Malware Analysis Report

2025-03-15 05:13

Sample ID 231211-lfxtbabagn
Target 0x00070000000146ff-113.dat
SHA256 fd3b5cae25f6e183b1d917bd9074662c7526ead9c307279d25cd979cd8805cb0
Tags
smokeloader djvu redline @oleh_ps livetraffic up3 backdoor discovery evasion infostealer ransomware themida trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd3b5cae25f6e183b1d917bd9074662c7526ead9c307279d25cd979cd8805cb0

Threat Level: Known bad

The file 0x00070000000146ff-113.dat was found to be: Known bad.

Malicious Activity Summary

smokeloader djvu redline @oleh_ps livetraffic up3 backdoor discovery evasion infostealer ransomware themida trojan upx

SmokeLoader

Detected Djvu ransomware

Smokeloader family

RedLine

Djvu Ransomware

RedLine payload

Stops running service(s)

Downloads MZ/PE file

Modifies Windows Firewall

Deletes itself

Modifies file permissions

Executes dropped EXE

Themida packer

UPX packed file

Launches sc.exe

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Runs net.exe

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 09:29

Signatures

Smokeloader family

smokeloader

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 09:29

Reported

2023-12-11 09:31

Platform

win7-20231020-en

Max time kernel

72s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ADDC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bcwgshd N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6C8A.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\bcwgshd N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\bcwgshd N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\bcwgshd N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bcwgshd N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\Temp\ADDC.exe
PID 1260 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\Temp\ADDC.exe
PID 1260 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\Temp\ADDC.exe
PID 1260 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\Temp\ADDC.exe
PID 2644 wrote to memory of 2628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\bcwgshd
PID 2644 wrote to memory of 2628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\bcwgshd
PID 2644 wrote to memory of 2628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\bcwgshd
PID 2644 wrote to memory of 2628 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\bcwgshd
PID 1260 wrote to memory of 3048 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C8A.exe
PID 1260 wrote to memory of 3048 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C8A.exe
PID 1260 wrote to memory of 3048 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C8A.exe
PID 1260 wrote to memory of 3048 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C8A.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe

"C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe"

C:\Users\Admin\AppData\Local\Temp\ADDC.exe

C:\Users\Admin\AppData\Local\Temp\ADDC.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {C8D50174-46F3-4A48-8CEA-8219E7CBB7BB} S-1-5-21-2952504676-3105837840-1406404655-1000:URUOZWGF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\bcwgshd

C:\Users\Admin\AppData\Roaming\bcwgshd

C:\Users\Admin\AppData\Local\Temp\6C8A.exe

C:\Users\Admin\AppData\Local\Temp\6C8A.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\717A.exe

C:\Users\Admin\AppData\Local\Temp\717A.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-R450N.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-R450N.tmp\tuc3.tmp" /SL5="$40162,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211093031.log C:\Windows\Logs\CBS\CbsPersist_20231211093031.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\E18C.bat" "

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\E3ED.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\taskeng.exe

taskeng.exe {19B17FB7-F959-4DA8-B20C-682BB9E83049} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\247.exe

C:\Users\Admin\AppData\Local\Temp\247.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\27E1.exe

C:\Users\Admin\AppData\Local\Temp\27E1.exe

C:\Users\Admin\AppData\Local\Temp\304B.exe

C:\Users\Admin\AppData\Local\Temp\304B.exe

C:\Users\Admin\AppData\Local\Temp\304B.exe

C:\Users\Admin\AppData\Local\Temp\304B.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\12c682ee-73e7-43f6-9821-662c34806eb2" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\304B.exe

"C:\Users\Admin\AppData\Local\Temp\304B.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\304B.exe

"C:\Users\Admin\AppData\Local\Temp\304B.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\65DD.exe

C:\Users\Admin\AppData\Local\Temp\65DD.exe

Network

Files


memory/2172-219-0x00000000741D0000-0x00000000748BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC535.tmp

MD5 68bb904702f1b8722377e62fd541d9cd
SHA1 6297c71b832c74d4e3a4ff0855082c5c20c7fa46
SHA256 bf5cf3e0918c906c0713dba835d89f2ab1fa362212f8b9fa6ae877e29ae2a78c
SHA512 9b81f062d1380a946e326061f133ab66759ba20fc969e4d2d27333165848a049893cf80de1996511fd7c66bb982d04724929f38713424618dda1fea96000f58d

memory/872-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarC77D.tmp

MD5 1e4e42b27b3ba902ab5f160f8947aa28
SHA1 158c0252a0497bcc20b6220d9f72739830008eba
SHA256 49de5a4e12fa979dadba123ea9115d0a3dfd435d4b24463fa7d6bf5f9acafb67
SHA512 354d3cdff448405ce3bde36bf12218b78c19a129e4c8de73bf3e8e5311bc1a28d80f723c60fbc287793bd421809048687cc3af28b1f6715d9c47d112115490e2

