redline | 9371ca0ca0eb53e4f9359d9a98eaf6230e59da36630eb798e8bed18643026544

Analysis

max time kernel
57s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca627643bb7b7b47e9a5df13b9e3965d.exe
Size

38KB
MD5

ca627643bb7b7b47e9a5df13b9e3965d
SHA1

c2628970d91a3170c169074849ac6e9f1e0a8bbc
SHA256

9371ca0ca0eb53e4f9359d9a98eaf6230e59da36630eb798e8bed18643026544
SHA512

4e305286fc33b0b7c91f4fc8385bd2e9306c69ad98157113255c1505eeb8bb6aaf9b27b1afd0dbd2daaedde4b6b79b0d4ff9654376b90bf817157e894badfc72
SSDEEP

768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

Score

10^/10

redline smokeloader 777 livetraffic up3 backdoor evasion infostealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:13856

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

777

195.20.16.103:20440

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4076-213-0x0000000000400000-0x0000000000490000-memory.dmp	family_redline
behavioral2/memory/4856-696-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2452 netsh.exe
Deletes itself 1 IoCs

Processes:

pid process

3468
Executes dropped EXE 1 IoCs

Processes:

26DC.exe

pid process

2740 26DC.exe

pid	process
2452	netsh.exe

pid	process
3468

pid	process
2740	26DC.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3432 sc.exe

pid	process
3432	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2372	2720	WerFault.exe	toolspub2.exe
3392	1936	WerFault.exe	explorer.exe
2004	4792	WerFault.exe	explorer.exe
2612	1052	WerFault.exe	tuc4.tmp
3460	4864	WerFault.exe	explorer.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CEE8.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\CEE8.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ca627643bb7b7b47e9a5df13b9e3965d.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ca627643bb7b7b47e9a5df13b9e3965d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ca627643bb7b7b47e9a5df13b9e3965d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ca627643bb7b7b47e9a5df13b9e3965d.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3048 schtasks.exe
2424 schtasks.exe
Runs net.exe

pid	process
3048	schtasks.exe
2424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ca627643bb7b7b47e9a5df13b9e3965d.exe

pid	process
4700	ca627643bb7b7b47e9a5df13b9e3965d.exe
4700	ca627643bb7b7b47e9a5df13b9e3965d.exe
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468
3468

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ca627643bb7b7b47e9a5df13b9e3965d.exe

pid process

4700 ca627643bb7b7b47e9a5df13b9e3965d.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 3468 wrote to memory of 2740	3468	26DC.exe
PID 3468 wrote to memory of 2740	3468	26DC.exe
PID 3468 wrote to memory of 2740	3468	26DC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ca627643bb7b7b47e9a5df13b9e3965d.exe
"C:\Users\Admin\AppData\Local\Temp\ca627643bb7b7b47e9a5df13b9e3965d.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4700

C:\Users\Admin\AppData\Local\Temp\26DC.exe
C:\Users\Admin\AppData\Local\Temp\26DC.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\5494.exe
C:\Users\Admin\AppData\Local\Temp\5494.exe
1⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
2⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\is-N3U1K.tmp\tuc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N3U1K.tmp\tuc4.tmp" /SL5="$3020C,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
3⤵
PID:1052

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 23
4⤵
PID:1556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 23
5⤵
PID:1044

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -i
4⤵
PID:3336

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -s
4⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1080
4⤵
- Program crash
PID:2612

C:\Users\Admin\AppData\Local\Temp\etopt.exe
"C:\Users\Admin\AppData\Local\Temp\etopt.exe"
2⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
PID:2428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
PID:2220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:884

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2976

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:1428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4376

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:3556

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:2424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:3376

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:3048

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
2⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\nsm7C33.tmp.exe
C:\Users\Admin\AppData\Local\Temp\nsm7C33.tmp.exe
3⤵
PID:2772

