Analysis Overview
SHA256
fd3b5cae25f6e183b1d917bd9074662c7526ead9c307279d25cd979cd8805cb0
Threat Level: Known bad
The file 0x00070000000146ff-113.dat was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Detected Djvu ransomware
Smokeloader family
RedLine
Djvu Ransomware
RedLine payload
Stops running service(s)
Downloads MZ/PE file
Modifies Windows Firewall
Deletes itself
Modifies file permissions
Executes dropped EXE
Themida packer
UPX packed file
Launches sc.exe
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Runs net.exe
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 09:29
Signatures
Smokeloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 09:29
Reported
2023-12-11 09:31
Platform
win7-20231020-en
Max time kernel
72s
Max time network
113s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ADDC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\bcwgshd | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6C8A.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\bcwgshd | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\bcwgshd | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\bcwgshd | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\bcwgshd | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe
"C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe"
C:\Users\Admin\AppData\Local\Temp\ADDC.exe
C:\Users\Admin\AppData\Local\Temp\ADDC.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {C8D50174-46F3-4A48-8CEA-8219E7CBB7BB} S-1-5-21-2952504676-3105837840-1406404655-1000:URUOZWGF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\bcwgshd
C:\Users\Admin\AppData\Roaming\bcwgshd
C:\Users\Admin\AppData\Local\Temp\6C8A.exe
C:\Users\Admin\AppData\Local\Temp\6C8A.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\717A.exe
C:\Users\Admin\AppData\Local\Temp\717A.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-R450N.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R450N.tmp\tuc3.tmp" /SL5="$40162,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211093031.log C:\Windows\Logs\CBS\CbsPersist_20231211093031.cab
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\E18C.bat" "
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\E3ED.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\taskeng.exe
taskeng.exe {19B17FB7-F959-4DA8-B20C-682BB9E83049} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Local\Temp\247.exe
C:\Users\Admin\AppData\Local\Temp\247.exe
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Users\Admin\AppData\Local\Temp\27E1.exe
C:\Users\Admin\AppData\Local\Temp\27E1.exe
C:\Users\Admin\AppData\Local\Temp\304B.exe
C:\Users\Admin\AppData\Local\Temp\304B.exe
C:\Users\Admin\AppData\Local\Temp\304B.exe
C:\Users\Admin\AppData\Local\Temp\304B.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\12c682ee-73e7-43f6-9821-662c34806eb2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\304B.exe
"C:\Users\Admin\AppData\Local\Temp\304B.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\304B.exe
"C:\Users\Admin\AppData\Local\Temp\304B.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\65DD.exe
C:\Users\Admin\AppData\Local\Temp\65DD.exe
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | N/A | tcp |
| RU | 77.105.132.87:6731 | N/A | tcp |
| MD | 176.123.7.190:32927 | N/A | tcp |
| US | 204.79.197.219:443 | N/A | tcp |
| RU | 77.105.132.87:6731 | N/A | tcp |
| US | 20.150.79.68:443 | N/A | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | N/A | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
Files
memory/2160-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2160-2-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1260-1-0x0000000002120000-0x0000000002136000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ADDC.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/2720-12-0x0000000000160000-0x000000000019C000-memory.dmp
memory/2720-17-0x00000000741D0000-0x00000000748BE000-memory.dmp
memory/2720-18-0x00000000008F0000-0x0000000000930000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ADDC.exe
| MD5 | 8767ea4659e6fa6fd5dc6c43e7ed056f |
| SHA1 | 1e55bd4f0072213e1f45438f796973cd10ce6180 |
| SHA256 | 564a458a5458e699e59c1422fd0afe722eceed4ee8a1a60bf898459135e6590f |
| SHA512 | cf5aa8f03469f0e79279ca06f56120a123ce493a9915db7eed408b826d35321e8cc69bf9f774ddcda54de2c80cddf7cdf8615906be21e07fc033c7f75290189c |
memory/2628-23-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Roaming\bcwgshd
| MD5 | 284868406d6bbc0bf89325b311c325ce |
| SHA1 | eec0e1b6bd29fd60bb980186969d04392fe0a3ca |
| SHA256 | fd3b5cae25f6e183b1d917bd9074662c7526ead9c307279d25cd979cd8805cb0 |
| SHA512 | 550f5a20bd8fd4d4398b218c19a5f97a6bb07da826bff1398cfee1ad7cc80e67293716496236654fb252cfc848f77932ae80fe01053a60772f9d0270eb4bcd30 |
memory/1260-24-0x0000000002A10000-0x0000000002A26000-memory.dmp
memory/2628-27-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2720-28-0x00000000741D0000-0x00000000748BE000-memory.dmp
memory/2720-29-0x00000000008F0000-0x0000000000930000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6C8A.exe
| MD5 | 8c4fac35879632d30d5c7f27b24eb3e8 |
| SHA1 | 17866de34d0ca45aa51fd99916800444c3f632fb |
| SHA256 | 3a8a79f47dd63663b1e3443cc7f940f79f85aff8e8f6343056490622b9604929 |
| SHA512 | dd1ac5c34d28d7a7905a8e7d516c45f2f11171f94d6c00262e95f2b5ff283aa1dee4159579fbb8ff173db681c6e84da6613b14edc9af21dd61c5685e7bb9c0eb |
C:\Users\Admin\AppData\Local\Temp\6C8A.exe
| MD5 | 9e3bf7b01ba73cbc47fc965ce220dec6 |
| SHA1 | ec2446cc911061372fad44bb1a011e192dcc2fd7 |
| SHA256 | c9a0d224830c1ecee7f2587fbc3050b50a90d503f308be6653ab5a7b01f8da10 |
| SHA512 | e99acd298be396918970e48b1459b250532aaf719c681e8596b5c4071cf6d7f81cab1049a38f3c5359e13f826e9b7b8a19c4fcabf80e0257515a4a2bed27aa14 |
memory/3048-36-0x00000000741D0000-0x00000000748BE000-memory.dmp
memory/3048-37-0x0000000000CC0000-0x0000000002176000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | bc4b9023ac86e7832a0b9bb1f2d250c9 |
| SHA1 | 97240c4c61c32a7dde0947dcec0494174038c1e1 |
| SHA256 | d8cd762a5efb54f383d7cf643fc79eeb26c93ce01e943db7d4529c90ab8a7ec8 |
| SHA512 | d536247897fda1f42f639e8e3c40c2db52d66567395044117a646153355325cf2725e7a6f5330bb4f3d749a3e1c6af0eb1ca2267c71e2b0f59e301e5f8c2edbf |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | d9c00f35cf8a0eff6075f662df8a443c |
| SHA1 | b52e69e32f48c6458a37b0643a65d9345d6ca4c3 |
| SHA256 | b4b89bda5a5679e8de4599be1ce6b82dc25c741f180d0193b5aabecfbd1371c2 |
| SHA512 | 3a8b852b4af07a0b3e7147c4960db96e29ee7119233dd1b9354c7b44809971cf64323f17222d66214515bce0cc1bc252f646758874d33eecd38100aee9cad963 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | fae5e1fa71d2db363985d0d8886ddcef |
| SHA1 | c3041b61f85e3b21a034685d6df7482151dc3254 |
| SHA256 | 98c0587e79a2289c46cdcc8c591e65e7bcb700e0bb39326e75b04cca60e313b4 |
| SHA512 | 268a03975d017416d78eb8acc61f94b5d9b696f0161095ecb5ae129b4e73d6e3013f3119b347ed4df3ceef585bfe9a2d82cd15299777dfc9a8fd3438d2f31576 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | caf3e0badcd563be68a4ae7720290537 |
| SHA1 | df3883d0816602bedf89f682bf9ee37df53bedab |
| SHA256 | 65a9b8273f04942fe03ed41300d9aed2c379e92951047f16784a4404e64d80fe |
| SHA512 | 029ea0e5e0dc5a15e783558cc33c8d04767902dded48d0e773a48a7ca9cadc7f0c5deac9966a54035cb080807d64ffa6ebf564318d908fda3b58eaf77b4ae1d2 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 5c6e3c9dc68aae7e963c0bfc5d42dc89 |
| SHA1 | 0bd212c25745cb5fd60d6f4c40bbaac1a6b00f97 |
| SHA256 | 444a5e1b31d611c2380a4c65c470f2dc28a1be268141a165941728f2456ad700 |
| SHA512 | 9b525cf35882123dff9edc16a7536ed7e95667c780e79cd02cbf2699f73a5bf9170dffe4b50cbcc188a1b505775fac83aff811dac45c948e78868310582384ae |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 92f8cecba4a3e2662d3ccc60b2d8662c |
| SHA1 | 1f3098e88a0927d278702d49ba044fe5b5d7c2d6 |
| SHA256 | 17358672b2c89b080e8df052d27f2255ea40e2fe6bd9ff94ff9900853f5b8eea |
| SHA512 | 42905543139987da6112bcf0bef41e885127b6a46bd96ae9a9137b060351a0951491c29a80fa6cdc0b5b8e58f933d3d188ad8f85e0ed291b9b2ee5ebc4908143 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 0701a9d3b245833154039f8b67b32ac3 |
| SHA1 | 8aa43627bd1b118bff2ac366acab13d0302c9e97 |
| SHA256 | 6788fc1521a050710b77ba24b652f09fcf8a99a3f80658a0010f29ad990a9213 |
| SHA512 | 4f95cda6ec60e04e8852f7e53f240062e2f79d702962f559c2684e57df5251341275bebeb50ea15b4de650d07fbc35a6be85237e6aa7a6796b26092e4249eac7 |
C:\Users\Admin\AppData\Local\Temp\717A.exe
| MD5 | e45df5e33b87abc7457e3e9dba9ef2f9 |
| SHA1 | 2aa0e129f18536c97cae5b69ab3f99306212ac30 |
| SHA256 | 437f79e6d4efb6594b713f7fa7b58db815b4453437a36db54cb5aba80dcdfa53 |
| SHA512 | 668ef706b442c1ca76bf7ae2a8e44607f5c9461f712f45d38697281cfd5dd5248b6ecc338b43e8cc1e8f4f81b2742392c4f88a2dba44889f5797b12a70b3a7fa |
C:\Users\Admin\AppData\Local\Temp\717A.exe
| MD5 | 5097fa5f018fea8039f7bb7e21d2629b |
| SHA1 | 17d37dd54bfb98d3602145285fb2d605c50fa408 |
| SHA256 | 13edfeeab9e5f5b6c3cd3ac6b4143c842f5175d7391d3cb66d26a4b5233b53fd |
| SHA512 | f641c5290d47816c82edc1787431982550b0ebf6614dc3e2c7a50b4d099462f50c8782345c4cc31a666f8e7db014f11c6e9047144af50ec0b1e412e2f90f09fa |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 1f371fd5a35d766100909f81ebbd488d |
| SHA1 | a5cbad7c87f318780385808626c5cf4f7cb410fc |
| SHA256 | 07e3862c6c7068559f56af6a6fb50e97fab38082d4576a43a20b2a1456449970 |
| SHA512 | 649f37b348b8c1e2a9379fa620b5ff841447d19aa3574c46abe55c077f295796e84b210db248a3f8ced6b0c0de14262c1b81a0ac7323b3658d3ab5f41ff41061 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | e9ad100185218c9d8d07478f1ade00f2 |
| SHA1 | d3248f4f7209628f2b49cf1d2ba5e2a36d820fea |
| SHA256 | 3cc9f4b6bb4afd6a998b9be024578bb6444d261a5e667c320cf2b90d47876051 |
| SHA512 | 729555a9a7d913af29bbd8ae5bcd4ac6b6489e6229fd611029ba9c59acfbbae70b1ff9f76d8b3866e7c2dd7c5472c77edd6461b59b2983085a76fa8862bd9c8c |
memory/2172-69-0x00000000741D0000-0x00000000748BE000-memory.dmp
memory/2172-70-0x0000000000C30000-0x0000000000C6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 718f149a011edfe3381c4ff01403b315 |
| SHA1 | 3acc04840a10206e4f6aa29b5e048e9aa8a95a64 |
| SHA256 | b0d62a681705199b4438bd234e0c78b81b615cf2a58e277404a43e890bc25921 |
| SHA512 | abcdb6d199d91a79641af1c93766405a8aaeceab7d1436ae6f07691e50fab93b00e1786e87e972e8a53eeac16fbe4bc4fe63cd1d516258f47f781262d18c59a4 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5da0a5a5e516ee6659201f09d6c77568 |
| SHA1 | 17926ea9a85450bd96de8bdeb051b2801525a5dc |
| SHA256 | cb1dfc241e343938a674a59e3b8b406ac3e81e06634f25151c814d24029665bf |
| SHA512 | 697fd68d6ac7caa29b95ba2d66ed3a84b8d1af501ff939cfd638cbc220738a4328e3ce6646ffed275b5f2b292dc6473f566e72d4f433504bd5bc4495301eb81c |
memory/2172-73-0x00000000071F0000-0x0000000007230000-memory.dmp
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 9204ee81c318ef08fb68ac84f3a8dbea |
| SHA1 | b697434f6ea38ee865c5ea792fbaa190ec558422 |
| SHA256 | 45015451ddae4b2e70b3c352bad88efbf6fbb368a4f2d820300cabda10c644d3 |
| SHA512 | 7e7211daffa5a218df9602066ff02d8669e2ded012280f0515526daa6848ce79b60b295c1a6a47c163c130c185c4d86408231b74814bebb44cf1ba11647791d1 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | bd9a9b270b9e25ea4dd4306e1c7d3441 |
| SHA1 | 883067f0f5628cff11a9f63205058fdc342c7ae8 |
| SHA256 | a39f1a00948079e247cbec1ed1687157fadcc85a65dd05f915cbca237d850597 |
| SHA512 | bf21065297a15dd65418d12d1a53fb3a048db810aa0b2b1b606039a4b601ef6a0d91682b241eb3d5e3a697d6556e1ca9ee80febc137bde9379f9d931311173e7 |
memory/1540-78-0x00000000001C0000-0x00000000001C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | df4774a674283484f67d923d23d00d2e |
| SHA1 | c7df38f259702b88647c3be1837923fd1d62710c |
| SHA256 | b3b06a0972bddee62e8ea7f8ba41078e4517f5331655ea27325389fcb6fb3900 |
| SHA512 | 68ab4c16e6a144752a99cc7ecb82af9719df44ad4cdf3c4f031baf2b921d00280bc42bb7e15a8a0ef284f18c33884a5f180636e6b06f00a3d1a4aad40c5c473f |
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 1a4c77eb491e8a9e8688abc876b7216c |
| SHA1 | f233e516a2b3712d196993b4f5565723efe28a4d |
| SHA256 | 24cfaef8279d23d15ec724dc61ea42e32934cac61f93f3c987bed125002a64a0 |
| SHA512 | 7171166d779c1cc3d06edd9d2e94eaa7c50ec779f6e13f4c0b5670690684eb5c5e432f40dbfa32de7aef75c4a3f3bb4d83ba281ceb34b788e6fe5277e85089ac |
memory/3028-83-0x00000000026D0000-0x0000000002AC8000-memory.dmp
memory/1668-86-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | a27c0a3eaffb21775567b23ba62038c5 |
| SHA1 | d145fa3aaae88daf0f0d8032398349c34d1352f6 |
| SHA256 | 3a8403fbde8b291b5eb482509b1a6f0ca9382a7c81147a6e9946d46196f20561 |
| SHA512 | e766bbd0adeab0e6c15c0f966dc2ec977eff05401413a9989f49c25b08a8fe96a767b046dcf77504d23662750a8ebe135be3ee4b178bd253eed0b8c2d07a19e9 |
\Users\Admin\AppData\Local\Temp\is-R450N.tmp\tuc3.tmp
| MD5 | a4c9a1032c559370e1af35460f6f2b4f |
| SHA1 | 2644a0d1e03a51a5d7d9d0eec3e99946a474c62d |
| SHA256 | bf69a6d487b94ca891ef263861c5e4d5ae67000f29a2ae6144dd8d044157d3bd |
| SHA512 | f8cb1078f13b50a61dc7ec3640aea8f0a6bdb822813c56e7b2e64805c4e487676c60a47d9b31176e0cb41929cc6c1012f923838e8ea2363dff8eb957995011aa |
C:\Users\Admin\AppData\Local\Temp\is-R450N.tmp\tuc3.tmp
| MD5 | 9d914b9bb619005801e3e4a473efed89 |
| SHA1 | cef7056c1bb834ac3c54d194f38aedc8aab7a894 |
| SHA256 | bc9d25859a7dca211edd45f1f6264c0ba0801b3e4e26e8f7120b1ffccac48c46 |
| SHA512 | 47985273a69ce68195c1d0b27e4b51d9a637ad99bf99eaf8bf98ea18802f4fd2460f3350a6abbb76a0e0070034168ac1715b08f3b2bcee564a79040e25e96e08 |
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 004fbacfd073c6d65ab6c7d1d36cd835 |
| SHA1 | 7e40e25a91b2673251de8e8a8e8468e61dc650d6 |
| SHA256 | bd9073d3e9e43c90bca08b85a6051d3e3b5f5e8f3fc3064c2378560cfe9e501b |
| SHA512 | dd41d543a389a704144b7fa62f29ec7b3c47b5a274bfab2ce02e58b5b7a2cca8fe6642e2ae6b2dab9f1c913b43be94266631c32bca19346de2fb350169e46ed8 |
memory/2668-113-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-NUMG3.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/3048-114-0x00000000741D0000-0x00000000748BE000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-NUMG3.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-NUMG3.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\??\c:\users\admin\appdata\local\temp\is-r450n.tmp\tuc3.tmp
| MD5 | 8eae2a6b1522fe5d9d89892c5419ef7c |
| SHA1 | 66c2b1603ac60845eda8f2cbc450a13cd3f1e9dd |
| SHA256 | 8d333309e4c93558e478186dafd6a53006e7eae27afa9966bb9b00a10eb80cf0 |
| SHA512 | 93c4dccb3754856d0b3549c5320cc642507f7ff866f040e77c9c07a7e9369631e12526657db864d80a5fe22fade11a925de07a42526e46d90f1bf336f3dcbf03 |
memory/3028-125-0x00000000026D0000-0x0000000002AC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | f8a4662baa347035f5cd9f85a95f3cf7 |
| SHA1 | 99eca4a04586f8bd79aa4a3dbe1b4a859af188fd |
| SHA256 | a8b3c35ce22be4eab96569dd5c3e9d0536c8c0f63e2f1709ceaa2e5720fed7f2 |
| SHA512 | c88c48a1d1f23e5c5dc55bbf5b39720022c623801487bcf25f12030650e7a088c2c8dcc533bb6d6e4f1c8c672b3ff1a151b32bf1ad7936630a3b2bed3009aa44 |
memory/3028-126-0x0000000002AD0000-0x00000000033BB000-memory.dmp
memory/2660-127-0x0000000000250000-0x0000000000350000-memory.dmp
memory/2660-128-0x00000000001B0000-0x00000000001B9000-memory.dmp
memory/1208-135-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cfa54fe84ace27f5149367fdd73830f4 |
| SHA1 | 098232b026ec69c145e5a8a342a99b92aa5b1a7c |
| SHA256 | 49a6f3e186cd2e0162460f41375c739248648400373c4b95f3029732ca36d5e1 |
| SHA512 | 2a87ad1b0ecd91ed2b28a4b3f8da65ac5c64a114e2000a4558596a9abf3db302ffa94c936b7e545b2f000ac5c581493efa82c17e0c1bb05fa0de7bfc78875156 |
memory/3028-136-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1208-133-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1208-131-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 0f138d8f2e34052b460f28536d71a806 |
| SHA1 | e7efaabfc55c81837f18f6314727f2f237114790 |
| SHA256 | 90f792971515ebf668ee5b6b64e26ae1f44ae92f39147775067f53385f5831c9 |
| SHA512 | 79d1796a4989993fc0dd6df12cffb2966b9dea14a9f8aa40c8e15c77e45c1e5dbc02888472215651166d7c7f6ddca69e7bd9fd8bc74e3b9938dee0ba5725560d |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 822d826d3ab8a14ea689aa4da3ca5195 |
| SHA1 | c8337d9e6d25bbbab0e42c9a0a9d938d31126006 |
| SHA256 | 963fd66eef63b73afc61914acbc79e5b4a8588e0fa61a2adbd26b07aca5fc943 |
| SHA512 | 254adddebcc64f203ad25bdd3d8d8dbf4a119888ee205939c9211ad2dc1758bda6441a1f9f40db676ac86a245abfafb4ff6301515b3f10164489066ddcd6ea8e |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 8235f34b83b1efe07eb32ee9aa6ea374 |
| SHA1 | f5316a17593659ec1501cbed936877363461f399 |
| SHA256 | ae442b4dbcbd93ce4ab164a63d7f1d2e7566ee7b094649e1fab3bd58df130c1a |
| SHA512 | e2a955cae5312ac70228c8ce9cad50128b5741f1242314817021b228df2be76f9ed1dd290846241891c55fe88202e2386499117cf33f5e1d013d1ddf84add820 |
memory/2172-138-0x00000000741D0000-0x00000000748BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 65d3f78af333aabd512d980070bbc73c |
| SHA1 | aeb6ce0fff64c0d604b5075a8995b03e6a0fb1e1 |
| SHA256 | dafb0d98cc8618026c92b8994f1a9402c5ffdb069a1ab1238a2124fc184e4a2d |
| SHA512 | c1c2212b4405292a397413dcc1e60cc7fde1a2e11ca23d7408c756c55c02fdd22bb3c354c5cbc2edbd60f6b9b14500667c24fe42ef524a8ca285f297739dabae |
memory/3028-141-0x0000000002AD0000-0x00000000033BB000-memory.dmp
memory/3028-140-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3028-142-0x00000000026D0000-0x0000000002AC8000-memory.dmp
memory/2172-143-0x00000000071F0000-0x0000000007230000-memory.dmp
memory/2472-144-0x0000000002740000-0x0000000002B38000-memory.dmp
memory/1260-145-0x00000000039D0000-0x00000000039E6000-memory.dmp
memory/1208-146-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1540-150-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2472-151-0x0000000002740000-0x0000000002B38000-memory.dmp
memory/1540-153-0x0000000000400000-0x0000000000965000-memory.dmp
memory/1668-152-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2472-154-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | a6838337bde1e217e8b4558947a05f06 |
| SHA1 | 28c6e43fdb74d3be6739a8336b1cf8ccdbb8e1db |
| SHA256 | f994aa5829feadd1a47ae1a1d5aad91210cb5c009ee2d6d84a0876251db06366 |
| SHA512 | 1c66198e82a31e440859460f25e4e5714c62d153ce0f61c6e7b533ec3aa12d546cec5c9fb33b1c2f26fedaa579e6ce9484ee17c93b4b66ca0f185fb42ca20556 |
\Windows\rss\csrss.exe
| MD5 | dc9e77b81c70b9459d154e163e692da9 |
| SHA1 | 6a59f0bae261fb522541dc148f96ff5e1a5eee3d |
| SHA256 | 620c0153374573886e5ed094ce5dd86ca0017e4c3245cb0763c0d787ee11d764 |
| SHA512 | 29fd3982c434a1dee22d9a8180e1ec2e8212722d4d0e5d640be4169561d2d85deb7a5a396ffbfc4b39eae0d048dd54b90c1e06495b89f39cafa9e46541cf9bbe |
memory/2472-162-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 9527a61054974bddce055d7ae153cc14 |
| SHA1 | 19c31b09d3076d1825f02731ab2641c2535f6122 |
| SHA256 | c7c08d9086d5e5881c9db16bede49736ef6cc742cfa56ae47bd39b9bcb1a6ab8 |
| SHA512 | bba6ba92117a32d696e1739a205946770a06a773ed5ad9ed537110c021c6f6dc07e5e4d3b7366a83888c82a3740daa4db2f22c249229bdcc9628ea0b61201d09 |
memory/2668-165-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1936-166-0x000000013F920000-0x000000013FEC1000-memory.dmp
memory/872-178-0x0000000002600000-0x00000000029F8000-memory.dmp
memory/872-179-0x0000000002600000-0x00000000029F8000-memory.dmp
memory/872-181-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 0a86ce90e355f030ca42e1dcdb7c2557 |
| SHA1 | 9e291d7e622b110b5aa6d985c6ffe145c9cb8d09 |
| SHA256 | c3602f6ec8464cfdadbf75326b2376f95479dba2f58a634f15dc97226650dab0 |
| SHA512 | 20d76602bace817786768ecd3ae9017061309ba7d4cf396067abd44eb3e83671e89e22d71880f3c27b78acfa71573b2873a69fe37672075dd675955fd6e54f95 |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | c4e31b94c7da4a10490a107d2d3ec839 |
| SHA1 | c6a36917ddc367d900ac990ef4b9682921660203 |
| SHA256 | 999b95d3635b56e9be74512a405b13d1abd86ca13b130192303d818d4402b923 |
| SHA512 | 023f84247d6aa7a16141639aaf9c70adafd22fbe1d1ea4819d25f3ad75a4b32eb902eb624c96c1cce1350fd46d290e5d04d0eeda77bb6f1808c399c17a5d73df |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 238c439733a2a6e5dbf094271c53e326 |
| SHA1 | 16d92cb096efb4d40f30d8319553b7eba07e779d |
| SHA256 | 8cc48a751f7616816e754200f82882ad33bdf7772ad45a8dc2c44d17d891b027 |
| SHA512 | fd0b80e07cf44e151a48a1ef5dfef2fa17c882ed8478d52332d6a853c4709bc2f2fc2f5d2f8639374297affb02f5ee56adbcf186dacd2e1582eac00f89b84155 |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | 7fa4610b43fda76a8bd28aa093a087b2 |
| SHA1 | 2532820bf7e5630d1b88967189b1371ae81c965e |
| SHA256 | 4c61dc8c2a95cc209b4777da3a17bec715ff15a0ab3ca30010ea18551cef53fd |
| SHA512 | eff3230416211a5a12210e100ab3504d0d009062e0dc521a3355363db1902f28133a6d1422b0ce0142350b9b91b42c32b2aa8dba025d09444b8ef1ed5dd0fa8b |
memory/592-187-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1f9906337850eb71dece57a969df8b26 |
| SHA1 | aa6e3163998ef3df3ea1f210e47f8c32c8293717 |
| SHA256 | c0d2980ca1f1b1f97cd77acb41b6078eeb90712424999784a2eba511a7a97293 |
| SHA512 | d44d6247e5196546526304a52bb3f1a56d9a34b8e6da060a01305d7fea5d2cc3ed5e2ee335cfead2c3d83a11901280f3dd3d36945b8d6ef8c8f323f1326c035f |
memory/592-201-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | eb1ef2c65e2194c0d49b06cae30fbbce |
| SHA1 | 23c60b9e2b77d39c59ec864e6e9707c61c418dc6 |
| SHA256 | a6810435971611cc690b1d0f76fcc0a1557c50a7624a0d695f78f447e79c7507 |
| SHA512 | b3e4b15841abd297953264216ce51c0d888ff6afb6229d06d32cf1b8313085dd005d35689f22654f2c216374d076ceb2c864c39528baa4233bb542d4e0e47d6a |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 326d1d5466e7a31056d5c9e281242851 |
| SHA1 | 92df6612cd3c6d79c6a18fc1a52a40ca41874ce7 |
| SHA256 | 51e509f6f154fa45c508e3ff114934ce640d800efcc6b817dc8dd1083c1906ce |
| SHA512 | 1617a257bcc3eefcfa02b4047bdedd12bb20c4de4339d826c4f8996162b9458743b028ff5c6590627143aa107e8aa6294df05481a2d57e673cf376b86a00eb46 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 03e03703fe5fc79e7f1d5e44e3c27b1e |
| SHA1 | 8f25ba10b5e479ae63c4c3867475502e1a6499fa |
| SHA256 | 504111bf8fb1386663a5f92bab46dc7b1171fb9c9a8b8cd100945a6c6bde311e |
| SHA512 | 1926c83c1f301800c289b16458ae30bc0927b231a5b11b12663d8a608c5ded27d8d73987ec6af46011e2f2b4e7e4c65fa7cfd50e5370d00e47784982874b88fa |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 4cf9033e2926e25c657fbaa72a2edba6 |
| SHA1 | 79378a8b2327d38e6148fd358bf9b45b51339d9e |
| SHA256 | 1038b904e5535dee9375d7cdf08fa087ebd1436075229d6d92c478c19e8ce2ee |
| SHA512 | 65d3dc379e382632aa769ed3cd7608a10fcd9820ef1af67a062293a82c8f1fb2d84695622d6b3452208547f50887c56b767a88e5073f051dcb92123b9c63138b |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 5cc612ea585af3f5ed8d9b1939f49b29 |
| SHA1 | 42efa5082257d8f230b2318ec4f1f95ee5a09d9d |
| SHA256 | 1bcc7c897fce5f98fea7f5f7ea5de672e0b916875e23bb8b11b964197eaa800f |
| SHA512 | 8bc587f395eff7487170a36e7bd6ff8b2134a1f35c455565bd6127c723114545f042366f546c576ff31c89408400c6dbb7c9ce3e87bb71a78f99b71222a8cec9 |
memory/2172-219-0x00000000741D0000-0x00000000748BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC535.tmp
| MD5 | 68bb904702f1b8722377e62fd541d9cd |
| SHA1 | 6297c71b832c74d4e3a4ff0855082c5c20c7fa46 |
| SHA256 | bf5cf3e0918c906c0713dba835d89f2ab1fa362212f8b9fa6ae877e29ae2a78c |
| SHA512 | 9b81f062d1380a946e326061f133ab66759ba20fc969e4d2d27333165848a049893cf80de1996511fd7c66bb982d04724929f38713424618dda1fea96000f58d |
memory/872-230-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\TarC77D.tmp
| MD5 | 1e4e42b27b3ba902ab5f160f8947aa28 |
| SHA1 | 158c0252a0497bcc20b6220d9f72739830008eba |
| SHA256 | 49de5a4e12fa979dadba123ea9115d0a3dfd435d4b24463fa7d6bf5f9acafb67 |
| SHA512 | 354d3cdff448405ce3bde36bf12218b78c19a129e4c8de73bf3e8e5311bc1a28d80f723c60fbc287793bd421809048687cc3af28b1f6715d9c47d112115490e2 |
C:\Users\Admin\AppData\Local\Temp\E18C.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
memory/872-289-0x0000000002600000-0x00000000029F8000-memory.dmp
memory/872-293-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/872-294-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2364-299-0x000000001B140000-0x000000001B422000-memory.dmp
memory/2364-300-0x0000000002000000-0x0000000002008000-memory.dmp
memory/2364-301-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp
memory/2364-302-0x0000000002480000-0x0000000002500000-memory.dmp
memory/2364-303-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp
memory/2364-305-0x0000000002480000-0x0000000002500000-memory.dmp
memory/2364-306-0x0000000002480000-0x0000000002500000-memory.dmp
memory/2364-304-0x0000000002480000-0x0000000002500000-memory.dmp
memory/2364-307-0x000007FEF4CF0000-0x000007FEF568D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\63F97Z8AH51LIUYDG2GB.temp
| MD5 | 8f40afafa8e279d51438712cad8d1ade |
| SHA1 | db1ee39e7c6ce064d3dc70ff7ad3eab2f10c2c1b |
| SHA256 | ca49210571ccb5805b4716be00779732c3d5a75c98e1d3fb5b2facd726aaf6d5 |
| SHA512 | 4217ec32b8397bbda338cc36469f2f5020926b4ca4dacade37d2704435e5437efc01dfd0895fa52da4d22aa81a61737f2fcdf70fda8ba3d7b12f501f2f8ba60b |
memory/2116-315-0x00000000026B0000-0x00000000026B8000-memory.dmp
memory/2116-314-0x000000001AFE0000-0x000000001B2C2000-memory.dmp
memory/2116-316-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2116-317-0x00000000021F0000-0x0000000002270000-memory.dmp
memory/2116-321-0x00000000021F4000-0x00000000021F7000-memory.dmp
memory/2116-320-0x00000000021F0000-0x0000000002270000-memory.dmp
memory/2116-322-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/1936-325-0x000000013F920000-0x000000013FEC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\247.exe
| MD5 | 8a52e9d08d77eba2cd1998f8d7e62174 |
| SHA1 | a3774602d5a8ba200e418af70360d2aa3050a5bf |
| SHA256 | 21ebdc0ca4dc59239f4ab6863e0b9b91d78a9ace1ec57dd763f6d3e7284537dc |
| SHA512 | b40b748d28c6ee4b6cd9061cb6d598208b0683ca64008445465f82dae31941c44c81e5a36aac890eb9d357639d958ae82f8ca139d177fb6ffd655d571d9c1a80 |
memory/2000-330-0x0000000001340000-0x0000000001E0A000-memory.dmp
memory/2000-331-0x0000000076400000-0x0000000076510000-memory.dmp
memory/2000-332-0x0000000076400000-0x0000000076510000-memory.dmp
memory/2000-334-0x0000000076400000-0x0000000076510000-memory.dmp
memory/2000-335-0x0000000076400000-0x0000000076510000-memory.dmp
memory/2000-336-0x0000000076400000-0x0000000076510000-memory.dmp
memory/2000-337-0x0000000076400000-0x0000000076510000-memory.dmp
memory/2000-333-0x0000000076400000-0x0000000076510000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 956214e033b1a4236b14ae06af53d610 |
| SHA1 | 04c68c247ac2ee9e88469bd4f9f56f24ba014dec |
| SHA256 | 4b1dd4dca895b730c696ac21dc01943654d4c5a8c920d8c8d29c1b28a89858d9 |
| SHA512 | 3d67e22c4191ee186173bdf10b9f8db8b313251b5c55f18216019e56d24ebd5ffd252d5f7758f87191e31529955621d4ce48a80a75b9207f5a08c3e32a004d33 |
memory/2116-319-0x00000000021F0000-0x0000000002270000-memory.dmp
memory/2116-318-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
\Program Files\Google\Chrome\updater.exe
| MD5 | 67df9905bd0353bc5d12e7ca26d0675b |
| SHA1 | def4c1cd7222c01e9e1234fd39d99b36a0c8dfda |
| SHA256 | 0ce615331005ba772eeca988c8ceeaf496f321567ed27f693c6c8ed79e85712e |
| SHA512 | cf98d4c707fc562517d15b957aeb453d762a92c3a56174e0e5a2a3d9c8e7a24b7dd1688d8d9c52ceb741b94dd3f9c09dda3bbeccdad1248fa829e1b29a391be7 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 93e7d320eedda6f56782c1d987830344 |
| SHA1 | 3c731d0c70d8000de467369ded2a2d494a07ed40 |
| SHA256 | 0e545970ba1e06eca9a4349514308b4513c5c7994367a7bf2242f7658ba5be18 |
| SHA512 | e30feb6c8a92528282ad123f08f075422ad07690f81efb8fe36c5d5d7475c42bea410f4615988ed7ad17be353cd0a74be0b25d0bf7839298cbb8b0af03920352 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 9b8fe2f443c647584a6209137f959269 |
| SHA1 | 0943f46a9810bd0287c8e4ff03337a5cfeea25ef |
| SHA256 | 42c68a3e81af37d34d51580062efd1dde8a957d433c279084896959f80633e58 |
| SHA512 | d76c4daf5fb70c0da69e3a2b501b3c1af198c2930bcbbbaa1bb44803aaefd031deba85905ea596baa847e59a8ccd438c363fe58dc5be96ecb7d3fe4914e8ea3a |
memory/872-367-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\27E1.exe
| MD5 | a232a434e17ff84f6051dd80c438e800 |
| SHA1 | fceb633655f6d6a3c7e9981b6c042dac9bccde41 |
| SHA256 | 20e8d266cbeed21354ef942d17011c54314973b9e81f4260c721053c3b55acdb |
| SHA512 | bbbd5a8910dcf67c6d8e589349f83ad1dc98292a8e21105c66cd2ef9408ead91e49bf8784ecf85b1023468b2ab93a4170908f3e6fc7df0058c99b81904d41f71 |
C:\Users\Admin\AppData\Local\Temp\27E1.exe
| MD5 | 71ea672db9d86b923900c0f3b94c7821 |
| SHA1 | 98462a0587c7149ca3cf3d2dbce0c6fd5bf731d6 |
| SHA256 | f0f02ab000122169320b06374a34308307cebaa95c8292f7ec81823045fd8349 |
| SHA512 | 54cc7bad3d9129b102fb33d9f244b7286ccdcbdf77f877c8d01a8c06bcb76cacc9782352c054095525437e79a1cead522bc6bea6b0c4aaa4d154b9a0e6f187fc |
C:\Users\Admin\AppData\Local\Temp\304B.exe
| MD5 | f084ad968bc44bb8e96cde8388093c63 |
| SHA1 | 6c9658bb241fa52944a9701a94cba44eb11d61b7 |
| SHA256 | 83cfaf08eaa416269d41271ce0b47808b9cc552df240055b5ef58a50b24ede42 |
| SHA512 | b71d57616e49409feee18c540213783dd20fbb99031800672a0520fc0023bfac941ebba4443d62b72eafb8246dc34ffbfb2144484c2b9b0689a018c98c2aaa83 |
C:\Users\Admin\AppData\Local\Temp\304B.exe
| MD5 | 126a0ffd69efc5da1423d22a17608859 |
| SHA1 | c5ca5432dce9c0a6fb8fbea2bc4f6ed312a0e947 |
| SHA256 | a25352d06c0a58d508eccb21c4013daa8c67eeaa8ddfd2f4a0446ce09518e816 |
| SHA512 | cb24591ba9335f4da7e2de754f12ecf41463367a0734643136166b2f986d9b594b6722fef7b3eb51ed3d18580aa87f99eb18e4ffd52c0938027005ea30c4afaf |
memory/1904-385-0x00000000020A0000-0x0000000002132000-memory.dmp
memory/2540-384-0x000000013F960000-0x000000013FF01000-memory.dmp
memory/2260-388-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\304B.exe
| MD5 | 40ed442405732df986eecfc6f8efd233 |
| SHA1 | abaf6aa860a2475b1e8d7676f1b58d6b5ca43d46 |
| SHA256 | 4bdcd81b49e9836d08f7a4d63d9909d75e993327fc8a15c1cd08bcf3e6d81554 |
| SHA512 | c550f310a12f62325d53f5ae4168d274f734d4d43580aeb928c72461cadd49018eac0beb91d41daf673f9c33c86ccb7ba29de89b1045bddb90c74a1ecfc23bed |
memory/2260-392-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2260-396-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\304B.exe
| MD5 | 2f62c16c8492a26b47971302b5a54d17 |
| SHA1 | ab49d6a7eb0554608f38334769efcfa3ca21acff |
| SHA256 | 5b7251846f2d7e64cf9fad4d4f2573936cd0edbaeecb72cfe21ab3f9f05d5422 |
| SHA512 | 98280be6d7a952b7dde29e361b019b607c17ac8ed575e247143f748e77eff97156b4f73ace38d6b631c493c2676ddd5228657f4efaf2e82a51d3b130d07ce30b |
\Users\Admin\AppData\Local\Temp\304B.exe
| MD5 | f6a5b803ab673b33de4fafc6b1bb7eff |
| SHA1 | 6e0e54a9c20164da67b24aca7bfc7ee35910efb0 |
| SHA256 | 3c1a69928cf0c4c157c7af16d67fe607f1286544306c53a124b3436b8f7effde |
| SHA512 | 8a444ac7a0820cd37a240afda8d767d0240e6c88c76cb66fe005c221c7e37794a51e501f34f2f81700ac99dee4147f6bab28f6d86b201131e502b3978c2fc93f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 6978599ee5ce8a0ba68cf18bad088ec8 |
| SHA1 | 4ce4f129211a49f472871e3f2feb9a10479333f9 |
| SHA256 | 7450bedfa0cbc01d583c81fdcc63847332bc25d014fa176d2cdf9b578c08336c |
| SHA512 | 849d6ee708eccc42a2c77a97bf41a5e56aa44839fee3dbdd307187ea05267bd332d9dd76e883bacfbf3180046fa8d2ebf449e1361e24d6450e91772f52ca1ddd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35ac957f243b87ab40baff5076f1ed60 |
| SHA1 | ea1b5e685cbf7f33ee801d843919bc7918accfb7 |
| SHA256 | 68855b71a6fab9725c8c79c6fe017ffed9353c44c22c679e8201094700bbc0c7 |
| SHA512 | b97fcbbdf477a03ac7b63e3c795a1c3961fa96c5874d5daeebc56588049aa3090d774a224afda36db45c920d1bd0780d0e988cf094c6c8c9c27bfea86352b425 |
C:\Users\Admin\AppData\Local\12c682ee-73e7-43f6-9821-662c34806eb2\304B.exe
| MD5 | 7282b7e58cdfff787e4fad9c0318f6a3 |
| SHA1 | ee2b23d29115fd5992874aeda03d1c5625751076 |
| SHA256 | 257f33f1b9a4cbebd5d41ba25dd252f46a15af986373f7cf12e778f54825353d |
| SHA512 | 0cdd4b8d6d288ba98c11ab72f7aaaf4c48f55776a45518f5828f0708cdad45ee87be746ebc056f5504605d927aecdf09181b354e85c06b78ce68fab8d22192a0 |
memory/2260-430-0x0000000000400000-0x0000000000537000-memory.dmp
memory/268-432-0x0000000000260000-0x00000000002F2000-memory.dmp
memory/872-438-0x0000000000400000-0x0000000000D1C000-memory.dmp
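The dropped-file list above records the same path more than once with different hashes (for example `csrss\patch.exe` and `Google\Chrome\updater.exe`), because the sandbox hashed the file each time it was rewritten during the run. A responder sweeping other hosts therefore has to accept any of the recorded hashes for a path, and has to rewrite the sandbox user `Admin` to every real profile. The following script is an added example, not part of the sandbox report and not the sample's code: `DROPPED` holds three of the report's dropped paths with every SHA256 listed for them, and `demo()` runs the sweep against a constructed directory tree so it can be executed offline.

```python
"""Sweep a host for dropped-file indicators taken from the behavioral1 Files list.

Added example, not part of the sandbox report. DROPPED maps three of the report's
dropped paths to every SHA256 the sandbox recorded for them; a live file matches
if it carries any of those hashes. Profile-relative paths use a %USERPROFILE%
placeholder because the sandbox user is "Admin".
"""
import hashlib
from pathlib import Path

DROPPED = {
    "%USERPROFILE%/AppData/Local/Temp/csrss/patch.exe": {
        "c3602f6ec8464cfdadbf75326b2376f95479dba2f58a634f15dc97226650dab0",
        "999b95d3635b56e9be74512a405b13d1abd86ca13b130192303d818d4402b923",
    },
    "%USERPROFILE%/AppData/Local/Temp/csrss/injector/injector.exe": {
        "1038b904e5535dee9375d7cdf08fa087ebd1436075229d6d92c478c19e8ce2ee",
        "1bcc7c897fce5f98fea7f5f7ea5de672e0b916875e23bb8b11b964197eaa800f",
    },
    "%SYSTEMDRIVE%/Program Files/Google/Chrome/updater.exe": {
        "0ce615331005ba772eeca988c8ceeaf496f321567ed27f693c6c8ed79e85712e",
        "0e545970ba1e06eca9a4349514308b4513c5c7994367a7bf2242f7658ba5be18",
        "42c68a3e81af37d34d51580062efd1dde8a957d433c279084896959f80633e58",
    },
}


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a large dropper is never read whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def expand(template, profiles, system_drive):
    """Turn one indicator template into the concrete paths to check on this host."""
    if "%USERPROFILE%" in template:
        return [Path(p) / template.replace("%USERPROFILE%/", "") for p in profiles]
    return [Path(system_drive) / template.replace("%SYSTEMDRIVE%/", "")]


def sweep(profiles, system_drive="C:/", indicators=DROPPED):
    """Return {path: 'hash-match' | 'path-only'} for every indicator path present on disk.

    'path-only' means the file exists but its hash is not one the report recorded;
    it is still worth collecting, since a later build of the same dropper lands at
    the same path.
    """
    findings = {}
    for template, known in indicators.items():
        for path in expand(template, profiles, system_drive):
            if path.is_file():
                findings[str(path)] = "hash-match" if sha256_of(path) in known else "path-only"
    return findings


def demo():
    """Offline demonstration on a constructed directory tree; no real host is touched."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "Users" / "alice"
        drive = Path(tmp) / "sysdrive"
        planted = profile / "AppData/Local/Temp/csrss/patch.exe"
        stale = drive / "Program Files/Google/Chrome/updater.exe"
        body = b"constructed dropper body"  # constructed content, not the real sample
        for target, content in ((planted, body), (stale, b"constructed unrelated updater")):
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        # Constructed indicator: the report's patch.exe path plus the hash of the planted content.
        indicators = {t: set(h) for t, h in DROPPED.items()}
        indicators["%USERPROFILE%/AppData/Local/Temp/csrss/patch.exe"].add(hashlib.sha256(body).hexdigest())
        return sweep([profile], system_drive=drive, indicators=indicators)


if __name__ == "__main__":
    for found_path, status in demo().items():
        print(f"{status:10} {found_path}")
```

On a real host call `sweep(profiles)` with every directory under `C:\Users` (and the default `system_drive`); `demo()` exists only to exercise the logic on constructed files.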
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 09:29
Reported
2023-12-11 09:31
Platform
win10v2004-20231130-en
Max time kernel
115s
Max time network
102s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A066.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gigvugs | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\gigvugs | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\gigvugs | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\gigvugs | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gigvugs | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3244 wrote to memory of 3740 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A066.exe |
| PID 3244 wrote to memory of 3740 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A066.exe |
| PID 3244 wrote to memory of 3740 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A066.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe
"C:\Users\Admin\AppData\Local\Temp\0x00070000000146ff-113.exe"
C:\Users\Admin\AppData\Local\Temp\A066.exe
C:\Users\Admin\AppData\Local\Temp\A066.exe
C:\Users\Admin\AppData\Roaming\gigvugs
C:\Users\Admin\AppData\Roaming\gigvugs
C:\Users\Admin\AppData\Local\Temp\5550.exe
C:\Users\Admin\AppData\Local\Temp\5550.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\is-CA23O.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CA23O.tmp\tuc3.tmp" /SL5="$70206,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\5929.exe
C:\Users\Admin\AppData\Local\Temp\5929.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3656 -ip 3656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 328
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\E01D.exe
C:\Users\Admin\AppData\Local\Temp\E01D.exe
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F319.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F993.bat" "
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\B08.exe
C:\Users\Admin\AppData\Local\Temp\B08.exe
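The command lines above are the useful part of this run for detection engineering: a firewall allow rule for `C:\Windows\rss\csrss.exe`, a logon task named `csrss`, a Defender exclusion for the whole user profile and Program Files, the Windows Update services stopped, sleep timeouts zeroed, a `taskmgr.exe` injection helper, and `sc sdset` on a service named `WinDefender` with an SDDL string that carries a deny ACE for Administrators. The script below is an added example, not part of the sandbox report and not the sample's code: it runs a handful of rules over the command lines copied from the Processes list and decodes that SDDL string into service rights so the effect of the deny ACE can be read directly. Rule names and the ATT&CK sub-technique IDs in brackets are the editor's labels, not the report's.

```python
"""Triage of the command lines recorded under Processes for the behavioral2 run.

Added example, not part of the sandbox report and not the sample's own code.
SAMPLE_CMDLINES are copied from the report's Processes list; the rule names and
the ATT&CK IDs in brackets are the editor's labels.
"""
import re

# Service-object access rights as they appear in the rights field of an SDDL ACE.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}


def decode_service_sddl(sddl):
    """Return [(ace_type, [rights...], trustee)] for the DACL ('D:' part) of a service SDDL."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        # ACE string layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, _flags, rights, _obj, _inherit, trustee = ace.split(";")
        decoded = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                   for i in range(0, len(rights), 2)]
        aces.append((ACE_TYPES.get(ace_type, ace_type), decoded, TRUSTEES.get(trustee, trustee)))
    return aces


def rights_for(sddl, trustee, ace_type):
    """Rights a trustee is explicitly granted ('allow') or refused ('deny'), sorted."""
    return sorted({r for t, rights, who in decode_service_sddl(sddl)
                   if t == ace_type and who == trustee for r in rights})


RULES = [
    ("firewall-allow-rule [T1562.004]",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.I)),
    ("scheduled-task-create [T1053.005]",
     re.compile(r"schtasks\s+/create|Register-ScheduledTask", re.I)),
    ("defender-exclusion [T1562.001]",
     re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("update-service-stop [T1489]",
     re.compile(r"sc\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("service-dacl-change", re.compile(r"sc\s+sdset\s+\S+\s+D:\(", re.I)),
    ("sleep-timeouts-zeroed",
     re.compile(r"powercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0", re.I)),
    ("dll-injection-helper", re.compile(r"injector\.exe\s+\S+\.exe\s+\S+\.dll", re.I)),
]


def triage(cmdline):
    """Names of every rule one command line matches (empty list = nothing flagged)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage_all(cmdlines):
    """Map each rule name to the command lines that triggered it; silent rules are omitted."""
    hits = {}
    for cmdline in cmdlines:
        for name in triage(cmdline):
            hits.setdefault(name, []).append(cmdline)
    return hits


# Copied from the report's Processes list for behavioral2 (the schtasks /Query line is benign).
WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
                    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_CMDLINES = [
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force",
    r"C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc",
    "sc sdset WinDefender " + WINDEFENDER_SDDL,
    r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    r'"C:\Windows\system32\schtasks.exe" /Query',
]

if __name__ == "__main__":
    for name, lines in triage_all(SAMPLE_CMDLINES).items():
        print(name, "<-", lines[0][:70])
    print("Administrators denied:", rights_for(WINDEFENDER_SDDL, "Administrators", "deny"))
    print("Administrators allowed:", rights_for(WINDEFENDER_SDDL, "Administrators", "allow"))
```

Decoding the `sc sdset` string shows that the `(D;;WPDT;;;BA)` ACE denies only `STOP` and `PAUSE_CONTINUE` to Administrators, so `sc stop WinDefender` and `net stop` fail for an admin shell. The preceding allow ACE for `BA` still grants `CHANGE_CONFIG`, `DELETE`, `WRITE_DAC` and `WRITE_OWNER`, so a responder can restore a normal descriptor with `sc sdset`, reconfigure the service, or remove it outright rather than fighting the stop denial. The ACE order is non-canonical (the deny follows the allow), but the allow does not include `WP` or `DT`, so the access check reaches the deny either way.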
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| GB | 96.16.110.41:443 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 88.221.134.33:80 | | tcp |
| GB | 88.221.134.33:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 88.221.134.33:80 | | tcp |
| GB | 88.221.134.33:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| GB | 88.221.134.33:80 | | tcp |
| GB | 88.221.134.33:80 | | tcp |
| GB | 88.221.134.33:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.211:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 88.221.134.33:80 | | tcp |
| GB | 88.221.134.33:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 88.221.134.33:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 87.248.205.0:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 87.248.205.0:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| N/A | 87.248.205.0:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| GB | 96.17.178.211:80 | | tcp |
| MD | 176.123.7.190:32927 | | tcp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d65248f9-4dbf-44de-8dec-412310ffd212.uuid.myfastupdate.org | udp |
| US | 93.184.221.240:80 | | tcp |
Files
memory/3132-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3132-2-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3244-1-0x0000000002F50000-0x0000000002F66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A066.exe
| MD5 | 921da1871f9e8b02b04492fe7a1496a3 |
| SHA1 | 9493ef9925b57c3ec73141e629e2d720de6a79f4 |
| SHA256 | 0b4c041ea625b40baee5649321a514182ec7ca2e51ea024258092d56d5bc80ec |
| SHA512 | 11b7c579fef0d329fe23a0e36d545c68c67beefbe5e3900dca9277aa1bc01e131c06c37806a1d66472d7e39985bbe40b425fa12513bfed9e0d6754ec15e95d58 |
C:\Users\Admin\AppData\Local\Temp\A066.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
C:\Users\Admin\AppData\Roaming\gigvugs
| MD5 | 284868406d6bbc0bf89325b311c325ce |
| SHA1 | eec0e1b6bd29fd60bb980186969d04392fe0a3ca |
| SHA256 | fd3b5cae25f6e183b1d917bd9074662c7526ead9c307279d25cd979cd8805cb0 |
| SHA512 | 550f5a20bd8fd4d4398b218c19a5f97a6bb07da826bff1398cfee1ad7cc80e67293716496236654fb252cfc848f77932ae80fe01053a60772f9d0270eb4bcd30 |
memory/2772-14-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3244-15-0x0000000002D50000-0x0000000002D66000-memory.dmp
memory/2772-18-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5550.exe
| MD5 | 3a872e27d4179be5943b1392626b7896 |
| SHA1 | 0e877ddd4e3f3bf94de1ae0e1eee183c7971be6b |
| SHA256 | 5619320553c8d582880ca58d8af99eaf3b23980e5cb40f48f234d03b2652eb84 |
| SHA512 | 579b5c1299e58a9058dbd1554b1f7410f154e027b9c63f7ce4831ec4f41d799b9cff58a46ec216b90d6dfcbe66ffb5f849cdc3c570c5c516ae4e45aedc41e4e0 |
C:\Users\Admin\AppData\Local\Temp\5550.exe
| MD5 | 12fe4e81def25a33fc8c7616d2170a81 |
| SHA1 | eab1943255dc2581e782ed080889d788773db289 |
| SHA256 | 409fc168007cfe3c41a703bf71b26c2c9cb3f0ef37451368d76c7f572c9f1cca |
| SHA512 | b2decd83931f6a83f5395344adde020fe61e3afc2b1e95a4b068d42214f54eedfe13762d55fdd4b68cc003be476f301f40121b3aea61589ae5b8ec5e5f9ce7c0 |
memory/1756-23-0x0000000074C10000-0x00000000753C0000-memory.dmp
memory/1756-24-0x0000000000970000-0x0000000001E26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 1355b2f99ad038b464b264f46ec911ca |
| SHA1 | 2f036e87087714d51843a15e18bc965e2cfe4deb |
| SHA256 | cddec560d5d73d53d41160f108d73a4116022a9a82848c1fdb9cb2d1b6231265 |
| SHA512 | 75ebe981d7f76a726babc579dda8857e071179892f729ac2b208cfc0e91ee25c96bbf037fc6201a59b68321751181fa81a88491cb52e75a793f3a477824dafcc |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 8f6bceeeaed6ed15e872515cd3271010 |
| SHA1 | b83ed167d990670b2d0ef75effaeda7486482650 |
| SHA256 | 1058e97a69c01cbebd7e1f191761095a0691c774be868bc0521eedcd6d3f5f51 |
| SHA512 | eaf7b48f7b4cfe623a77627c08eaf67bfa0c21971966d4e84f83fd77aabe4410f985b58ad1dba4fac0463f95b313e4e7213a1ced4961cc8b190df14ebc37e4c5 |
memory/4412-60-0x00000000008A0000-0x00000000008DC000-memory.dmp
memory/324-64-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
memory/4412-71-0x0000000007B40000-0x00000000080E4000-memory.dmp
memory/4412-58-0x0000000074C10000-0x00000000753C0000-memory.dmp
memory/4412-74-0x0000000007670000-0x0000000007702000-memory.dmp
memory/4412-86-0x0000000004B00000-0x0000000004B0A000-memory.dmp
memory/1756-90-0x0000000074C10000-0x00000000753C0000-memory.dmp
memory/4412-95-0x00000000079E0000-0x0000000007AEA000-memory.dmp
memory/4412-96-0x0000000007830000-0x0000000007842000-memory.dmp
memory/4412-114-0x00000000078D0000-0x000000000790C000-memory.dmp
memory/4412-115-0x0000000007860000-0x00000000078AC000-memory.dmp
memory/1124-113-0x0000000000540000-0x0000000000541000-memory.dmp
memory/2620-243-0x0000000000400000-0x0000000000785000-memory.dmp
memory/2620-244-0x0000000000400000-0x0000000000785000-memory.dmp
memory/2620-248-0x0000000000400000-0x0000000000785000-memory.dmp
memory/3956-252-0x0000000000400000-0x0000000000785000-memory.dmp
memory/2620-247-0x0000000000400000-0x0000000000785000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-BO7JO.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
C:\Users\Admin\AppData\Local\Temp\is-CA23O.tmp\tuc3.tmp
| MD5 | 35de099cde3be3a71ebdc1a33b49d8c5 |
| SHA1 | cffa49a75e0a8a2c1f8fa28325a0e41cfc23a5ba |
| SHA256 | 07c3223e34f91793e1b90f982895d775d536fefa60c5f4bd557e6820cc1946c6 |
| SHA512 | 12f949a46102b7f5fb6b9c3f47831c303e2b39141cdfc40ffe20b36e164d61ac1015284fdd1c44e7ff522eae706bd50f8ea2a33431379e4dac95bdbf72cec109 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | f1fc1711dfece7a3d1bf443958c40fd5 |
| SHA1 | 0722e90d47b0cdec25c77418f49739b9a26247e2 |
| SHA256 | ca86af541528359ed6f0b89038adc5acc125759451de14688ced1a6be3fe6c96 |
| SHA512 | cfb10f4d6b0b138e14d3df7ff10d15e484b515bbdee329a0c08fe5851fd5832fcfb8848da1b59859721fa6cce088092a77065e7193bfdb6e26dc76a68f32cfc6 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 3b93c970bd35ee2573e897b2fad05229 |
| SHA1 | 47cd1ebc5b6158b0043711bd2a8da5c373f9f181 |
| SHA256 | d287dcfcd3fb380e0dc6ddaa961659919dc916cfcdb50d4d2bc9af1cefdc202a |
| SHA512 | d8aa559adc75f8e409dface0b71a9a0b72c6c05ea297eaba99c3fbc349292d406caceb7906966fd04176295891ebe749e3f5128ec94aeb175c1a295ca6c06428 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 966d29df1c138b0473de934dccb82408 |
| SHA1 | f444cfc98e6bf6966dfe103904326faa3f6d902d |
| SHA256 | 16eba7f7f676acccc13e640eabb4b8f5453a8f808224c9ab602d15c4a6e23ac7 |
| SHA512 | a8a9a95b765e79b72361fe987f419c247f47614a94b61b9e182c66b5755c8c6739103cf1867cbcf3c602760d0c742f8e68c3571739c5c32bb7aae25df56d853f |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 86efd3606640f7024b60c48f8d202373 |
| SHA1 | 204f7d904c3e7d1e91415c1dd93e4047f4799526 |
| SHA256 | d0e0b5bcfbc3d81f39680cec6eea39ee2efb4214c8e8a5dec35d149f18c6a9c0 |
| SHA512 | 6a796633b049ab5bb85342b52ffdc341daf6d16854b41196cc5378524553ed654f5feb3462171c38bb2de84ac1a22d670c6f83055199c6bfdfd2227f3a730b13 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 18b414da213d720c6666c6af7dbda045 |
| SHA1 | fc2d35e01d06f579c99341ab8109e204188cc43e |
| SHA256 | 2610b59707af017b55f8ecec5b00deed79f0b9a3bfabdb9e025fb5790df759b2 |
| SHA512 | c47845e97fb43cf57b6cf5c1732f9a5b7625585fb40627a51991e0d9c02aefad139e78b73ff80a00fe23f198a6fb2156e1c835bd7402dfee4a696397974b9afb |
C:\Users\Admin\AppData\Local\Temp\5929.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 341d0e0ad849e9d414287058381d6c2c |
| SHA1 | 3ac01cff9072d3f6230ed9540c08559dd5ead7af |
| SHA256 | 271cd2d04c77bdafe0ac5820b12a3d39263025ac217a6b9ddcfb5910c8b66e0b |
| SHA512 | 83b225effd5021cd0d23fab7380373688851b7e19b7699c1887f810503dee1ed72b61527a93a526d0f8f2ab02852dddbc429c6d02017e110670b27d9873cf131 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 8306c1b91c2f0f476ef9c280b498be09 |
| SHA1 | 656d3d53a023a5b193e87ee8a330077d9b7baa00 |
| SHA256 | 534b91c59b9872830b38dd9b63e9403fbe210dd801d87fc20094d8ee79ef1190 |
| SHA512 | ac5496aa2539963f9d80cf04204dd1452ce4406cdd8a264f42a396ff0d9c1faeec9bfe0ca8055f579df7156dd0f937514247afdb8c7dac44c2955aba5e7faefe |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | ae7230ec58e68d2de83404f3cd71eb56 |
| SHA1 | a9d397d4462c709cb8d11726b5f11900b5e18eca |
| SHA256 | 6d2905371b4b5678622b952998acc9ce6da969e05ddedee5968c997742e9fd8f |
| SHA512 | c7ba8c1778b9497c1c8c03cb05e046b795f7673227684852654186bd11fa83eaef30993431f098c6bff2ea7ed69f6bb551c31bc46d40c5b90f596bf9b2409a36 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | a1b8f9d64331687ab95e3fbe7d27fee4 |
| SHA1 | a90fc7b065cec0332d3856acf2a7f7a231680f9e |
| SHA256 | f62b678813a07c1fcfb3f905351fdcbeabc97820a61d9f45529b77bffc23d0ed |
| SHA512 | 0ef6a98fcefa00d309cf2195743124cf4960a71b3c65ee0c143ff87797fa1b780073f92141d4055f9857d5da39cf37042e8a2ce2469e4605ae9a9d25637754fc |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 5e5032296d50435725b3dbeab1ee3dba |
| SHA1 | 212c1bf92d18bd04f1bbcfcdb641881552660b94 |
| SHA256 | 06f6fd83dfe8245ac6acdf50a762e406854af8f6f962be65fcfae87eeaf5b4a9 |
| SHA512 | 1e82416120baf9bf880eecfc546565fc5c575f3e80365bc459ccce1befae0c3e220712683f24c4a94e899e69728f3f4ae7377538bf1f0a1121fb173e3ce4820f |
C:\Users\Admin\AppData\Local\Temp\E01D.exe
| MD5 | eba58cca44ab2e7b9a9be4688056fc57 |
| SHA1 | 0e289ff1dcf359bf5a63239b75977e3703faed7b |
| SHA256 | f434c5e93238f46c4c74a3c639cb282e9cd9dad42e3ce551905710c8ba9fdaf2 |
| SHA512 | 26d6f454a662566ce3c770c5d88baea9563b85a04bd903ddbdff19ca83e9c1e1eef70ce412cf03a23ed4ac4d801b8cf12c4a9861a921e901f69a7d837fee4055 |
C:\Users\Admin\AppData\Local\Temp\E01D.exe
| MD5 | af465b78b80d64928d8d665e44826b0a |
| SHA1 | 3b797341aa9264b27e6c9e32e0d6ce9d486347d9 |
| SHA256 | 26bbcacee66197b06087fd4c78feec4e14a18bd301573558193f72fbee2717ce |
| SHA512 | fb3ec65627ac6f97be1a49254227fc9a530971b83b7842426b5af6ef36b9c0c353589d3dd4c6b1608dbdb2fa3add58b3e4221d722f42a9b2b1acd1f00df0353e |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 8c36e758cc4028b355fd05bd3367e08e |
| SHA1 | ea07e4c961dcf242ec452f9b35d459bb78689018 |
| SHA256 | 351159751953139da330016a64e7884dbe20a929a2a38a70eb97ad49f1f91502 |
| SHA512 | 95ec076d66bdfee679f48e9b0a05ac7ce99b87b101db2e490dbbd30195c3c72f068a839c8b63788012b176a6136c68c7810287929a1baf3e9f039c13fccc5ef7 |
C:\Users\Admin\AppData\Local\Temp\F319.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Windows\windefender.exe
| MD5 | d76badadb5d24d4c6bfd550ad15be9a5 |
| SHA1 | fae90c9eb05b89a39b9fb1d4e17c67c96fc2714b |
| SHA256 | 1ef161c26b3803cf5e539bca1ee357c6bfc7281bd4ff1d7b5dea378fa19567fe |
| SHA512 | 402640c7d2ff643e028761b27cfdc41c3690eabd0fb6edd5f8562a8cf2ab36ebfdca0f591654a10375304b26c21d4130cddb9c624bab6c2d62808516499e60d2 |
C:\Windows\windefender.exe
| MD5 | 7aecda68668c42afc88bae0dcfa0e01d |
| SHA1 | fd668968aae5d64ba4aff0310e27cea016629097 |
| SHA256 | 41c2ca554b14dc011c52916f7beabac57942507d69d223e6013cfd544261cdc7 |
| SHA512 | 4bc8890025994bae15f11013b58dbab80c5806a009260acf575d294e106cf16a7a4b4fcab9ebe96314113eada8372890383116de79aae096b40fd319b6e2c6a2 |
C:\Windows\windefender.exe
| MD5 | e0682f4022e499a83c723bbcc9354b8f |
| SHA1 | b50dad3dff37b057a4ba53fb8029c1c59be8cbbc |
| SHA256 | 56833bcb7684207ae7bbdaa5fbcb57bb53ad29ef09935b29794ad6ae2c1ba641 |
| SHA512 | 431a976d4f29dd84394564c1cdc0bc65c9e3aa6a8d0f893aeef77ece645a971a5eb042303f8f655cfec5e1b5cc1c9987e137ee806384c9f01d2514e8fbd99e29 |
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 2796f38d31fd9052eae9764ab56a4aaa |
| SHA1 | d12f844536c114c467ae5e74d4c943ddab5ca90a |
| SHA256 | fc1c16a7e4c080b7e35a7d8a1408159f8162a2fabf4fef162042e6244012a809 |
| SHA512 | 9fd4a70a519a2eafee5a443e05f9860f00742119dbb6c6bd9af47d81f57470a7f3a74b9bac29c5bd6e4026e3e8dd91d8c26a674af462b6f6054af331697b2b2a |