C:\Users\Admin\AppData\Local\Temp\E18C.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/872-289-0x0000000002600000-0x00000000029F8000-memory.dmp

memory/872-293-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/872-294-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2364-299-0x000000001B140000-0x000000001B422000-memory.dmp

memory/2364-300-0x0000000002000000-0x0000000002008000-memory.dmp

memory/2364-301-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp

memory/2364-302-0x0000000002480000-0x0000000002500000-memory.dmp

memory/2364-303-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp

memory/2364-305-0x0000000002480000-0x0000000002500000-memory.dmp

memory/2364-306-0x0000000002480000-0x0000000002500000-memory.dmp

memory/2364-304-0x0000000002480000-0x0000000002500000-memory.dmp

memory/2364-307-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\63F97Z8AH51LIUYDG2GB.temp

MD5 8f40afafa8e279d51438712cad8d1ade
SHA1 db1ee39e7c6ce064d3dc70ff7ad3eab2f10c2c1b
SHA256 ca49210571ccb5805b4716be00779732c3d5a75c98e1d3fb5b2facd726aaf6d5
SHA512 4217ec32b8397bbda338cc36469f2f5020926b4ca4dacade37d2704435e5437efc01dfd0895fa52da4d22aa81a61737f2fcdf70fda8ba3d7b12f501f2f8ba60b

memory/2116-315-0x00000000026B0000-0x00000000026B8000-memory.dmp

memory/2116-314-0x000000001AFE0000-0x000000001B2C2000-memory.dmp

memory/2116-316-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

memory/2116-317-0x00000000021F0000-0x0000000002270000-memory.dmp

memory/2116-321-0x00000000021F4000-0x00000000021F7000-memory.dmp

memory/2116-320-0x00000000021F0000-0x0000000002270000-memory.dmp

memory/2116-322-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

memory/1936-325-0x000000013F920000-0x000000013FEC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\247.exe

MD5 8a52e9d08d77eba2cd1998f8d7e62174
SHA1 a3774602d5a8ba200e418af70360d2aa3050a5bf
SHA256 21ebdc0ca4dc59239f4ab6863e0b9b91d78a9ace1ec57dd763f6d3e7284537dc
SHA512 b40b748d28c6ee4b6cd9061cb6d598208b0683ca64008445465f82dae31941c44c81e5a36aac890eb9d357639d958ae82f8ca139d177fb6ffd655d571d9c1a80

memory/2000-330-0x0000000001340000-0x0000000001E0A000-memory.dmp

memory/2000-331-0x0000000076400000-0x0000000076510000-memory.dmp

memory/2000-332-0x0000000076400000-0x0000000076510000-memory.dmp

memory/2000-334-0x0000000076400000-0x0000000076510000-memory.dmp

memory/2000-335-0x0000000076400000-0x0000000076510000-memory.dmp

memory/2000-336-0x0000000076400000-0x0000000076510000-memory.dmp

memory/2000-337-0x0000000076400000-0x0000000076510000-memory.dmp

memory/2000-333-0x0000000076400000-0x0000000076510000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 956214e033b1a4236b14ae06af53d610
SHA1 04c68c247ac2ee9e88469bd4f9f56f24ba014dec
SHA256 4b1dd4dca895b730c696ac21dc01943654d4c5a8c920d8c8d29c1b28a89858d9
SHA512 3d67e22c4191ee186173bdf10b9f8db8b313251b5c55f18216019e56d24ebd5ffd252d5f7758f87191e31529955621d4ce48a80a75b9207f5a08c3e32a004d33

memory/2116-319-0x00000000021F0000-0x0000000002270000-memory.dmp

memory/2116-318-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 67df9905bd0353bc5d12e7ca26d0675b
SHA1 def4c1cd7222c01e9e1234fd39d99b36a0c8dfda
SHA256 0ce615331005ba772eeca988c8ceeaf496f321567ed27f693c6c8ed79e85712e
SHA512 cf98d4c707fc562517d15b957aeb453d762a92c3a56174e0e5a2a3d9c8e7a24b7dd1688d8d9c52ceb741b94dd3f9c09dda3bbeccdad1248fa829e1b29a391be7

