4675c181bc379d8716b63eb78564f0d8b0ea049d2a4fcb821b448e4042a526ab |
| SHA512 | 10e297ca6771a983381e125477b18ca278960d34b15ee03a2a0a19a16ca66638a525600e94b744a06dedc51dac7b6c612258343692dcd88f0685837cc6048cd5 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 392316748996c39b597d1aafefc5a267 |
| SHA1 | ac1ee4e8d37a5c9e2572ade87aea772e77c6233a |
| SHA256 | a0afee698813e75d99c551cb08603753a9cd951fca8590e099a09af9d8ae3b0b |
| SHA512 | f401e8f5d504b26b9f1b65fca5e46c59f8c020b17c4ea95d989c183ab9fe86444808804bb75f94b676c5ea979dfdef050ffde38a3bc83add4188d726acc866ca |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 73abe04f6d6c5f45aac88912695eca04 |
| SHA1 | 8e95811e13a5a2ad2210e7113bacffbf9107ee58 |
| SHA256 | 01587b9fdb8cd0036c0d402e78df3870ed9c80ee42313846673e9dba3be53cf6 |
| SHA512 | 15af7ea879933473105297e853180dd0885f584403dec00b70c454adc5eeeb3071fcfe075d7c8ac6bdce56490d6a66deae5a505312eff606522405739b2537e0 |
C:\Windows\windefender.exe
| MD5 | 764d564e6a2939edcd488b08e64d21a6 |
| SHA1 | 86c133e2e777d3f6d1debaa16561a74483e5f481 |
| SHA256 | a1301d970b4a4062190c6f473b46b5f70d8cc034aea91da0d099a1c6d9cc8cda |
| SHA512 | 328585c6d4954264597fc6b5b448cdbae40daa28d22efe0b7519d24893eadf85e3c29753a059c7a2be4831741534f13eb7518856326cf9b1a762cfd0820c53fc |
C:\Windows\windefender.exe
| MD5 | 20ca3ce63e4480010e83f471f9cfe051 |
| SHA1 | 80650ed1253bfb74b5a5e0a7b6cbcdafb15e9504 |
| SHA256 | f432ab5182cf1ba7e3bb118ae0a023eb7fe43dd9164258c9d1bd628a4f60c99e |
| SHA512 | d152b7e69cc248f179cdd55d090cda120b4c08b559fcfc683bb7019cca36da4aa450246080f74ee4ffe9aed31cb90613bb28262ca5fc6ec7e3495919f9574a7e |
C:\Windows\windefender.exe
| MD5 | d0cdb1635765dd73baa02238f037c118 |
| SHA1 | 91b7c804025805e17544c03d578dbb2a54aa3fab |
| SHA256 | b19d6d0908b21c759f341d11b3f2d0f770db66683246a0a2edbb8ff7815ccded |
| SHA512 | 40df98b0d5d86a24f05a50fb7e4b5a4a35bcf29cd735935059c14fd9ea307322b6f93901cedc07f8225e0762353c72903d804f3d059be2bec99e835bc3aa7ed8 |
C:\Users\Admin\AppData\Local\Temp\F192.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\E63.exe
| MD5 | e95bb6836f66491c243adc56f70435d9 |
| SHA1 | 3440f0759e967f576006c9db86fbdf61ad6f8ed1 |
| SHA256 | 1beb16fb81436290008041e9090018e2215550d050c46fd4273f4b5338de1211 |
| SHA512 | 70495e02fca292dcd1fd5847c25961c384590a687df009db14d7f1b0591e1d933faa7dc3546a810023d59b0a7eb97ccbacb6d6d6c19b45454423a1498cb08c3c |
C:\Users\Admin\AppData\Local\Temp\E63.exe
| MD5 | 2e7b947e83d54e09ded7768f437ebd69 |
| SHA1 | 04c89a5f39841ac90a7c6aef268ca13fa646a7ec |
| SHA256 | b061680016f0aebf823828995838d77618dab0cf46fcf80fd34520a6f0e2bbaf |
| SHA512 | 13c00f21d33deb07b10f73b20afe1b3fd1848fb615c5c069bf2660a861165d5099fd5b6da213cd0f0d5104781efc337e79259b43fad55968a270fb8c902ee464 |
C:\Users\Admin\AppData\Local\Temp\1D29.exe
| MD5 | d074429526d0cea8175c328dfd7dfb6e |
| SHA1 | 0e5125abfdfda7f2f63547e2779535252d55d560 |
| SHA256 | 73bb85b2eb1c6324fca7c53663e5cff3baa62f10aab20ba8f188fa3b03c820bb |
| SHA512 | 568315c4816ade03b7c2fb675f0a49ab33622e8870bbe8bc74a8ffa213705c65808a004be7c50ced54afdadf3cf50e968afde399c77cb06d386414e64dc2decd |
C:\Users\Admin\AppData\Local\Temp\1D29.exe
| MD5 | 31437c1d673773e143f51355a2b1640a |
| SHA1 | 8d99a5d4a9aafc3e2a349ca661add885f3339653 |
| SHA256 | 511c583a578f60d99c6ac29d379baa8c7c76dd31c1c3443d527554ca67863c8c |
