Malware Analysis Report

2024-10-18 23:12

Sample ID 231210-3ettpsfbgk
Target 0709c265fa8e91c4fc88c9b4ebc32747.exe
SHA256 8c490d6ddb6088af87d6e487397113a54d4e23ace17159fdd514b4a39849d929
Tags redline smokeloader @oleh_ps livetraffic up3 backdoor evasion infostealer trojan eternity
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 8c490d6ddb6088af87d6e487397113a54d4e23ace17159fdd514b4a39849d929

Threat Level: Known bad

The file 0709c265fa8e91c4fc88c9b4ebc32747.exe was found to be: Known bad.

Malicious Activity Summary

redline smokeloader @oleh_ps livetraffic up3 backdoor evasion infostealer trojan eternity

RedLine

Eternity

RedLine payload

SmokeLoader

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Suspicious use of SetThreadContext

Program crash

Runs ping.exe

Checks SCSI registry key(s)

Runs net.exe

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-10 23:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-10 23:26

Reported

2023-12-10 23:28

Platform

win7-20231201-en

Max time kernel

146s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6345.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D653.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1720 set thread context of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1720 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1720 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1720 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1720 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1720 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1112 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6345.exe
PID 1112 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6345.exe
PID 1112 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6345.exe
PID 1112 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6345.exe
PID 2560 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\6345.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2560 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\6345.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2560 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\6345.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2560 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\6345.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1112 wrote to memory of 1616 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D653.exe
PID 1112 wrote to memory of 1616 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D653.exe
PID 1112 wrote to memory of 1616 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D653.exe
PID 1112 wrote to memory of 1616 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D653.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe

"C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\6345.exe

C:\Users\Admin\AppData\Local\Temp\6345.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 532

C:\Users\Admin\AppData\Local\Temp\D653.exe

C:\Users\Admin\AppData\Local\Temp\D653.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-SHL2V.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SHL2V.tmp\tuc3.tmp" /SL5="$50174,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231210232807.log C:\Windows\Logs\CBS\CbsPersist_20231210232807.cab

C:\Users\Admin\AppData\Local\Temp\E2F2.exe

C:\Users\Admin\AppData\Local\Temp\E2F2.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country | Destination | Domain | Proto
RU | 81.19.131.34:80 | 81.19.131.34 | tcp
RU | 185.172.128.19:80 | 185.172.128.19 | tcp
RU | 81.19.131.34:80 | 81.19.131.34 | tcp
MD | 176.123.7.190:32927 | | tcp

Files

memory/3060-3-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3060-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/3060-1-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3060-4-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3060-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3060-6-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1112-5-0x0000000002EA0000-0x0000000002EB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6345.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

memory/2560-16-0x00000000000F0000-0x000000000012C000-memory.dmp

memory/2560-21-0x0000000073AD0000-0x00000000741BE000-memory.dmp

memory/2560-22-0x0000000073AD0000-0x00000000741BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D653.exe

MD5 cbc72f4b45b1ff769d4eef31b3318b4e
SHA1 beea755faeacd88e15deeb0cfd4edb376b4f251b
SHA256 87810c1011886126e40cdaa6dc3b4b9d5fa23aa052ed7c44cf9f87bbc2a02acf
SHA512 736cc642fa99446b87084720ffa3a54d865b2c1974bfef790e062df4c520a90f3619a46bbf592b7f5d6b7c148c16133eb016a85c00f1fbe3264090afdd4af6c5

C:\Users\Admin\AppData\Local\Temp\D653.exe

MD5 d94f1cac685ff84ef1ebc06baeaecc25
SHA1 cdac56b68cb417f2c38aa9a4c3f18cde36a32f22
SHA256 23b2fea194c19dcf63ea84542117d81878e172d6baf73c8c3e821e9329c548df
SHA512 c5158aa2e58155dab5bf0a29aa74cebac0d9f2404c8c46dacdbe233812b53b7279fabad9b53be6642ff594b3f87d24eb0bf2b61722136437b5de580c8a1c07cd

memory/1616-28-0x0000000073AD0000-0x00000000741BE000-memory.dmp

memory/1616-29-0x0000000000CD0000-0x0000000002186000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 4d8b4be7a03155a32383cde0eb31593c
SHA1 0135eeab435dcae613ad0eab820c0c202082e9ab
SHA256 ec19d4756ebe4cef65e58a13383d511e6b6e77a02a739168ff297619ecf269bd
SHA512 8c560ea8ffdbacfaf7ee44ea2459e05c57efbd9029adc169919aeeeb79f9fcf26496a216ef1e6abd40e35e45e42d0a6d87a6de31aadb570f5e5d09b266794ed6