C:\Program Files\Google\Chrome\updater.exe

MD5 93e7d320eedda6f56782c1d987830344
SHA1 3c731d0c70d8000de467369ded2a2d494a07ed40
SHA256 0e545970ba1e06eca9a4349514308b4513c5c7994367a7bf2242f7658ba5be18
SHA512 e30feb6c8a92528282ad123f08f075422ad07690f81efb8fe36c5d5d7475c42bea410f4615988ed7ad17be353cd0a74be0b25d0bf7839298cbb8b0af03920352

C:\Program Files\Google\Chrome\updater.exe

MD5 9b8fe2f443c647584a6209137f959269
SHA1 0943f46a9810bd0287c8e4ff03337a5cfeea25ef
SHA256 42c68a3e81af37d34d51580062efd1dde8a957d433c279084896959f80633e58
SHA512 d76c4daf5fb70c0da69e3a2b501b3c1af198c2930bcbbbaa1bb44803aaefd031deba85905ea596baa847e59a8ccd438c363fe58dc5be96ecb7d3fe4914e8ea3a

memory/872-367-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\27E1.exe

MD5 a232a434e17ff84f6051dd80c438e800
SHA1 fceb633655f6d6a3c7e9981b6c042dac9bccde41
SHA256 20e8d266cbeed21354ef942d17011c54314973b9e81f4260c721053c3b55acdb
SHA512 bbbd5a8910dcf67c6d8e589349f83ad1dc98292a8e21105c66cd2ef9408ead91e49bf8784ecf85b1023468b2ab93a4170908f3e6fc7df0058c99b81904d41f71

C:\Users\Admin\AppData\Local\Temp\27E1.exe

MD5 71ea672db9d86b923900c0f3b94c7821
SHA1 98462a0587c7149ca3cf3d2dbce0c6fd5bf731d6
SHA256 f0f02ab000122169320b06374a34308307cebaa95c8292f7ec81823045fd8349
SHA512 54cc7bad3d9129b102fb33d9f244b7286ccdcbdf77f877c8d01a8c06bcb76cacc9782352c054095525437e79a1cead522bc6bea6b0c4aaa4d154b9a0e6f187fc

C:\Users\Admin\AppData\Local\Temp\304B.exe

MD5 f084ad968bc44bb8e96cde8388093c63
SHA1 6c9658bb241fa52944a9701a94cba44eb11d61b7
SHA256 83cfaf08eaa416269d41271ce0b47808b9cc552df240055b5ef58a50b24ede42
SHA512 b71d57616e49409feee18c540213783dd20fbb99031800672a0520fc0023bfac941ebba4443d62b72eafb8246dc34ffbfb2144484c2b9b0689a018c98c2aaa83

C:\Users\Admin\AppData\Local\Temp\304B.exe

MD5 126a0ffd69efc5da1423d22a17608859
SHA1 c5ca5432dce9c0a6fb8fbea2bc4f6ed312a0e947
SHA256 a25352d06c0a58d508eccb21c4013daa8c67eeaa8ddfd2f4a0446ce09518e816
SHA512 cb24591ba9335f4da7e2de754f12ecf41463367a0734643136166b2f986d9b594b6722fef7b3eb51ed3d18580aa87f99eb18e4ffd52c0938027005ea30c4afaf

memory/1904-385-0x00000000020A0000-0x0000000002132000-memory.dmp

memory/2540-384-0x000000013F960000-0x000000013FF01000-memory.dmp

memory/2260-388-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\304B.exe

MD5 40ed442405732df986eecfc6f8efd233
SHA1 abaf6aa860a2475b1e8d7676f1b58d6b5ca43d46
SHA256 4bdcd81b49e9836d08f7a4d63d9909d75e993327fc8a15c1cd08bcf3e6d81554
SHA512 c550f310a12f62325d53f5ae4168d274f734d4d43580aeb928c72461cadd49018eac0beb91d41daf673f9c33c86ccb7ba29de89b1045bddb90c74a1ecfc23bed

memory/2260-392-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2260-396-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\304B.exe

MD5 2f62c16c8492a26b47971302b5a54d17
SHA1 ab49d6a7eb0554608f38334769efcfa3ca21acff
SHA256 5b7251846f2d7e64cf9fad4d4f2573936cd0edbaeecb72cfe21ab3f9f05d5422
SHA512 98280be6d7a952b7dde29e361b019b607c17ac8ed575e247143f748e77eff97156b4f73ace38d6b631c493c2676ddd5228657f4efaf2e82a51d3b130d07ce30b