C:\ProgramData\Java Updater\3q59375o5.exe
/prstb
4⤵
PID:4528

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
5⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1124
6⤵
- Program crash
PID:2004

C:\ProgramData\Java Updater\3q59375o5.exe
/prstb
4⤵
PID:2976

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
5⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1084
6⤵
- Program crash
PID:3460

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
1⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 328
2⤵
- Program crash
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\5BF8.exe
C:\Users\Admin\AppData\Local\Temp\5BF8.exe
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2720 -ip 2720
1⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\C8EC.exe
C:\Users\Admin\AppData\Local\Temp\C8EC.exe
1⤵
PID:1916

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1120
3⤵
- Program crash
PID:3392

C:\Users\Admin\AppData\Local\Temp\CEE8.exe
C:\Users\Admin\AppData\Local\Temp\CEE8.exe
1⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
2⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1936 -ip 1936
1⤵
PID:4320

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3152

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:3432

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4792 -ip 4792
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1052 -ip 1052
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4864 -ip 4864
1⤵
PID:4044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
Filesize
380KB

MD5
9a40dde765696f1d06aea672c280ef43

SHA1
118aa0a4e630475e4d817f29989db930590e4f24

SHA256
9d50f0bc11bcfd9bbf70819f7bef59c8e8b0809031ecf85555a19e9d7171cd7d

SHA512
6d49a3d320bba3972f8ba962e322c17d56d00ffa9039d3ad5525a635f4ea36edf8bb569e9b3dbdaa16fa4389c26ea4dc1ebf5138b8692ea19da1b6d4c98d38ac

Download Submit
C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
Filesize
271KB

MD5
b6590e1c07c5207e471cd280b68b1028

SHA1
fc5b922015ae92e6d9325fddac0d3d30ab3b468c

SHA256
f02d203e5af82347e624d0fce898ad4b39d2f364ecfc18da970ef53d8e14cf4e

SHA512
e95423ed2d7aaf6109fc0c1a704ea9d2abadfc1605b4c3c5e319403c095b639b27ea6b155e1af9fb5ec312cf8f9b36a6337303355430d4a506f8c0ac2b803960

Download Submit
C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
Filesize
516KB

MD5
ec3f9a77b76a307e516c3b614071ba26

SHA1
016c173b6cc12f86f3a465afa0bac7277f87c102

SHA256
6ed783fefc2fef386db4f90a71c12079e788a63ee9ac652d0f5cb1bddc56f2b9

SHA512
a05944047df0ab3840607bc298ace120e1c49a9ccf0818431a47d8c3192ff7cfc1fe2a02b383154e8234fd3290b9c4c91c7a80d475d97d7377bd2a376c5159d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
553KB

MD5
1c391108709ec2ff626099b0412bb832

SHA1
17400ca8c1f89ce696ec316b4b06d47bd8207b7e

SHA256
173b755b8bd10eb76e034ee5a2ce29b7e0d0c2422b6e336ce63526e643f4045d

SHA512
aac5a48ab0322e0a6e16be13bc0bd42bd0d678a991c6f31282133c7709d92746a34081045508a707e7d0df9b974a7e5ab7bc79bf70ef119b905d4cdf026974cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8EC.exe
Filesize
306KB

MD5
16dcefd8b5106cef494e49c210c2a267

SHA1
7f1ff510818dfab8f3fec0783f249b97c3d19ec1

SHA256
670661c8bf9bc088f963921f2271754497319bf6d89a4deac68c1593d5e8286c

SHA512
c69d2eae22c574fc097ffafcb05bad1efacb53756fd18104058b011239cdadb4daf4453e3b62def82b69d295e76eabeeb3edbc248e76ad36e34b7fcf6056d7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8EC.exe
Filesize
100KB