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 4190cea4425c1784c6b723e339abb038
SHA1 44659ba029a5d6a5b16e559b53fc805e178aea4c
SHA256 859f5532cf3f6a0aaa1ffd3f94b2aa85f5d50f7c74a27ede45d25d2e9870a751
SHA512 07b92958c31e85b1e208672e853c98f8ad2e1065405e8aad59fa27d344bd99246ec4a24c7905ead8b41dd4fadf06b0be14b17bfeb404d26be836f2327080cbfd

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 58da96e1b7fa4ebc6c48fd50826f259b
SHA1 225e4f8e33c0f4ee294bf1d4ca3baa2706fb62ea
SHA256 d6ce3c8b2375579946b4bb0d6f3b939ddc15c7c0e010255282174b79a9044a78
SHA512 ff4201be6802cd3b089497fda3deccf3d4450c4217744d4f39dc547da380d5b1a241a91701ec54fa3b499b0be931549e7ffc968efe134faf1fb2f961387f90e1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8ceb654f11b77f58bbc7e69ea25b5073
SHA1 e465fbe119755d431eb4023e0c18fb0cf8e66c81
SHA256 d32aed69f1891f02dca3bbb0893fb6f19ed36b47c921ee1894c6da7b885b0f7f
SHA512 061672be6cf12bc964d89f02b6e8f0ac69e53ffd6915960f426defd238068b6d3834c6237fc02417475ded98c63b959ebe32071fd683584996a84930cecd0c36

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f41b392c88207cc19213d23d84f1a3f4
SHA1 35e7e668080b53403c0cad155eeed3e364cfda83
SHA256 b6c037b7800d772012ea376998857f7b20a3b89f62f820836d52c0dbbe96df67
SHA512 b4ca87fd43fb489f84240d135d312385ca87f67955e1a2a80d0ae1e730b71009fe1d4dbb4021d3c48ae08c0d1a381ed04f40e78c2e0658e5afd6df1d49908323

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 a6b4307f17ddf0652911b970e6f19513
SHA1 09777135736c2a4fa00c205ff33000b3b50e7101
SHA256 35f717bfa252c1ef73fd6899b4779219fb9317636c0eb8871f67c3aec30d81f1
SHA512 300b42d8bacaae79e47c670d4fc577c5a49f8e510bdbfe98a47d61c64b5140dc1a9fe91aeee9db5793f1d45368156a72364d0afc3d491a4b770a19128474ffb5

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 1774e8bc852e0eeac688a5b46f3b7d01
SHA1 e19e6ceb9c1dd6df2c9dd468400da012d5c3a33f
SHA256 1a87f95f93bb45059ce76006ff27ff3f56863a336ecde1f72d0350b637024383
SHA512 644bf9a089101940e372484ca5a5424b3aacc5240b787c707a5b25be2c0adb6129a40751de5b22f0a55c1e460e24053fd4f5f2b210432bce0533f67e33d28e6b

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d530fddaf297837cdf5a4a4b3e250310
SHA1 2e673bee84a603d6926887325ecc640b5bf96519
SHA256 94285d2fe93348cd155473344d7791bc8108d6db2a875b3ff8bdf1fd1e32dd62
SHA512 6c4be5eefe4a81b11e11e3acaf4bc01b07dea3f88bd577592d20ae00547454d289c811d5a8ea7a400b6322ca429654cd361533e446eecee065251e4f94289bc0

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 af7266153eff5f0e406d5811dc4df039
SHA1 b796fbfb51dbebe39f01307906c54d3b088b4519
SHA256 6970ffb993312ad7d2bbbc32ee4b0e6f1627c8e7f7e654ea912ae1b4194a3f8f
SHA512 fe8d9f8c08115e3e9779ec4f9a7c09035bf787bfb518ce15451892b27a7b9161d823ec4964f6b88f1042bed060750fb8d5bcf6bb08e7c5dd458a0992aed977d1