\Users\Admin\AppData\Local\Temp\304B.exe

MD5 f6a5b803ab673b33de4fafc6b1bb7eff
SHA1 6e0e54a9c20164da67b24aca7bfc7ee35910efb0
SHA256 3c1a69928cf0c4c157c7af16d67fe607f1286544306c53a124b3436b8f7effde
SHA512 8a444ac7a0820cd37a240afda8d767d0240e6c88c76cb66fe005c221c7e37794a51e501f34f2f81700ac99dee4147f6bab28f6d86b201131e502b3978c2fc93f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 6978599ee5ce8a0ba68cf18bad088ec8
SHA1 4ce4f129211a49f472871e3f2feb9a10479333f9
SHA256 7450bedfa0cbc01d583c81fdcc63847332bc25d014fa176d2cdf9b578c08336c
SHA512 849d6ee708eccc42a2c77a97bf41a5e56aa44839fee3dbdd307187ea05267bd332d9dd76e883bacfbf3180046fa8d2ebf449e1361e24d6450e91772f52ca1ddd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35ac957f243b87ab40baff5076f1ed60
SHA1 ea1b5e685cbf7f33ee801d843919bc7918accfb7
SHA256 68855b71a6fab9725c8c79c6fe017ffed9353c44c22c679e8201094700bbc0c7
SHA512 b97fcbbdf477a03ac7b63e3c795a1c3961fa96c5874d5daeebc56588049aa3090d774a224afda36db45c920d1bd0780d0e988cf094c6c8c9c27bfea86352b425

C:\Users\Admin\AppData\Local\12c682ee-73e7-43f6-9821-662c34806eb2\304B.exe

MD5 7282b7e58cdfff787e4fad9c0318f6a3
SHA1 ee2b23d29115fd5992874aeda03d1c5625751076
SHA256 257f33f1b9a4cbebd5d41ba25dd252f46a15af986373f7cf12e778f54825353d
SHA512 0cdd4b8d6d288ba98c11ab72f7aaaf4c48f55776a45518f5828f0708cdad45ee87be746ebc056f5504605d927aecdf09181b354e85c06b78ce68fab8d22192a0

memory/2260-430-0x0000000000400000-0x0000000000537000-memory.dmp

memory/268-432-0x0000000000260000-0x00000000002F2000-memory.dmp

memory/872-438-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 09:29

Reported

2023-12-11 09:31

Platform

win10v2004-20231130-en

Max time kernel

115s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A066.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gigvugs N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\gigvugs N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\gigvugs N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\gigvugs N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gigvugs N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3244 wrote to memory of 3740 N/A N/A C:\Users\Admin\AppData\Local\Temp\A066.exe
PID 3244 wrote to memory of 3740 N/A N/A C:\Users\Admin\AppData\Local\Temp\A066.exe
PID 3244 wrote to memory of 3740 N/A N/A C:\Users\Admin\AppData\Local\Temp\A066.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe

"C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe"

C:\Users\Admin\AppData\Local\Temp\A066.exe

C:\Users\Admin\AppData\Local\Temp\A066.exe

C:\Users\Admin\AppData\Roaming\gigvugs

C:\Users\Admin\AppData\Roaming\gigvugs

C:\Users\Admin\AppData\Local\Temp\5550.exe

C:\Users\Admin\AppData\Local\Temp\5550.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-CA23O.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CA23O.tmp\tuc3.tmp" /SL5="$70206,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\5929.exe

C:\Users\Admin\AppData\Local\Temp\5929.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3656 -ip 3656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\E01D.exe

C:\Users\Admin\AppData\Local\Temp\E01D.exe

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F319.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F993.bat" "

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\B08.exe

C:\Users\Admin\AppData\Local\Temp\B08.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 96.16.110.41:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 93.184.221.240:80 tcp
GB 96.17.178.211:80 tcp
US 93.184.221.240:80 tcp
GB 96.17.178.211:80 tcp
GB 88.221.134.33:80 tcp
GB 88.221.134.33:80 tcp
US 8.8.8.8:53 udp
GB 88.221.134.33:80 tcp
GB 88.221.134.33:80 tcp
US 93.184.221.240:80 tcp
GB 88.221.134.33:80 tcp
GB 88.221.134.33:80 tcp
GB 88.221.134.33:80 tcp
US 8.8.8.8:53 udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 udp
GB 88.221.134.33:80 tcp
GB 88.221.134.33:80 tcp
US 8.8.8.8:53 udp
GB 88.221.134.33:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 udp
N/A 87.248.205.0:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 udp
N/A 87.248.205.0:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
N/A 87.248.205.0:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
MD 176.123.7.190:32927 tcp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 d65248f9-4dbf-44de-8dec-412310ffd212.uuid.myfastupdate.org udp
US 93.184.221.240:80 tcp

