Analysis

  • max time kernel
    69s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-02-2024 13:01

General

  • Target

    056d02ea6dc581ad442aee7313ac4a3b.exe

  • Size

    254KB

  • MD5

    056d02ea6dc581ad442aee7313ac4a3b

  • SHA1

    700f0c0942dbe394c770af54034460f5890081bd

  • SHA256

    ea98c56328b0659d7bfe4a2a04cb0a4c6c10ad5ce9f05c305b9264f305095c86

  • SHA512

    d5f3510f604cf8fe33f5055e490c14a1952f8ae2a66c3ae5a24e7e90783c48e7c7d5774b1dc8e17391a9c3c9551f523ffd9693ffb0263dff05621ad3cd8c6190

  • SSDEEP

    3072:nTyaDCKblRBnWMG9ZVeQfLYbEtbtExMub+nf0LOAtmAGqTgREilXzdQ5zpq/:GHMNU2Qf0gtKxR+nfEmAdT2EihJ2k

Malware Config

Extracted

Family

smokeloader

Version

2022

C2


rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

lumma

C2


Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 4 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 9 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe
    "C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:5428
  • C:\Users\Admin\AppData\Local\Temp\80E8.exe
    C:\Users\Admin\AppData\Local\Temp\80E8.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\80E8.exe
      C:\Users\Admin\AppData\Local\Temp\80E8.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:836
  • C:\Users\Admin\AppData\Local\Temp\9442.exe
    C:\Users\Admin\AppData\Local\Temp\9442.exe
    1⤵
    • Executes dropped EXE
    PID:3140
  • C:\Users\Admin\AppData\Local\Temp\96D3.exe
    C:\Users\Admin\AppData\Local\Temp\96D3.exe
    1⤵
    • Executes dropped EXE
    • Writes to the Master Boot Record (MBR)
    PID:1912
  • C:\Users\Admin\AppData\Local\Temp\9CC0.exe
    C:\Users\Admin\AppData\Local\Temp\9CC0.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp" /SL5="$A0230,2248936,56832,C:\Users\Admin\AppData\Local\Temp\9CC0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
        "C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -i
        3⤵
        • Executes dropped EXE
        PID:4960
      • C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
        "C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -s
        3⤵
        • Executes dropped EXE
        PID:4584
  • C:\Users\Admin\AppData\Local\Temp\B058.exe
    C:\Users\Admin\AppData\Local\Temp\B058.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4932
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5800
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 2364
          4⤵
          • Program crash
          PID:1944
      • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        3⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:4648
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:4376
        • C:\Windows\system32\cmd.exe
          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          4⤵
          PID:4912
      • C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2560
        • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
          C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5744
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:972
            • C:\Windows\SysWOW64\chcp.com
              chcp 1251
              5⤵
              PID:512
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                5⤵
                • Creates scheduled task(s)
                PID:4512
          • C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp
            C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            PID:4804
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 2340
              4⤵
              • Program crash
              PID:1676
    • C:\Users\Admin\AppData\Local\Temp\FourthX.exe
      "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
      2⤵
      • Executes dropped EXE
      PID:3408
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        PID:3576
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe delete "UTIXDCVF"
        3⤵
        • Launches sc.exe
        PID:4876
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        PID:1372
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
        3⤵
        • Launches sc.exe
        PID:3676
  • C:\Users\Admin\AppData\Local\Temp\BFBB.exe
    C:\Users\Admin\AppData\Local\Temp\BFBB.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:5148
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C922.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5740
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\C922.dll
      2⤵
      • Loads dropped DLL
      PID:4220
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5800 -ip 5800
    1⤵
    PID:3720
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4804 -ip 4804
    1⤵
    PID:4004