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 b9288e5304f2b2365bf76a82e0f62058
SHA1 2a98962cd9a8f464360ddb45ae485eb0161e5459
SHA256 bb7c1b780d189fb41f4f6d0804d3789820f65059b4e380ca5772b998782eb09c
SHA512 f0b8b8189a1ae61635c33a37f1c14b0ec1309bb28e1676596cee9c8a0aebe18c4e535dae2a595c286512799cc4ff56138daa2801a000e617a9c9f044f750cc3f

memory/488-62-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 7edf8755e4321aab04bfa7b62f053f0b
SHA1 e86de95a2fc1ef73f8ab1221a2e37545f0e2073c
SHA256 57a8d4a1e95b8fba1b6434c9437fb398b2f853c979d5807ff67748e4b10ecd4a
SHA512 9888cb1210391d60616cc5fa033dcde8b22ccd125df9d93e937649708801563a1ad3ee5e9aaf739356147a1f9e075f29b6a84ddeb8b19d6fe48126aaa4cba041

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 d0cf061ece987588f0a4b63d4751cc85
SHA1 9b061b9a788e77724ca48101ba8c4b68d23e6b89
SHA256 a038dce990ab19524b19e6c57673258e20650f6b2a89139828f4bcbb65e77e0f
SHA512 c210e7ae5baafa050418cab0e2585c5b59d596e9fbeb4261c90705d21ec0219781194b0914a1500757e82f1a90e71aaba0e720f3fdc4cf2cf5cdbdf395bd1b4a

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 245b877e3ae990f2b30829ef092f0b2d
SHA1 94c9056b706049a2774b4646b77d12967d9d070b
SHA256 c16c590d336390b33b9d02796ce58a7924a171160f071699416c6b9ca5cb19a3
SHA512 7a2c8b01fd6408e4936ec19b258730ab5ed530d4e41994c52c22748579b0663e706e3a2ac841105d13aa2958cb787bd627c2e0297050f781491a4b68510f24ae

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1e257fcf27b289ddaa33f5c07820f658
SHA1 45f00d851d99ca3960185bf057401cf99e8d3ded
SHA256 e7136bdc895b87e2a0a3f9bf3b8eafccb6a782db46f2b1f2c15f528118376925
SHA512 8290d8b380c5bf966ce63b47a2936c553b8d06c24b161d7202bb75fed67c1456b70edfcb0d27eb08e22540103d3aedbabb52cc0319d9a5e581ab78af7df2f887

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 dced17fa66f96e2203a31538969ffbbb
SHA1 e25f5dc2e0f457826214164043a76087eaccca22
SHA256 cfd9fd5653cab5974eaca9910cc38ea777d09c3ed8156f5e284b7f3767336322
SHA512 e79f4f40af3ac1c30d286fc4e868201117fa52353ae9f17bc7f7a5b718da8724a658565c65103d1c77bbb82df7a4298b824e827e051a83ac85271ac6b310a46d

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 840da75f2f27c989809cee05b061531d
SHA1 4d1f6f718e2d399d7bededd1334912ab14f869e8
SHA256 9a063752fef4cddce7f0d4809830453a707f0a44d990d71be93083d7bf934221
SHA512 721c4eb366f144603af996618170187a7aa2152d7695d08ae0ef8983b102a149bd0be1d8e04193b88655c0f692e7107a2091be5153603df8ca2d7aaa4f9981ea

C:\Users\Admin\AppData\Local\Temp\is-SHL2V.tmp\tuc3.tmp

MD5 37a43af1e7ccb15b02b5b08fabadb95e
SHA1 416a108d04dd09921066bb6395bd168bfbbd392a
SHA256 282d7e3f41fa563d077a431e028f164e3451023ded76070ac135ed1b3d43d046
SHA512 dc4aa8ad187d103e68bc9e3928763d0be38dfd44130ecf5a8fb9de19f62bd3f56ffa78070bac05e2ecca4be249d60dab73c3088cdeaa2fa28e0c3209141d59ae

\Users\Admin\AppData\Local\Temp\is-VUDRU.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 8404cfb7a73b1877e567165b96f13278
SHA1 c4aa20a5a958e1a810c02cac9801b0cc80f0cf10
SHA256 ad56e458f1143e352ac24797995f04c7c9ab5b8c345e1e51ac70b58c10a2f427
SHA512 1eaf8be061b6086b42d189bc9d897f8e99bcbe0a30ce151e42b0e8cde6931ffc9fd5cbb197a4f1b0ffa541e426e1d051fba7762196fbfad382543121728878e9

memory/1224-105-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2516-106-0x0000000002840000-0x0000000002C38000-memory.dmp

memory/1616-104-0x0000000073AD0000-0x00000000741BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 69703ec573166055f9f5b1b5fbd0ed57
SHA1 c1e693627e9c82830e328e2625b8fb98d3a545f9
SHA256 40ba219077d3392b1e362f2597f9a397c34832860745fef062c074aa43206c44
SHA512 9e7998890ec815e52489aa0cd023ea21af348857798c93e1471b9e09f783df2d56db5e21c83baf5622a55cab80f859b5d771ea49a0130697a8d33460276a2dbc