Files

memory/3132-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3132-2-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3244-1-0x0000000002F50000-0x0000000002F66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A066.exe

MD5 921da1871f9e8b02b04492fe7a1496a3
SHA1 9493ef9925b57c3ec73141e629e2d720de6a79f4
SHA256 0b4c041ea625b40baee5649321a514182ec7ca2e51ea024258092d56d5bc80ec
SHA512 11b7c579fef0d329fe23a0e36d545c68c67beefbe5e3900dca9277aa1bc01e131c06c37806a1d66472d7e39985bbe40b425fa12513bfed9e0d6754ec15e95d58

C:\Users\Admin\AppData\Local\Temp\A066.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

C:\Users\Admin\AppData\Roaming\gigvugs

MD5 284868406d6bbc0bf89325b311c325ce
SHA1 eec0e1b6bd29fd60bb980186969d04392fe0a3ca
SHA256 fd3b5cae25f6e183b1d917bd9074662c7526ead9c307279d25cd979cd8805cb0
SHA512 550f5a20bd8fd4d4398b218c19a5f97a6bb07da826bff1398cfee1ad7cc80e67293716496236654fb252cfc848f77932ae80fe01053a60772f9d0270eb4bcd30

memory/2772-14-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3244-15-0x0000000002D50000-0x0000000002D66000-memory.dmp

memory/2772-18-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5550.exe

MD5 3a872e27d4179be5943b1392626b7896
SHA1 0e877ddd4e3f3bf94de1ae0e1eee183c7971be6b
SHA256 5619320553c8d582880ca58d8af99eaf3b23980e5cb40f48f234d03b2652eb84
SHA512 579b5c1299e58a9058dbd1554b1f7410f154e027b9c63f7ce4831ec4f41d799b9cff58a46ec216b90d6dfcbe66ffb5f849cdc3c570c5c516ae4e45aedc41e4e0

C:\Users\Admin\AppData\Local\Temp\5550.exe

MD5 12fe4e81def25a33fc8c7616d2170a81
SHA1 eab1943255dc2581e782ed080889d788773db289
SHA256 409fc168007cfe3c41a703bf71b26c2c9cb3f0ef37451368d76c7f572c9f1cca
SHA512 b2decd83931f6a83f5395344adde020fe61e3afc2b1e95a4b068d42214f54eedfe13762d55fdd4b68cc003be476f301f40121b3aea61589ae5b8ec5e5f9ce7c0

memory/1756-23-0x0000000074C10000-0x00000000753C0000-memory.dmp

memory/1756-24-0x0000000000970000-0x0000000001E26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 1355b2f99ad038b464b264f46ec911ca
SHA1 2f036e87087714d51843a15e18bc965e2cfe4deb
SHA256 cddec560d5d73d53d41160f108d73a4116022a9a82848c1fdb9cb2d1b6231265
SHA512 75ebe981d7f76a726babc579dda8857e071179892f729ac2b208cfc0e91ee25c96bbf037fc6201a59b68321751181fa81a88491cb52e75a793f3a477824dafcc

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 8f6bceeeaed6ed15e872515cd3271010
SHA1 b83ed167d990670b2d0ef75effaeda7486482650
SHA256 1058e97a69c01cbebd7e1f191761095a0691c774be868bc0521eedcd6d3f5f51
SHA512 eaf7b48f7b4cfe623a77627c08eaf67bfa0c21971966d4e84f83fd77aabe4410f985b58ad1dba4fac0463f95b313e4e7213a1ced4961cc8b190df14ebc37e4c5

memory/4412-60-0x00000000008A0000-0x00000000008DC000-memory.dmp

memory/324-64-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

memory/4412-71-0x0000000007B40000-0x00000000080E4000-memory.dmp

memory/4412-58-0x0000000074C10000-0x00000000753C0000-memory.dmp

memory/4412-74-0x0000000007670000-0x0000000007702000-memory.dmp

memory/4412-86-0x0000000004B00000-0x0000000004B0A000-memory.dmp

memory/1756-90-0x0000000074C10000-0x00000000753C0000-memory.dmp

memory/4412-95-0x00000000079E0000-0x0000000007AEA000-memory.dmp

memory/4412-96-0x0000000007830000-0x0000000007842000-memory.dmp

memory/4412-114-0x00000000078D0000-0x000000000790C000-memory.dmp

memory/4412-115-0x0000000007860000-0x00000000078AC000-memory.dmp

memory/1124-113-0x0000000000540000-0x0000000000541000-memory.dmp

memory/2620-243-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2620-244-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2620-248-0x0000000000400000-0x0000000000785000-memory.dmp

memory/3956-252-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2620-247-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BO7JO.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/4412-91-0x0000000008710000-0x0000000008D28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-CA23O.tmp\tuc3.tmp