MD5
e7c02c363b90ca101430b65ab35b1f61

SHA1
c81da60d946aafaf439e4c778275ae905e3738aa

SHA256
202d884586acd6d453d9a7fc57e2b214263b0a200c1d50e8d27bf09f0e8af7df

SHA512
0dfc9d30a95a54c3de0434fa3407c399b42037f1019e8f5ee5fe47970f5d8d398e5dcfaba93496a64936c629948ff17f96165e90432e08675cba6d496c66c0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEE8.exe
Filesize
90KB

MD5
9855a14cc33342ef94a76e755aca5bd3

SHA1
f56e3291dc2a5bfdf905f73c4a51e11f6f0e6267

SHA256
0f31bcc24f864c3514a8b2eac11c34cd089c10faf9d685ba91ac4ec86102c50e

SHA512
3bb3303dcc4d3a995de73876922c443a815e42ab4f721ae398144cdea3c705f3869326b2a77de3d91ddcbbc80c7b56b3f3d3e7ad3b71de1a05604115e2cfba48

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEE8.exe
Filesize
164KB

MD5
dcb2611462bc31e2d09dcdc27ea50ca3

SHA1
16dd62c1c37e83fc280229a45874f38c86a0ca18

SHA256
3de3bb7a251a69eef9988cc4416d77c02cf9e6f7ee0bb26d8031977c6317972d

SHA512
cd947e899f085018b68bc413be52dff137cc833238e502f50bbe81498f4242e8e45a93f19143d1d05df9de8cf41c39b5afffbb4531c0b46510c537d50ab076f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
274KB

MD5
ef82415a1fd5513f897835cb8e1654f7

SHA1
5808d1575fa6cc1f7026f207d2cce68862c557a0

SHA256
1da299e1cc90982bc1b5b39473de7d214d7f9ce85a5df6441511cdcffd614762

SHA512
9e4f8b58deff8c41620173fafd2ca76c30903f5229e29c9ce1177e049f2e109eee28fe1d138d5b17f2814cf762416704ba1752247562d46da06fbef8679ed247

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
Filesize
131KB

MD5
95d092fbc38e648cdce1900541ae77a7

SHA1
38cce2210c3f6cca8be3087da51a2afdfba99b79

SHA256
d4bc3a00c1e324d6627300ad8dac2d6867f5ad0040763ed33df09ed0a0c60d4c

SHA512
9ef4ee2704fa149b9ed4bb7ac534a3a3aec57e271285e35445cec2974e1a6107218cd37d5ca1120d2747e6f65da423c2e2f105d03aa19d41cc60f0a0a6ecba37

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
Filesize
71KB

MD5
34d19ef78dffd13491c8cb71d0647816

SHA1
a42ed922ffb7738412500aec05b0cd8dd0f70441

SHA256
808ba1ff464426125d1df97957952e6d1d27285a739378b6b5eadc69a88837d1

SHA512
129cac556b264c673e74d5109b61f62b15f2f7c85583f5a931ec06a633fcaa81d529cb5fcb423103ab0649254dc80e564c8667fe58417ca5e7a8b4585061ecb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
Filesize
139KB

MD5
158f8cc01e008080e5646b14ec3eba91

SHA1
619ed3b67807466c31b0880199021190d9714aa0

SHA256
32e42787ef5817afe574208372906c33d167d79c78df33284a899c8335004b8b

SHA512
16db8536eac827f0a9fa839b114c89a39cd7b8a79a5a6ac00bb3910845771c7ae6e8e1b6525aa3072431c4f702b6dc48ac56d26446deb69dab3def8bd41599ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xvijtgvs.w0r.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
200KB

MD5
a941425edf3b8ce72b7f9f8b93018c91

SHA1
69d5ae0d670c53ca4e3b50972df51f0161e8964a

SHA256
5e5681bf09d88576a67882e98b5654f6db5e91d0754f7c477b851dffee0819d3

SHA512
b9143342125eaa5e276dfd083f749a9becab61ecf9c33146af6e4ce2db7db64bd5333656ac3d309ac7d6ead86180a417864bed6f98c877c1be19d0f8f692c64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lib.dll
Filesize
130KB