\Users\Admin\AppData\Local\Temp\is-VUDRU.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-VUDRU.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1832-76-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SHL2V.tmp\tuc3.tmp

MD5 b94fefeee801315f57f3b44a86e0a972
SHA1 6b934f1bc5df39d60b974a143e5de8c42f4c2b86
SHA256 773f3d55c7acdf9e78a7e4d93611973a33a63d94ed334372af22d705329b2566
SHA512 fe36f9596451b36e1ec73ba902138433bb1430b3dd96f7fe2e8e3a1646bbafd273db03667998cc1a601c7d95223c53d1db26b3a837a2f65487e9a265733d0bfb

\Users\Admin\AppData\Local\Temp\is-SHL2V.tmp\tuc3.tmp

MD5 e84743205ca9cd1fc87595a6e9120da0
SHA1 8f684e0c64609959f5ad773bc8fb22bb4020234c
SHA256 a730fd83e20a9f50fba802602b51bf4ce69e948384201e12362b514489a376da
SHA512 b042b14c671c8a81e246b3610f806f89c96625435da2d616e8aac72c0aaa8fbe6d8cd321f63aa8d5cc8d3951dee81a6d06cc63935f7de42f46c5dab29a2b67bf

memory/2516-108-0x0000000002840000-0x0000000002C38000-memory.dmp

memory/2516-109-0x0000000002C40000-0x000000000352B000-memory.dmp

memory/2516-110-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 eb8e7dbaccf3e1eb654a7d5a59886249
SHA1 2ad5ac61b3b91156c2ef34f1bbedb98a3a36637d
SHA256 7c977af7c92811910443b2871e6256130dfda3309ce3e60d8b7906e85963fd84
SHA512 a382927ec4ea00237755fe4a6a1e1436b30c58eeb03267ba917c1a93230ae0bd281c00b6236e687b79a5007978412c86df4ef00037e2721f007b6c7ab5a1a3e3

memory/2160-114-0x00000000008A0000-0x00000000009A0000-memory.dmp

memory/1580-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 a8b8a92f34d019f4b1c69ae77ba50d3b
SHA1 4c0db805804266d34aa814837b39889ba608aabc
SHA256 6ab302ad5c0d61bd29b1581808051733abad0cc943aa3ebc4317d9dfa21fa719
SHA512 0759f837fe39171d731da24e34cf65d72314d1f37b4236d2709a3749f46cc523fc93f21cefea8f0422cbf3c52480bb4ae04be7431fec705fe9500912c71499a7

memory/1580-119-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 e4d1cd833b1825f370a60f381353b414
SHA1 7fa4a76a65372efce9c50c41a999ab50bc8f5185
SHA256 3c73128cda575df8a55adb355984cb6d8d66b832d3edf1932427c2cf6f4ad45a
SHA512 be4a28bafe3ff7162f88f11fdb5b769f9fc7bd43f11eff23d6c7ec459e5e0dbb63e288690fca62c84318db37946669281dab005a2700dccc94d6d4fe19af29c7

memory/1580-117-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E2F2.exe

MD5 bf25d617542994eb0b10af8bb65d40ac
SHA1 4bbdbac82ead50d235835287f289b61e79ab198d
SHA256 9e758ff5360157f33489a47ff1354112af20e778a9ac3fb98ce275d84118f851
SHA512 6f9293e40c4b97c9b02659874d092b1aac135f42668fcab6f0c5969a21f650ab29751815586008aace88bf0da09b5e6409811f4f363376fa5d95f6bab095edf3

C:\Users\Admin\AppData\Local\Temp\E2F2.exe

MD5 6a8b3c0fb5cf44f9cee87832464634b1
SHA1 7611ff3e8f059cb27c7d806ba9c3dfcb513d7534
SHA256 1967688d1af42ada2582dad05943a3269a9750b324c686b8cc82a5ea4066eba2
SHA512 c6ec7bcc4ea7b605fff2b42031a984e3d3f0835b22ba30caeb75dc018e3eea0d802b168ca27330f0ea32d5d04126235279840fdf21d74b2061e1373939a8bbc7

memory/2160-116-0x0000000000220000-0x0000000000229000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

memory/2516-128-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2516-129-0x0000000002C40000-0x000000000352B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