MD5 35de099cde3be3a71ebdc1a33b49d8c5
SHA1 cffa49a75e0a8a2c1f8fa28325a0e41cfc23a5ba
SHA256 07c3223e34f91793e1b90f982895d775d536fefa60c5f4bd557e6820cc1946c6
SHA512 12f949a46102b7f5fb6b9c3f47831c303e2b39141cdfc40ffe20b36e164d61ac1015284fdd1c44e7ff522eae706bd50f8ea2a33431379e4dac95bdbf72cec109

memory/2144-254-0x0000000002A10000-0x0000000002E15000-memory.dmp

memory/4412-255-0x0000000074C10000-0x00000000753C0000-memory.dmp

memory/2144-257-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/324-258-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

memory/2144-256-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/4412-83-0x00000000078C0000-0x00000000078D0000-memory.dmp

memory/2848-259-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3656-260-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3656-264-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4412-265-0x00000000078C0000-0x00000000078D0000-memory.dmp

memory/3960-263-0x0000000000A40000-0x0000000000A49000-memory.dmp

memory/3960-261-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 f1fc1711dfece7a3d1bf443958c40fd5
SHA1 0722e90d47b0cdec25c77418f49739b9a26247e2
SHA256 ca86af541528359ed6f0b89038adc5acc125759451de14688ced1a6be3fe6c96
SHA512 cfb10f4d6b0b138e14d3df7ff10d15e484b515bbdee329a0c08fe5851fd5832fcfb8848da1b59859721fa6cce088092a77065e7193bfdb6e26dc76a68f32cfc6

memory/2848-76-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 3b93c970bd35ee2573e897b2fad05229
SHA1 47cd1ebc5b6158b0043711bd2a8da5c373f9f181
SHA256 d287dcfcd3fb380e0dc6ddaa961659919dc916cfcdb50d4d2bc9af1cefdc202a
SHA512 d8aa559adc75f8e409dface0b71a9a0b72c6c05ea297eaba99c3fbc349292d406caceb7906966fd04176295891ebe749e3f5128ec94aeb175c1a295ca6c06428

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 966d29df1c138b0473de934dccb82408
SHA1 f444cfc98e6bf6966dfe103904326faa3f6d902d
SHA256 16eba7f7f676acccc13e640eabb4b8f5453a8f808224c9ab602d15c4a6e23ac7
SHA512 a8a9a95b765e79b72361fe987f419c247f47614a94b61b9e182c66b5755c8c6739103cf1867cbcf3c602760d0c742f8e68c3571739c5c32bb7aae25df56d853f

memory/628-268-0x0000000074C10000-0x00000000753C0000-memory.dmp

memory/1124-267-0x0000000000540000-0x0000000000541000-memory.dmp

memory/628-270-0x0000000005070000-0x0000000005080000-memory.dmp

memory/628-271-0x00000000056B0000-0x0000000005CD8000-memory.dmp

memory/628-269-0x0000000005070000-0x0000000005080000-memory.dmp

memory/628-272-0x00000000053C0000-0x00000000053E2000-memory.dmp

memory/628-273-0x00000000054A0000-0x0000000005506000-memory.dmp

memory/628-274-0x0000000005D50000-0x0000000005DB6000-memory.dmp

memory/628-284-0x0000000005EC0000-0x0000000006214000-memory.dmp

memory/628-266-0x0000000002A50000-0x0000000002A86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 86efd3606640f7024b60c48f8d202373
SHA1 204f7d904c3e7d1e91415c1dd93e4047f4799526
SHA256 d0e0b5bcfbc3d81f39680cec6eea39ee2efb4214c8e8a5dec35d149f18c6a9c0
SHA512 6a796633b049ab5bb85342b52ffdc341daf6d16854b41196cc5378524553ed654f5feb3462171c38bb2de84ac1a22d670c6f83055199c6bfdfd2227f3a730b13

memory/628-285-0x0000000006390000-0x00000000063AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 18b414da213d720c6666c6af7dbda045
SHA1 fc2d35e01d06f579c99341ab8109e204188cc43e
SHA256 2610b59707af017b55f8ecec5b00deed79f0b9a3bfabdb9e025fb5790df759b2
SHA512 c47845e97fb43cf57b6cf5c1732f9a5b7625585fb40627a51991e0d9c02aefad139e78b73ff80a00fe23f198a6fb2156e1c835bd7402dfee4a696397974b9afb