| SHA512 | 37a8bf70178fba5082962e627ae0b3bb4dac5817676ea0333cd9dcd21da383288406d8b844c989f9c165b4a97f2ba13a2d7fa42d0c6d5e79b4aa00207b31c962 |
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | e7e93c800f74b84706a6cf60844e8e03 |
| SHA1 | 24fa13318c0393f37d632e41cf7eebf4ed1cf826 |
| SHA256 | 80e2132f3e5b995b1128cb69991f0f02f01fb5b9323cf9b275b3b71b98805b46 |
| SHA512 | bbc9367dba2618c5ffb4f20a301d4637e9326d42786472eb034b71a12be83635c70f8d4779ff454aa5c91ae63fd191ef90f17d60bb98bba358530bc287faa6b6 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b42c70c1dbf0d1d477ec86902db9e986 |
| SHA1 | 1d1c0a670748b3d10bee8272e5d67a4fabefd31f |
| SHA256 | 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a |
| SHA512 | 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | bdb25c22d14ec917e30faf353826c5de |
| SHA1 | 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190 |
| SHA256 | e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495 |
| SHA512 | b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 00930b40cba79465b7a38ed0449d1449 |
| SHA1 | 4b25a89ee28b20ba162f23772ddaf017669092a5 |
| SHA256 | eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01 |
| SHA512 | cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 1c6c5c49d2bbb6f245f22b9e2c9bb9b0 |
| SHA1 | 152e7e42f07bf0853c32239ef4867a4a3ff17ec7 |
| SHA256 | 4b3805db265a263e62c82af3f283485fe92ffc67223a49b76900f98d0e94d702 |
| SHA512 | 1c6c7bd3f1111e4e84c62bafbf9d377397b6e6bbd5a874c1431516d880dd2f89b862f49721c74b7aeebaead9db6ce86a8bf5dbf02d15cbabc902bcfbac3ff273 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 09:20
Reported
2023-12-11 09:23
Platform
win7-20231023-en
Max time kernel
70s
Max time network
151s
Command Line
Signatures
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C31.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B424.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B962.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1220 wrote to memory of 2080 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C31.exe |
| PID 1220 wrote to memory of 2080 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C31.exe |
| PID 1220 wrote to memory of 2080 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C31.exe |
| PID 1220 wrote to memory of 2080 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C31.exe |
| PID 1220 wrote to memory of 2532 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B424.exe |
| PID 1220 wrote to memory of 2532 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B424.exe |
| PID 1220 wrote to memory of 2532 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B424.exe |
| PID 1220 wrote to memory of 2532 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B424.exe |
| PID 1220 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B962.exe |
| PID 1220 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B962.exe |
| PID 1220 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B962.exe |
| PID 1220 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B962.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe
"C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe"
C:\Users\Admin\AppData\Local\Temp\C31.exe
C:\Users\Admin\AppData\Local\Temp\C31.exe
C:\Users\Admin\AppData\Local\Temp\B424.exe
C:\Users\Admin\AppData\Local\Temp\B424.exe
C:\Users\Admin\AppData\Local\Temp\B962.exe