MD5 426b99aad86bf49deb3d41f63156b1ad
SHA1 8641bab37f64fe40d5e530f83a8de7f1b07e77b8
SHA256 d5ec3187f05ca7d9c57ba1fa3e09be372cccc16e0c2d073f18bae07127784904
SHA512 3c26cd45098abe4922222a5452ee6bb6442dce34af770fe24aaac0dd2c7ce6be9ba907833d8b3d2ad29d9ddd672ee9e3bd0a44d66337580e019b9c18fb48d077

memory/1536-136-0x00000000003C0000-0x00000000003FC000-memory.dmp

memory/1536-135-0x0000000073AD0000-0x00000000741BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

MD5 32626afc5d6644d531ebe44caa9a6bbd
SHA1 66b2a75ee482f98158c12b7036ae8ea34a8b97d4
SHA256 a936065b524714d449df52f35236c1b131301791eabb0d34d57d15d2472ed1fe
SHA512 fb28c0dfc23a6a163fe60dd688af53da904f8e30c38a6e510d0f73e98e8f73d4ec2de90e8b29e458feb551249eee3f6a4e7b049bcca560ade5887c7b37e4e5fa

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 3a9954506330f8b1441465be83a4dd46
SHA1 4c2084170286d9f23366b2654be6f8ebae129379
SHA256 7cf6c99269ba2556547f227707c97d36468e5e6a206879c0b1105381f7e16d5e
SHA512 48524e18d23391d4e7966f647fb5cb227773bbdbabc3f8b42643be84e24632a1cc88ae26a9cabd2620dcd156260eed91d0ae3ff2565d783ee008adbbf9aab37b

memory/1536-137-0x0000000000AF0000-0x0000000000B30000-memory.dmp

memory/1672-138-0x00000000026A0000-0x0000000002A98000-memory.dmp

memory/1672-140-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/488-141-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1672-139-0x00000000026A0000-0x0000000002A98000-memory.dmp

memory/1672-150-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 27934bf41664b72b5e8c99b0bad0d3cb
SHA1 64463737b49e216163b917977cce2a72888168ec
SHA256 93c3eb07d2dad65b69e2c2296cccc39655bc0655c754821375179f3f87c9eb81
SHA512 b6b6e08e9e494a388ddb33adac0fbe5173701a851b5b01b99b42bda09776c15311d05fe4093ecce6a17fdd6d1d1a5b09cb060eaaadbec47fc42f82fc8ddc25ee

\Windows\rss\csrss.exe

MD5 1b8008ced56c08fb6d25714cb846dd95
SHA1 97c12c4086efc8fb7c3133221d1d92c419573c96
SHA256 43ae1cf6232bf75ff9b16c99ec12b6a4ca2460405b01211dc5bb52856cf7ed20
SHA512 e01dc1b314bead2629bd4e259634180836e541196bb1b90a39733b7c62d0a593f1ce7a74f93222b07b386050d29023956af950c16d10e5eae801bd43fe965497

\Windows\rss\csrss.exe

MD5 3d62e0ca5b29ad8f99f0b813773bada2
SHA1 3db448d288e33752e249f4ae308debf9e7023458
SHA256 226ff8a33cb616d883cff988adadd26d742584adfd76fb56562ffc06dbedd205
SHA512 59f16da13cbcb4e11f240ca5b054fa2e7bc830947a93e5f20166b8fc8cfe77dd87264e8d8b7089a224302366e2ce75448c62d28d30979234d8fa1b83fea78e00

memory/1672-151-0x00000000026A0000-0x0000000002A98000-memory.dmp

memory/1508-152-0x0000000002620000-0x0000000002A18000-memory.dmp

memory/1112-153-0x0000000002F00000-0x0000000002F16000-memory.dmp

memory/1580-154-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1832-158-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1508-160-0x0000000002620000-0x0000000002A18000-memory.dmp

memory/1508-162-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b563144d971349cccf6e2b19985a40d0
SHA1 cb82cce8bb3a7b29c9e9d7b5ea746e2ac6e6ed49
SHA256 a13534398553b27a76a2e840641526fc4e7e380b406769b9b24796b8da8ec088
SHA512 cda8a722d18e50fee30c2accd57f423e61c8aca004fc38f8cd620d1270957b57ab0d30eef80ec619e700538df38c36e43361623deba7fb562db85f9ec7794ccd

memory/1224-159-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 064751c1e9126a04a7ca9be19dcc401e
SHA1 8c5e646c12350b67c5c883921cd0277494dc5457
SHA256 8a1b2e204d4d6b73a08654564368abfb1d787ecdf455ce9af2eff5d165fb3f86
SHA512 fe0e4aa652bfd9598e513752b0896c77be220bba7691b2c1161de09a7a1f6c053f7c4241f1bd15d06186efb92bafe3336f51b351d857dab936b979235dd63a08

