Malware Analysis Report

2025-03-15 05:20

Sample ID: 231211-dfx53sbbgq
Target: b846f0bb8a677991d85807fded1e9007.bin
SHA256: 62f28fb67834679ed133e70158c6b89327de331af2e89ee895da8f43d2bb13a2
Tags: smokeloader glupteba redline @oleh_ps livetraffic up3 backdoor discovery dropper evasion infostealer loader spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 62f28fb67834679ed133e70158c6b89327de331af2e89ee895da8f43d2bb13a2

Threat Level: Known bad

The file b846f0bb8a677991d85807fded1e9007.bin was found to be: Known bad.

Malicious Activity Summary


RedLine

SmokeLoader

Smokeloader family

Glupteba

Glupteba payload

RedLine payload

Downloads MZ/PE file

Modifies Windows Firewall

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-11 02:57

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-11 02:57
Reported: 2023-12-11 03:00
Platform: win7-20231023-en
Max time kernel: 104s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (7 rows, all fields N/A)

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (3 rows, all fields N/A)

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A
N/A | N/A | N/A | N/A   (62 further rows, all fields N/A)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A   (3 events)
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F68F.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1204 wrote to memory of 2272 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F68F.exe   (4 events)
PID 1204 wrote to memory of 1536 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BC2F.exe   (4 events)
PID 1204 wrote to memory of 1640 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C728.exe   (4 events)
PID 1536 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\BC2F.exe | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe   (7 events)
PID 1536 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\BC2F.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe   (4 events)
PID 1536 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\BC2F.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe   (4 events)

Processes

C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe

"C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe"

C:\Users\Admin\AppData\Local\Temp\F68F.exe

C:\Users\Admin\AppData\Local\Temp\F68F.exe

C:\Users\Admin\AppData\Local\Temp\BC2F.exe

C:\Users\Admin\AppData\Local\Temp\BC2F.exe

C:\Users\Admin\AppData\Local\Temp\C728.exe

C:\Users\Admin\AppData\Local\Temp\C728.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-FSMN3.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FSMN3.tmp\tuc3.tmp" /SL5="$901C6,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211025914.log C:\Windows\Logs\CBS\CbsPersist_20231211025914.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\102A.exe

C:\Users\Admin\AppData\Local\Temp\102A.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\33A2.exe

C:\Users\Admin\AppData\Local\Temp\33A2.exe

Network

Country | Destination | Domain | Proto
RU | 81.19.131.34:80 | 81.19.131.34 | tcp
RU | 185.172.128.19:80 | 185.172.128.19 | tcp
RU | 77.105.132.87:6731 |  | tcp
MD | 176.123.7.190:32927 |  | tcp

Files

memory/1764-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1204-1-0x0000000002C00000-0x0000000002C16000-memory.dmp

memory/1764-2-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F68F.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

memory/2272-12-0x0000000000160000-0x000000000019C000-memory.dmp

memory/2272-17-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/2272-18-0x0000000000CF0000-0x0000000000D30000-memory.dmp

memory/2272-21-0x00000000747B0000-0x0000000074E9E000-memory.dmp

memory/2272-22-0x0000000000CF0000-0x0000000000D30000-memory.dmp

memory/2272-24-0x00000000747B0000-0x0000000074E9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BC2F.exe

MD5 d0c59443e41e1160209139841fa39c9f
SHA1 76be0077ce9dc5ef6756b8c202a6d5d94c759535
SHA256 de3b8eeffa2d3ce30a578af1de877afd5831e428ca7c0767933d6e6af9ac815c
SHA512 d954cd9752d04a8d182377505e5c9a9f942425daf99301e3a136d1dca7565d8b181485d08852194c1b9152752b75824ce55c052d3697bf0c54e48dfb56332f28

memory/1536-30-0x00000000740C0000-0x00000000747AE000-memory.dmp

memory/1536-31-0x0000000000830000-0x0000000001CE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C728.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/1640-38-0x00000000740C0000-0x00000000747AE000-memory.dmp

memory/1640-37-0x0000000000FC0000-0x0000000000FFC000-memory.dmp

memory/1640-40-0x0000000007270000-0x00000000072B0000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 77471d919a5e2151fb49f37c315af514
SHA1 0687047ed80aa348bdc1657731f21181995b654c
SHA256 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1
SHA512 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 f81be07058935d224ab3843bff94fec0
SHA1 1a7360901f8cb5017f7a41ca1a6984227b712b16
SHA256 8d4df79cf6bf1cb8285b7358a7c6d92c7f665065999934b24c1175311d99fb6c
SHA512 342b2c767af972819c57091e9d9d65578522fa48549b6c40aad6791b0c65e186b377e3f095458e8b5d873ffdadd73897252a13bead652bd74a09540d2c27c96e