MD5
925625b0b4a9955bfd087c1c1eb3f8a9

SHA1
95b8ada897b256c28329952fdc3a21da6fc0886d

SHA256
ca8b1afa647502deb22dc8c3b9d9fb4063aaa28e97862d6e9b12b395744c64f4

SHA512
097000c42bad5a0189e73e59f74476e8ea68c33cdeaf254a292069d2fe4ab341060cf9652a81dfa9628be2760b74b66d1f1dcda6ed98f6a6e8d29a8686b993c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm7C33.tmp.exe
Filesize
203KB

MD5
f2c2ace5cf5586561435ad976cec504f

SHA1
3b5f659bc71af6a43aef7e84cde376851a4180cf

SHA256
1079c8fcce2384decedb0ac36050f57174ea968187a96e17d16f773cc619a801

SHA512
b82b3d79b33a9c2a6da278661c5656e7366a051839a932651a9a9c0ccdcd54232c4f3a0c826fe6fe566f47437832164482797c5b7e4ddd21ece0ea33c1ff72b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn588D.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspCFFE.tmp\System.dll
Filesize
12KB

MD5
dd87a973e01c5d9f8e0fcc81a0af7c7a

SHA1
c9206ced48d1e5bc648b1d0f54cccc18bf643a14

SHA256
7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

SHA512
4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\ClocX.lnk
Filesize
1KB

MD5
3e7ae4395ac1a2eb5553abc2df077960

SHA1
374f2c0228716755c24278d8bb061ed3099256a8

SHA256
409d60a370891fcf4042491a72131ba7ddd4de527378eb3d3e36f9279f8fca53

SHA512
ac7b6cb02368b8b7d8c31e1f920bbf003abba41c34fd098bcb393af85b92d897ccff8ac4d838673cd7864b38861a2c1132162857f831b974f321316c336231fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\Uninstall.lnk
Filesize
810B

MD5
a0cd396c552636b8ee258d5749addbd0

SHA1
2733a6b57d7e4a18116d9cb7d0e60e3bf8992d58

SHA256
dd628d9d02685c4596aff637fe804d545abda5b693eefcb5b7d39f798d0e33ee

SHA512
e7169a8160823f292fc05f79ea2221f62a08074dc24f38dc523ead68bd4f2812579107c8d714607d671e43c7d2c22f0ffed5448f606679188ea470caea14af14

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
9a2693ddeab0126e138164b6aa8d3562

SHA1
4559a1857bce864ba25a526f407c1d6fbc712007

SHA256
b411a5454405fcc4204d61fa9108f2da57cb2555ac18f6e517c2f25cc8f7777b

SHA512
7f72ee1c34e835b6f08da649c382f0a2900bec030b45bf99f736ea465f42c248fee3211162b0034d5a6c652b45b4a1836f8ed8af006d62c54ae225718867bbbf

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
2554b042a692ec2a269caf4c28781d6f

SHA1
fbf11eb95a01951d81cd002efede2150493b7269

SHA256
6036b94163fccc1b643b65774c509e5ae22d0974c7396ecd9d2abb125dbaee2e

SHA512
0806ec820a9b21444b64c6dd24421b1d9e973cf4bdd6f0245cd24c740f24b05d6bb8982a6ce0be049ac8f27884aa7cf2039060f7d46ac2bba8beeea70d8f987f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
181199697f45cbd395645df289ae02ae

SHA1
007a93db1a04fdbd69db3ee263c91b1c63fbdf55

SHA256
f6b2aece8081360b874ed6de33bce440dcd911331404826d33df9796526680b8

SHA512
905f474aa22d5c154ff493e97cdcca22a97b88465a1a454749953badd351f8b8b118763488675e3f4c97ad6a84fd3eaa0fabaf988bd658c48b86b362305a36ea

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
57ca6f3f6af2f2267427b0c3b4437fd9