C:\Users\Admin\AppData\Local\Temp\B962.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-3EGTU.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3EGTU.tmp\tuc3.tmp" /SL5="$B0016,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211092208.log C:\Windows\Logs\CBS\CbsPersist_20231211092208.cab
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\4379.exe
C:\Users\Admin\AppData\Local\Temp\4379.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\taskeng.exe
taskeng.exe {C0F010CB-BB92-4761-8B10-3FC9D7772C85} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\ACB7.exe
C:\Users\Admin\AppData\Local\Temp\ACB7.exe
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| MD | 176.123.7.190:32927 | | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 77.105.132.87:6731 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\C31.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
C:\Users\Admin\AppData\Local\Temp\B424.exe
| MD5 | c94b24f6518a3f4284e7123b0086af8e |
| SHA1 | 5b1260b8ee49750d16ea0313af7165f5f1f9b4a2 |
| SHA256 | 701195cafc919bccf2c06b20e3f74c3f5419b15556905f31daa92dd3d841915a |
| SHA512 | ff6dee6aa4777a1356b87af187ac50d6f56836248c7732f6b813e483f97655fcccd04e4da5e2a9ddd5308453eee2975410e4b5cc1702808caf26133ff27181be |
C:\Users\Admin\AppData\Local\Temp\B424.exe
| MD5 | 9082c31e554840c3795c2afc093a873c |
| SHA1 | a654430ddc1a55d0d357647f0690e502c7febb1c |
| SHA256 | a380fd5028c4adb5a9149b6f71c35632060c96e3bbb9b3a05946e0067e5b037b |
| SHA512 | d5d0ac48b922970a18f80708404ab8c87a4b9b94dabc0b45aca19c4b0eef5e116d031856640d0de981833c2c018a31074f2a8755b58d01b1c23f867b1e9ae796 |
C:\Users\Admin\AppData\Local\Temp\B962.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | f56c473b355a63144812937b3efff4c4 |
| SHA1 | c7037c6aafb5b9be457faee4d0b629ac1a9edcb3 |
| SHA256 | 7734c5cedf78d64944ac55f8dddbc40440184202c94edabb5cb4c058db53fabb |
| SHA512 | 49efc1311a88245ffb3496f265428bdad03ce7429e52af218cfbcb3dbd7d37fa018f6ab79a8008b3c305a2cbeef0172409b97d5db2789ab3b1f16796367e6956 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 77471d919a5e2151fb49f37c315af514 |
| SHA1 | 0687047ed80aa348bdc1657731f21181995b654c |
| SHA256 | 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1 |
| SHA512 | 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 4a9e40fa8264d6e63bf044600ae92ec1 |
| SHA1 | 917d952821b9c1ae38205a036ee4540afdf48f8a |
| SHA256 | 611487839bfadd009afa344945503a08ea240b2b966b924ab6c0cc160995798d |
| SHA512 | 1a1a1eb60e1710e6ad89bc3c4e7d87d032a463f905d03ff7f1a8bfc18ed81cb96951fe315659526b2ce40a55d05de3601c19643a17b915c1bb4efed43aaeea20 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 6200a658245d0bf4fab336e6018a8fef |
| SHA1 | c4bd77e3561eeda70eb68432fa0b146e8777a648 |
| SHA256 | 7ab8cb78dd3a44504e05aacb1daec6771793c4072c4a1e2bdb959799f8e96b66 |
| SHA512 | 496dcb042306af0c59134a4f4b2def798926869f537c6c650d67efc3e803804b88a0d07005fbf8714e7d8fb7dc145419c9da42c6f02d9ac57d41a7353325b5d9 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5ac65af3e0f66483939df609c943687b |
| SHA1 | 78c3ecf5ba7e83af38c9757106c7e6f707ff3d06 |
| SHA256 | 91e915c23f1af380e877a0ccd735aabd48291c2db113665d690134749b80c351 |
| SHA512 | afc52e4ef3fc76258372f0d5ec7cbce31c8b238c62f8007217ba34f327e1a122da6f5715d5f6e3159f8673470a7f1dda4ddccb844f655377eada578801bfa6ab |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 98eff24d7fa8551dd0b43091ba9e863d |