C:\Users\Admin\AppData\Local\Temp\5929.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

memory/628-286-0x00000000068E0000-0x0000000006924000-memory.dmp

memory/628-287-0x00000000076C0000-0x0000000007736000-memory.dmp

memory/628-288-0x0000000007DC0000-0x000000000843A000-memory.dmp

memory/628-289-0x0000000007740000-0x000000000775A000-memory.dmp

memory/628-291-0x000000007F490000-0x000000007F4A0000-memory.dmp

memory/628-292-0x0000000071690000-0x00000000716DC000-memory.dmp

memory/628-290-0x0000000007900000-0x0000000007932000-memory.dmp

memory/628-293-0x000000006CC20000-0x000000006CF74000-memory.dmp

memory/628-305-0x0000000007960000-0x0000000007A03000-memory.dmp

memory/628-306-0x0000000007A50000-0x0000000007A5A000-memory.dmp

memory/3956-304-0x0000000000400000-0x0000000000785000-memory.dmp

memory/628-303-0x0000000007940000-0x000000000795E000-memory.dmp

memory/628-307-0x0000000007B10000-0x0000000007BA6000-memory.dmp

memory/628-308-0x0000000007A70000-0x0000000007A81000-memory.dmp

memory/628-309-0x0000000007AB0000-0x0000000007ABE000-memory.dmp

memory/628-310-0x0000000007AC0000-0x0000000007AD4000-memory.dmp

memory/628-311-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

memory/628-312-0x0000000007AF0000-0x0000000007AF8000-memory.dmp

memory/628-315-0x0000000074C10000-0x00000000753C0000-memory.dmp

memory/3244-317-0x0000000002ED0000-0x0000000002EE6000-memory.dmp

memory/2144-322-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3656-324-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1124-327-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1644-325-0x00007FF78A410000-0x00007FF78A9B1000-memory.dmp

memory/324-321-0x0000000000400000-0x0000000000965000-memory.dmp

memory/3956-343-0x0000000000400000-0x0000000000785000-memory.dmp

memory/3956-452-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 341d0e0ad849e9d414287058381d6c2c
SHA1 3ac01cff9072d3f6230ed9540c08559dd5ead7af
SHA256 271cd2d04c77bdafe0ac5820b12a3d39263025ac217a6b9ddcfb5910c8b66e0b
SHA512 83b225effd5021cd0d23fab7380373688851b7e19b7699c1887f810503dee1ed72b61527a93a526d0f8f2ab02852dddbc429c6d02017e110670b27d9873cf131

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8306c1b91c2f0f476ef9c280b498be09
SHA1 656d3d53a023a5b193e87ee8a330077d9b7baa00
SHA256 534b91c59b9872830b38dd9b63e9403fbe210dd801d87fc20094d8ee79ef1190
SHA512 ac5496aa2539963f9d80cf04204dd1452ce4406cdd8a264f42a396ff0d9c1faeec9bfe0ca8055f579df7156dd0f937514247afdb8c7dac44c2955aba5e7faefe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 ae7230ec58e68d2de83404f3cd71eb56
SHA1 a9d397d4462c709cb8d11726b5f11900b5e18eca
SHA256 6d2905371b4b5678622b952998acc9ce6da969e05ddedee5968c997742e9fd8f
SHA512 c7ba8c1778b9497c1c8c03cb05e046b795f7673227684852654186bd11fa83eaef30993431f098c6bff2ea7ed69f6bb551c31bc46d40c5b90f596bf9b2409a36