SHA1
e7986459aeb76c3f30dd7de8eac1c826ce96dd88

SHA256
180270470f1581a18545d1eacc2241286a3253c21515bbf6ae7d311e08167c91

SHA512
9102bb134a0581c3a4c48318eaa9faa83436e7a8ca4ca35f82e74a9c1c290b8c2c344a959f5112e085b17ccb130bc65f328a899b34cca272a0d954f57096cf13

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
dc7ddc77b895c2f639d17692b6ed9cfe

SHA1
8b3e05fe29c027377d6257845a89edd9967fe90b

SHA256
2dda5442511662946f8e028658930bbd4a7c080c6be0a735a724ef63db69c6a9

SHA512
eadc64f2b6191639e1f0edc90140cfbc84bb79892a06edd95072dec4eed6245da88b5b057330099480cbe1e38b281c1144b7863aef36b3697bfa3739ff4d39da

Download Submit
C:\Windows\rss\csrss.exe
Filesize
335KB

MD5
fce059c787b0520a6a97313c9d734769

SHA1
8a65976b0c461a20e2bd333ffbe527bab50cb60c

SHA256
08cbbbfda85824d8a8173927b843ce5131f53cb24a0debb4daa8666e93b1d643

SHA512
6df36d63aa9c74f7df3f50d050524120b9f1922fcfc14c3ac139149e5a83c6778d0081b5676bac2131991d417d378d5da7d9f5a4e1090a0d5fe4cd8f173ff558

Download Submit
C:\Windows\windefender.exe
Filesize
102KB

MD5
d162efa8c03e4a67e82f898912786736

SHA1
e64912d39f274a6ac929e4d16dd5f203fcaad203

SHA256
b82d694e92141296f00847570a3a180dee5d34946391b963053c8a5f5369bbc9

SHA512
1b8b9426908209af82ba0cc52a81b82818a0e01e7f0ef7ed8b500a5bf24043544c052e7041bd2a20eaef84cc4dc792597409f90c2b93101195cab5fd8045b79f

Download Submit
memory/552-150-0x00000000005A0000-0x0000000000640000-memory.dmp

Filesize
640KB

Download
memory/552-221-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/552-196-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/552-205-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/552-178-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/552-211-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/552-266-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/920-757-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1052-132-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1052-589-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1428-844-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1916-833-0x0000000000920000-0x0000000000986000-memory.dmp

Filesize
408KB

Download
memory/1916-828-0x0000000000010000-0x000000000006D000-memory.dmp

Filesize
372KB

Download
memory/1936-841-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1936-838-0x0000000000660000-0x0000000000A94000-memory.dmp

Filesize
4.2MB

Download
memory/1936-840-0x0000000000660000-0x0000000000A94000-memory.dmp

Filesize
4.2MB

Download
memory/2220-758-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2428-89-0x0000000002AD0000-0x0000000002ED0000-memory.dmp

Filesize
4.0MB

Download
memory/2428-566-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2428-94-0x0000000002ED0000-0x00000000037BB000-memory.dmp

Filesize
8.9MB

Download
memory/2428-520-0x0000000002AD0000-0x0000000002ED0000-memory.dmp

Filesize
4.0MB

Download
memory/2428-518-0x0000000002ED0000-0x00000000037BB000-memory.dmp

Filesize
8.9MB

Download
memory/2428-130-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2428-725-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2720-85-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2720-76-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2720-539-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2740-128-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/2740-13-0x0000000000C70000-0x0000000001036000-memory.dmp

Filesize
3.8MB

Download
memory/2740-14-0x0000000005A20000-0x0000000005ABC000-memory.dmp

Filesize
624KB

Download
memory/2740-12-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/2772-877-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2956-108-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2956-131-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/2956-133-0x00000000045D0000-0x00000000051F8000-memory.dmp