| SHA1 | e8443f8d734e425c6251c69518552f0bcd1c22a9 |
| SHA256 | 524316c79ec405709dfe99e82100dcb3758960fc250796c2cd2b26eaddbd5451 |
| SHA512 | 6ec7635c29e8d74539930f055fa7e0a677b93acb622ec49f5059d5331ce22a8767ec5bf4ba673e770f2a3be346cabc974c232e64ba81f4b263b9315be1519ec4 |
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | ec84319ca2e52e8ddc444fdbcb1e4666 |
| SHA1 | fe7d89bae5c7c5bd8563b9dc4da9a52da2f4549c |
| SHA256 | 7b48e22bf0054e327336eeb35ea7dea0ece5db17ae5a3ed7e416f0e4db09ab4b |
| SHA512 | 22a1f636bd2cf22cdd807aa022088b7f84dca12b2b906cfc703db4438bf58eaaeea5bbb87f0e37ad578281bcc0f19812443303b2540eeaa7e43680921a787a54 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 0b603f86939ba69bf133915c6871d0e6 |
| SHA1 | 8998a419786e1d3722835962cdc0f0d942909a24 |
| SHA256 | 6d0caf948329a7fb4628073c51188ab5877a942fdded1b63706855653c795d48 |
| SHA512 | d139849db2417729e1ca0ff4c91520b41513da366258f44077dd57ccc16bdaf38b79f937668740bfeeb766e715ea7bcfbd386ff8f8930768c9445ea6cab12089 |
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | f673b327203f45d0c12815e59a175ced |
| SHA1 | 105c6133f8d4d05dd44ccbf2214210b2eb45be95 |
| SHA256 | 70b4a85c674d6b17bfd114b2b97adafcb07ba97586b62d59bde8ad179d3d9be8 |
| SHA512 | de74814594a5405603ff38b3377ae84d1bf3c2bd7d737fa0160c6e4f45e27058de75115fba468ca0f3f7ab01ffa66689d193af29c451d3684bfbf925f62510e9 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 555f59366510e35bd7191edededd052b |
| SHA1 | 4507fc4a52a76efcfd8afb28f6c95023fd953bcd |
| SHA256 | d70008131c459e2d73aa0c2894005e12c8c33fb0417df61b9c4ce424cdbb93e4 |
| SHA512 | 98c85e611ea1edfcf83d8622ab5af02f05968a9a377635050af5f4f435313515510f7c72ca85ba51123dc139e929375709f085af97879bdc9a11755b49551bc4 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 315283edfb9669f4e36189fe591a9741 |
| SHA1 | 8b428b50643a688e73eaea880e3fba39c2addca9 |
| SHA256 | 31643fc0c9205763f3a8afc73ebbf7b3a47d613cd74d0d6f1fc3857429427f19 |
| SHA512 | 50bfc177cc511e3efa893b6e57d979b539dadb31af4e9cbca7059f40d3a981a7b3d4d8227b9e004c73c97fbe2f08e54a7af2efc336485e5e6eb51eb79eeca247 |
\Users\Admin\AppData\Local\Temp\is-3EGTU.tmp\tuc3.tmp
| MD5 | 5525670a9e72d77b368a9aa4b8c814c1 |
| SHA1 | 3fdad952ea00175f3a6e549b5dca4f568e394612 |
| SHA256 | 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978 |
| SHA512 | 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a |
\Users\Admin\AppData\Local\Temp\is-1U35R.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-1U35R.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-1U35R.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 98c988e77ef14ba858e40be58ded5b04 |
| SHA1 | c66a760f7662c95fb449b247c9fad43edb85a7e3 |
| SHA256 | 737d88407dfd3b56fe8e8e018ff963d66ce4641b527c796599e44c3575d5fea2 |
| SHA512 | f302f0c7522e67cfb24322520df8032d3e0147a1e930510123c5ff41b82d46cbb5ee464c2c4ed61b72f4159c4690b1f3a77c6e9234de514ee71e41d4cf4525f0 |
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/2532-125-0x0000000073F10000-0x00000000745FE000-memory.dmp
memory/944-126-0x0000000002730000-0x0000000002B28000-memory.dmp
memory/944-127-0x0000000002730000-0x0000000002B28000-memory.dmp
memory/2560-128-0x0000000073F10000-0x00000000745FE000-memory.dmp
memory/944-129-0x0000000002B30000-0x000000000341B000-memory.dmp
memory/2560-130-0x00000000071F0000-0x0000000007230000-memory.dmp