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 f305bbf6897afe4633311de8120182bf
SHA1 2a3dc597ae1fab42e965e0ff9bf196c4722453b4
SHA256 3e287720350bb9bd9edf77673ab363f1a592a53a576394eaef4a077735ea59b2
SHA512 14582bd32b9ea0bf03289a0f29f5e4a446abe92aecef87f0fef21918ac6c3be73643b8e242bf0cf4637290f04bc651e81bf5ab72b16646ba9cf2e39a37eeeaf2

memory/1656-182-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1656-180-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 df51333900748b4c299edf07dbf3edbb
SHA1 c35253224154b06dd983292734d246cd8073f7bc
SHA256 14ab5a37fcd1d34ee410afc7f5b5e0e5128230e61be08c03a05dcaead1517daf
SHA512 1d7e40ae185047d49610fdd57fc59399ad329f80de98501fbc99a8d8cd28a386379ca18e3b5d112aaca32e4675fb35d69b6605cb3bf73c3d108733010aa33f52

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

\Users\Admin\AppData\Local\Temp\symsrv.dll

\Users\Admin\AppData\Local\Temp\dbghelp.dll

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\Cab9B3.tmp

C:\Users\Admin\AppData\Local\Temp\TarA43.tmp

C:\Users\Admin\AppData\Local\Temp\4435.bat

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-10 23:26

Reported

2023-12-10 23:28

Platform

win10v2004-20231201-en

Max time kernel

148s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe"

Signatures

Eternity

eternity

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\97BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33F8.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3376 set thread context of 512 N/A C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3376 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3376 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3376 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3376 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3376 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3376 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3376 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3376 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3376 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3464 wrote to memory of 2328 N/A N/A C:\Users\Admin\AppData\Local\Temp\97BC.exe
PID 3464 wrote to memory of 2328 N/A N/A C:\Users\Admin\AppData\Local\Temp\97BC.exe
PID 3464 wrote to memory of 2328 N/A N/A C:\Users\Admin\AppData\Local\Temp\97BC.exe
PID 3464 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\Temp\33F8.exe
PID 3464 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\Temp\33F8.exe
PID 3464 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\Temp\33F8.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe

"C:\Users\Admin\AppData\Local\Temp\0709c265fa8e91c4fc88c9b4ebc32747.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3376 -ip 3376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 324

C:\Users\Admin\AppData\Local\Temp\97BC.exe

C:\Users\Admin\AppData\Local\Temp\97BC.exe

C:\Users\Admin\AppData\Local\Temp\33F8.exe

C:\Users\Admin\AppData\Local\Temp\33F8.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-36MEP.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-36MEP.tmp\tuc3.tmp" /SL5="$F0058,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\4791.exe

C:\Users\Admin\AppData\Local\Temp\4791.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4700 -ip 4700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 2560

C:\Users\Admin\AppData\Local\Temp\4500.exe

C:\Users\Admin\AppData\Local\Temp\4500.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

"C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1544 -ip 1544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 332

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 77.105.132.87:6731 tcp
US 8.8.8.8:53 87.132.105.77.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\97BC.exe

C:\Users\Admin\AppData\Local\Temp\33F8.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

C:\Users\Admin\AppData\Local\Temp\is-36MEP.tmp\tuc3.tmp

C:\Users\Admin\AppData\Local\Temp\is-A2V8I.tmp\_isetup\_iscrypt.dll

C:\Users\Admin\AppData\Local\Temp\is-A2V8I.tmp\_isetup\_isdecmp.dll

C:\Users\Admin\AppData\Local\Temp\latestX.exe

C:\Program Files (x86)\xrecode3\xrecode3.exe

C:\ProgramData\SpaceRacesEX\SpaceRacesEX.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

C:\Users\Admin\AppData\Local\Temp\4500.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_samuq4sx.suv.ps1

C:\Users\Admin\AppData\Local\Temp\4791.exe

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\rss\csrss.exe