Filesize
12.2MB

Download
memory/2956-206-0x0000000002B90000-0x0000000002BCA000-memory.dmp

Filesize
232KB

Download
memory/3264-20-0x0000000000410000-0x00000000016EE000-memory.dmp

Filesize
18.9MB

Download
memory/3264-19-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3264-92-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3336-599-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3336-593-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3468-522-0x0000000000D10000-0x0000000000D26000-memory.dmp

Filesize
88KB

Download
memory/3468-1-0x00000000079D0000-0x00000000079E6000-memory.dmp

Filesize
88KB

Download
memory/3720-538-0x0000000005D80000-0x0000000005D9E000-memory.dmp

Filesize
120KB

Download
memory/3720-524-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/3720-551-0x000000007FA40000-0x000000007FA50000-memory.dmp

Filesize
64KB

Download
memory/3720-567-0x0000000007480000-0x000000000748A000-memory.dmp

Filesize
40KB

Download
memory/3720-572-0x0000000007540000-0x00000000075D6000-memory.dmp

Filesize
600KB

Download
memory/3720-575-0x00000000074A0000-0x00000000074B1000-memory.dmp

Filesize
68KB

Download
memory/3720-576-0x00000000074E0000-0x00000000074EE000-memory.dmp

Filesize
56KB

Download
memory/3720-577-0x00000000074F0000-0x0000000007504000-memory.dmp

Filesize
80KB

Download
memory/3720-565-0x0000000007390000-0x0000000007433000-memory.dmp

Filesize
652KB

Download
memory/3720-585-0x00000000075E0000-0x00000000075FA000-memory.dmp

Filesize
104KB

Download
memory/3720-507-0x0000000002480000-0x00000000024B6000-memory.dmp

Filesize
216KB

Download
memory/3720-564-0x0000000007370000-0x000000000738E000-memory.dmp

Filesize
120KB

Download
memory/3720-554-0x000000006B6B0000-0x000000006BA04000-memory.dmp

Filesize
3.3MB

Download
memory/3720-553-0x0000000070930000-0x000000007097C000-memory.dmp

Filesize
304KB

Download
memory/3720-549-0x00000000077E0000-0x0000000007E5A000-memory.dmp

Filesize
6.5MB

Download
memory/3720-550-0x0000000007180000-0x000000000719A000-memory.dmp

Filesize
104KB

Download
memory/3720-548-0x0000000006EE0000-0x0000000006F56000-memory.dmp

Filesize
472KB

Download
memory/3720-547-0x00000000062E0000-0x0000000006324000-memory.dmp

Filesize
272KB

Download
memory/3720-511-0x0000000004EF0000-0x0000000005518000-memory.dmp

Filesize
6.2MB

Download
memory/3720-508-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3720-537-0x00000000057E0000-0x0000000005B34000-memory.dmp

Filesize
3.3MB

Download
memory/3720-519-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/3720-526-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/3720-552-0x0000000007330000-0x0000000007362000-memory.dmp

Filesize
200KB

Download
memory/3720-523-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

Filesize
136KB

Download
memory/3720-521-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/3876-81-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/3876-268-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/3876-586-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/4076-269-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/4076-237-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/4076-213-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4076-248-0x0000000005A20000-0x0000000005FC4000-memory.dmp

Filesize
5.6MB

Download
memory/4076-276-0x0000000008430000-0x000000000847C000-memory.dmp

Filesize
304KB

Download
memory/4076-275-0x00000000082B0000-0x00000000082EC000-memory.dmp

Filesize
240KB

Download
memory/4076-274-0x0000000008250000-0x0000000008262000-memory.dmp

Filesize
72KB

Download
memory/4076-273-0x0000000008320000-0x000000000842A000-memory.dmp

Filesize
1.0MB

Download
memory/4076-272-0x00000000068B0000-0x0000000006EC8000-memory.dmp

Filesize
6.1MB

Download
memory/4076-253-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/4076-270-0x0000000005500000-0x000000000550A000-memory.dmp

Filesize
40KB

Download
memory/4336-267-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4336-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4700-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4700-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4788-72-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/4788-75-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/4856-696-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download