memory/944-131-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | e7695b7404683e52db6fe2e5c645ca43 |
| SHA1 | f3075bb0fb6e7ca4d195062ee779250b0d2926e7 |
| SHA256 | 1d8d40f0548bf6a00d849798a4d6ef7734ac31f43eae2942bc14a292470f7d82 |
| SHA512 | 4efea23dde463f7b9367535ac71b966a89d7a713430dabef15bc077396ace6c201e8cddfbd18cc82d96ca6f7f2ae85c73a387f283026f4fd2081651add2e7c33 |
memory/1220-134-0x0000000002B60000-0x0000000002B76000-memory.dmp
memory/944-133-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1332-135-0x0000000000400000-0x0000000000965000-memory.dmp
memory/1968-136-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2756-137-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/268-138-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2060-139-0x000000013FFB0000-0x0000000140551000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | abb5a57c59b4f6a3d8b4f0cac0b43b8c |
| SHA1 | 3ae95d220b37aa73cae850952417586222c2dda2 |
| SHA256 | e06d2a34e0221ecc2d1d4052a6513cb7be5fef90b7f22947e0ddcc40e6cfe7ca |
| SHA512 | 0b4ce0bc6ddf53faa9971ac7ab938771b5c7308541b87b4b7e4c7baf2d0508b0565d0771c329c74ac8971213f5ea63c7f31100ea54e0bb1e3e6e834856ce5abe |
memory/944-141-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/944-142-0x0000000002B30000-0x000000000341B000-memory.dmp
memory/944-143-0x0000000002730000-0x0000000002B28000-memory.dmp
memory/1332-146-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2952-149-0x00000000025B0000-0x00000000029A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4379.exe
| MD5 | 37a9cca03d6d8aae8fe676aea4297e47 |
| SHA1 | d082a9bfa4e3f5f8af6cd810b12500aa9310a246 |
| SHA256 | 628ff3a1bb708fd04d69da7857b743233672695725a93aaf6f1301459bd32035 |
| SHA512 | d98e6fd2d3db0ccc85aabf6c6b70a3dbbf4a8b66bf4a8060d0d1c234c7e1582827c6462c766e697ab92168276584a288f9907590e9b52747bea0d0d7257b8f83 |
C:\Users\Admin\AppData\Local\Temp\4379.exe
| MD5 | acd4e9d2d0fbb96258d6567cf0c12316 |
| SHA1 | 264f55756ff65419628398a3679a8c3dd588d926 |
| SHA256 | 68cda7a9788d1e38965b6fecdcc6a852e90acb531b45eb8aa15f11c61aea4fd9 |
| SHA512 | e3cbff560b263351877a42f3d2e1e445dafb5d61cb1daa774259f0a7f68e1284226efb5c4a0024ee6ca6b34a30ca808b08facabeceb693013565cba1fc8d010c |
memory/1304-157-0x00000000003F0000-0x00000000009A2000-memory.dmp
memory/2756-159-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1304-160-0x0000000073F10000-0x00000000745FE000-memory.dmp
memory/1304-161-0x0000000005270000-0x00000000052B0000-memory.dmp
memory/2952-165-0x00000000025B0000-0x00000000029A8000-memory.dmp
memory/2952-166-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2592-182-0x000000001B170000-0x000000001B452000-memory.dmp
memory/2592-183-0x0000000002450000-0x0000000002458000-memory.dmp
memory/2592-184-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp
memory/2592-185-0x00000000026A0000-0x0000000002720000-memory.dmp
memory/2592-186-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp
memory/2592-187-0x00000000026A0000-0x0000000002720000-memory.dmp
memory/2592-188-0x00000000026A0000-0x0000000002720000-memory.dmp
memory/2592-189-0x00000000026A0000-0x0000000002720000-memory.dmp
memory/2952-190-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2592-191-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 45a2067cbf4567e288d07019eb7a68cd |
| SHA1 | 5fefc731d044d6247050f76db9ac383c269f7794 |