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 a1b8f9d64331687ab95e3fbe7d27fee4
SHA1 a90fc7b065cec0332d3856acf2a7f7a231680f9e
SHA256 f62b678813a07c1fcfb3f905351fdcbeabc97820a61d9f45529b77bffc23d0ed
SHA512 0ef6a98fcefa00d309cf2195743124cf4960a71b3c65ee0c143ff87797fa1b780073f92141d4055f9857d5da39cf37042e8a2ce2469e4605ae9a9d25637754fc

memory/4324-545-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5072-546-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/3956-578-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 5e5032296d50435725b3dbeab1ee3dba
SHA1 212c1bf92d18bd04f1bbcfcdb641881552660b94
SHA256 06f6fd83dfe8245ac6acdf50a762e406854af8f6f962be65fcfae87eeaf5b4a9
SHA512 1e82416120baf9bf880eecfc546565fc5c575f3e80365bc459ccce1befae0c3e220712683f24c4a94e899e69728f3f4ae7377538bf1f0a1121fb173e3ce4820f

memory/1644-583-0x00007FF78A410000-0x00007FF78A9B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E01D.exe

MD5 eba58cca44ab2e7b9a9be4688056fc57
SHA1 0e289ff1dcf359bf5a63239b75977e3703faed7b
SHA256 f434c5e93238f46c4c74a3c639cb282e9cd9dad42e3ce551905710c8ba9fdaf2
SHA512 26d6f454a662566ce3c770c5d88baea9563b85a04bd903ddbdff19ca83e9c1e1eef70ce412cf03a23ed4ac4d801b8cf12c4a9861a921e901f69a7d837fee4055

C:\Users\Admin\AppData\Local\Temp\E01D.exe

MD5 af465b78b80d64928d8d665e44826b0a
SHA1 3b797341aa9264b27e6c9e32e0d6ce9d486347d9
SHA256 26bbcacee66197b06087fd4c78feec4e14a18bd301573558193f72fbee2717ce
SHA512 fb3ec65627ac6f97be1a49254227fc9a530971b83b7842426b5af6ef36b9c0c353589d3dd4c6b1608dbdb2fa3add58b3e4221d722f42a9b2b1acd1f00df0353e

C:\Program Files\Google\Chrome\updater.exe

MD5 8c36e758cc4028b355fd05bd3367e08e
SHA1 ea07e4c961dcf242ec452f9b35d459bb78689018
SHA256 351159751953139da330016a64e7884dbe20a929a2a38a70eb97ad49f1f91502
SHA512 95ec076d66bdfee679f48e9b0a05ac7ce99b87b101db2e490dbbd30195c3c72f068a839c8b63788012b176a6136c68c7810287929a1baf3e9f039c13fccc5ef7

C:\Users\Admin\AppData\Local\Temp\F319.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/5072-609-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 d76badadb5d24d4c6bfd550ad15be9a5
SHA1 fae90c9eb05b89a39b9fb1d4e17c67c96fc2714b
SHA256 1ef161c26b3803cf5e539bca1ee357c6bfc7281bd4ff1d7b5dea378fa19567fe
SHA512 402640c7d2ff643e028761b27cfdc41c3690eabd0fb6edd5f8562a8cf2ab36ebfdca0f591654a10375304b26c21d4130cddb9c624bab6c2d62808516499e60d2

C:\Windows\windefender.exe

MD5 7aecda68668c42afc88bae0dcfa0e01d
SHA1 fd668968aae5d64ba4aff0310e27cea016629097
SHA256 41c2ca554b14dc011c52916f7beabac57942507d69d223e6013cfd544261cdc7
SHA512 4bc8890025994bae15f11013b58dbab80c5806a009260acf575d294e106cf16a7a4b4fcab9ebe96314113eada8372890383116de79aae096b40fd319b6e2c6a2

memory/3956-617-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4004-618-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 e0682f4022e499a83c723bbcc9354b8f
SHA1 b50dad3dff37b057a4ba53fb8029c1c59be8cbbc
SHA256 56833bcb7684207ae7bbdaa5fbcb57bb53ad29ef09935b29794ad6ae2c1ba641
SHA512 431a976d4f29dd84394564c1cdc0bc65c9e3aa6a8d0f893aeef77ece645a971a5eb042303f8f655cfec5e1b5cc1c9987e137ee806384c9f01d2514e8fbd99e29

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 2796f38d31fd9052eae9764ab56a4aaa
SHA1 d12f844536c114c467ae5e74d4c943ddab5ca90a
SHA256 fc1c16a7e4c080b7e35a7d8a1408159f8162a2fabf4fef162042e6244012a809
SHA512 9fd4a70a519a2eafee5a443e05f9860f00742119dbb6c6bd9af47d81f57470a7f3a74b9bac29c5bd6e4026e3e8dd91d8c26a674af462b6f6054af331697b2b2a

memory/2628-626-0x00007FF702CE0000-0x00007FF703281000-memory.dmp

memory/2808-629-0x0000000000400000-0x000000000047E000-memory.dmp