Network

MITRE ATT&CK Enterprise v15

Downloads


                Filesize

                3.0MB

              • memory/4960-111-0x0000000000400000-0x0000000000700000-memory.dmp

                Filesize

                3.0MB

              • memory/5148-190-0x0000000000400000-0x0000000001A2A000-memory.dmp

                Filesize

                22.2MB

              • memory/5148-244-0x0000000000400000-0x0000000001A2A000-memory.dmp

                Filesize

                22.2MB

              • memory/5148-182-0x0000000001CA0000-0x0000000001DA0000-memory.dmp

                Filesize

                1024KB

              • memory/5148-183-0x0000000001AB0000-0x0000000001ABB000-memory.dmp

                Filesize

                44KB

              • memory/5428-5-0x0000000000400000-0x0000000001A2C000-memory.dmp

                Filesize

                22.2MB

              • memory/5428-1-0x0000000001A80000-0x0000000001B80000-memory.dmp

                Filesize

                1024KB

              • memory/5428-3-0x0000000000400000-0x0000000001A2C000-memory.dmp

                Filesize

                22.2MB

              • memory/5428-2-0x0000000001BF0000-0x0000000001BFB000-memory.dmp

                Filesize

                44KB

              • memory/5744-162-0x00000000026A0000-0x00000000026A1000-memory.dmp

                Filesize

                4KB

              • memory/5800-276-0x00000000073F0000-0x0000000007422000-memory.dmp

                Filesize

                200KB

              • memory/5800-296-0x0000000007540000-0x000000000754A000-memory.dmp

                Filesize

                40KB

              • memory/5800-204-0x0000000004EA0000-0x0000000004EC2000-memory.dmp

                Filesize

                136KB

              • memory/5800-277-0x000000006E640000-0x000000006E68C000-memory.dmp

                Filesize

                304KB

              • memory/5800-264-0x0000000007880000-0x0000000007EFA000-memory.dmp

                Filesize

                6.5MB

              • memory/5800-252-0x0000000007180000-0x00000000071F6000-memory.dmp

                Filesize

                472KB

              • memory/5800-279-0x000000006FCD0000-0x0000000070024000-memory.dmp

                Filesize

                3.3MB

              • memory/5800-232-0x00000000063D0000-0x0000000006414000-memory.dmp

                Filesize

                272KB

              • memory/5800-291-0x000000007F260000-0x000000007F270000-memory.dmp

                Filesize

                64KB

              • memory/5800-290-0x0000000007430000-0x000000000744E000-memory.dmp

                Filesize

                120KB

              • memory/5800-292-0x0000000007450000-0x00000000074F3000-memory.dmp

                Filesize

                652KB

              • memory/5800-271-0x0000000007230000-0x000000000724A000-memory.dmp

                Filesize

                104KB

              • memory/5800-224-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

                Filesize

                304KB

              • memory/5800-223-0x0000000005E60000-0x0000000005E7E000-memory.dmp

                Filesize

                120KB

              • memory/5800-302-0x0000000072350000-0x0000000072B00000-memory.dmp

                Filesize

                7.7MB

              • memory/5800-197-0x0000000002880000-0x00000000028B6000-memory.dmp

                Filesize

                216KB

              • memory/5800-220-0x0000000005A80000-0x0000000005DD4000-memory.dmp

                Filesize

                3.3MB

              • memory/5800-199-0x0000000072350000-0x0000000072B00000-memory.dmp

                Filesize

                7.7MB

              • memory/5800-201-0x0000000004FC0000-0x00000000055E8000-memory.dmp

                Filesize

                6.2MB

              • memory/5800-202-0x00000000028D0000-0x00000000028E0000-memory.dmp

                Filesize

                64KB

              • memory/5800-216-0x0000000005920000-0x0000000005986000-memory.dmp

                Filesize

                408KB

              • memory/5800-206-0x0000000004F40000-0x0000000004FA6000-memory.dmp

                Filesize

                408KB

              • memory/5800-200-0x00000000028D0000-0x00000000028E0000-memory.dmp

                Filesize

                64KB