| SHA256 | 65b53059a7831dc2b6cd29a953868361b3b37af0b258a64ec1cc605806e2d007 |
| SHA512 | 2259f13c74d96f13d2160c581dd97d7cb57fb8f9cc51b87bdbff4f2c755f218fab0f94ad67b8ace0bc93da43fd4656ca5b986a7285027d2b7f818516f862a35a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AJIFV1B30XNNZQ6MKOG8.temp
| MD5 | 822597e8d9d3e1702f58d8b759ebb98e |
| SHA1 | aee89a768cf79e544e9313d63b8bfaa70c8fbafb |
| SHA256 | 01da5f43fad9a532f576f8baf2b2a77057db2638dadec03b10321f43a3fc4670 |
| SHA512 | e978b06fc674de11a0c6ae8c30ea57798208e750c3488bc2b3383e746bd369702ed0b6933412123eb7e206c136888faefbbe6d3619fde97dc969be12617fc402 |
memory/1876-202-0x0000000001F50000-0x0000000001F58000-memory.dmp
memory/1876-201-0x000000001B160000-0x000000001B442000-memory.dmp
memory/1876-203-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp
memory/1876-204-0x00000000023E0000-0x0000000002460000-memory.dmp
memory/1876-205-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp
memory/1876-206-0x00000000023E0000-0x0000000002460000-memory.dmp
memory/1876-207-0x00000000023E0000-0x0000000002460000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 9890563f729fd6204fe444239ef96712 |
| SHA1 | 1e326dce79e8fbd7b3fbb58c42ee8cbd0f19b01c |
| SHA256 | 2cf2533ea3dc8865b0de7abb4e8e44feb0d3eb5964eed911adad73924331d4a5 |
| SHA512 | 54e3dd8913a6cbe1545476a861308505f05e75b5b0b9051ffeb04ac952378564a6385419db3f86d6a5130d292aab8ae9614fe253bd78db20402bb8ef12535e67 |
memory/1304-210-0x00000000054B0000-0x0000000005642000-memory.dmp
memory/2952-218-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | be7a91954af6ada6a01c772ed847bf34 |
| SHA1 | a63ff4ee47dd98cb1a8421829fecdbfaebc05cfd |
| SHA256 | 870521d8d909645904244a2c6b1716569e633156fe30868c5590041dde4e63a5 |
| SHA512 | 1d2f3c88a71183531b1c4c319832f54f9070fe1b64bdb35e3ab3dc26fd45cc11ec16ab4f5a4b7b492cfdc8d46258f5c916fc12ce393edf789a42b377f4f4418d |
memory/1876-219-0x00000000023E0000-0x0000000002460000-memory.dmp
memory/1876-220-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | f36c6dc3ceca249d70b66af7b97492b3 |
| SHA1 | 0a798a00dd9ab4716535116987acc22b7fe3f933 |
| SHA256 | 9de3209114a3274f94cc8fc05bdb4cd361908ffcd8b769e91e827fcbecce4c6d |
| SHA512 | 08e99b720f9e499c7ef018e17f921932a90d16e416df3b1d680121b7866efd4c2693b00fdaeacaf85cac927a1e13beeaf9546e92e9f64e08478aacd80ae3a97f |
memory/2060-223-0x000000013FFB0000-0x0000000140551000-memory.dmp
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/1304-228-0x0000000002320000-0x0000000002330000-memory.dmp
memory/1304-229-0x0000000073F10000-0x00000000745FE000-memory.dmp
memory/1304-230-0x0000000005270000-0x00000000052B0000-memory.dmp
memory/1304-231-0x0000000005270000-0x00000000052B0000-memory.dmp
memory/1304-232-0x0000000005270000-0x00000000052B0000-memory.dmp
memory/1304-233-0x0000000005270000-0x00000000052B0000-memory.dmp
memory/1304-234-0x0000000005270000-0x00000000052B0000-memory.dmp
memory/1304-236-0x0000000005270000-0x00000000052B0000-memory.dmp
memory/1304-237-0x0000000005270000-0x00000000052B0000-memory.dmp
memory/1304-238-0x0000000005270000-0x00000000052B0000-memory.dmp
memory/1304-240-0x0000000005A70000-0x0000000005B70000-memory.dmp
memory/1304-241-0x0000000005270000-0x00000000052B0000-memory.dmp
memory/1964-243-0x00000000025B0000-0x00000000029A8000-memory.dmp
memory/1964-246-0x0000000000400000-0x0000000000D1C000-memory.dmp