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 00e93456aa5bcf9f60f84b0c0760a212
SHA1 6096890893116e75bd46fea0b8c3921ceb33f57d
SHA256 ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504
SHA512 abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

memory/2592-72-0x0000000002760000-0x0000000002B58000-memory.dmp

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 1f40433778e799319ae0ece36d28f00f
SHA1 4ce947e15182e61e379fbfbf52b6625cb0528c69
SHA256 1d360b097bfd95b5e6312350928af25631973ff1ddfce7835ac5c8b239b9e58c
SHA512 30e0d4d61dd4535f7e09a0e0d49691dbb9f99ed54f01b4b898eb786b466cdba34e170677887831daa5e6f98bf2f0d8ca7729a2bf7949ee0ac043a617b419030f

memory/2844-78-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-FSMN3.tmp\tuc3.tmp

MD5 5525670a9e72d77b368a9aa4b8c814c1
SHA1 3fdad952ea00175f3a6e549b5dca4f568e394612
SHA256 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
SHA512 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

\Users\Admin\AppData\Local\Temp\is-629L0.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-629L0.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/868-92-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2592-101-0x0000000002760000-0x0000000002B58000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-629L0.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2592-104-0x0000000002B60000-0x000000000344B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2592-118-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1536-119-0x00000000740C0000-0x00000000747AE000-memory.dmp

memory/2880-120-0x0000000000230000-0x0000000000231000-memory.dmp

memory/944-125-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1684-124-0x0000000000900000-0x0000000000A00000-memory.dmp

memory/944-130-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1640-131-0x00000000740C0000-0x00000000747AE000-memory.dmp

memory/944-128-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1684-126-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2880-134-0x0000000000400000-0x0000000000965000-memory.dmp

memory/2592-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1640-135-0x0000000007270000-0x00000000072B0000-memory.dmp

memory/2844-136-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2592-138-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1204-139-0x0000000002A50000-0x0000000002A66000-memory.dmp

memory/944-140-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2592-145-0x0000000002760000-0x0000000002B58000-memory.dmp

memory/2592-143-0x0000000002B60000-0x000000000344B000-memory.dmp

memory/868-146-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/868-148-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\102A.exe

MD5 2e47689f4002fe68d190b2f939f683c7
SHA1 f389e3443edaf6886220427b65a0688cd87de873
SHA256 dab540109675f8680f497b14f62913bc6ffa21c28dd4604f480ea5a9beffaff4
SHA512 398a682c426be43396894cd8d5dda25f6308f191dab236496522e524a69ceacd31019f238034e27af8af2155b017bd50397a6b3b939441a0e2fdbc034f22b57b

memory/2344-154-0x0000000000FD0000-0x0000000001582000-memory.dmp

memory/1328-153-0x000000013F490000-0x000000013FA31000-memory.dmp

memory/2956-155-0x00000000025E0000-0x00000000029D8000-memory.dmp

memory/2344-156-0x00000000740C0000-0x00000000747AE000-memory.dmp

memory/2344-157-0x0000000005310000-0x0000000005350000-memory.dmp

memory/2956-158-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2956-159-0x00000000025E0000-0x00000000029D8000-memory.dmp

memory/2880-161-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2956-171-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-11 02:57
Reported: 2023-12-11 03:00
Platform: win10v2004-20231201-en
Max time kernel: 79s
Max time network: 102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (3 rows, all fields N/A)

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9451.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\729C.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A
N/A | N/A | N/A | N/A   (62 further rows, all fields N/A)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3464 wrote to memory of 1752 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9451.exe   (3 events)
PID 3464 wrote to memory of 3832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\729C.exe   (3 events)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe

"C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe"

C:\Users\Admin\AppData\Local\Temp\9451.exe

C:\Users\Admin\AppData\Local\Temp\9451.exe

C:\Users\Admin\AppData\Local\Temp\729C.exe

C:\Users\Admin\AppData\Local\Temp\729C.exe

C:\Users\Admin\AppData\Local\Temp\75E9.exe

C:\Users\Admin\AppData\Local\Temp\75E9.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-SGTPU.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SGTPU.tmp\tuc3.tmp" /SL5="$601CC,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1488 -ip 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\BED9.exe

C:\Users\Admin\AppData\Local\Temp\BED9.exe

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
RU | 81.19.131.34:80 | 81.19.131.34 | tcp
RU | 185.172.128.19:80 | 185.172.128.19 | tcp
US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
MD | 176.123.7.190:32927 |  | tcp
US | 8.8.8.8:53 | 190.7.123.176.in-addr.arpa | udp

Files

memory/1100-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3464-1-0x0000000000850000-0x0000000000866000-memory.dmp

memory/1100-2-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9451.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

C:\Users\Admin\AppData\Local\Temp\729C.exe

MD5 bb2020dbcc2c8bdea19bade91c4595fb
SHA1 5b18b608796b708b500b3007e6863b67bb33f95d
SHA256 fbe36e45621fea85ee0ab12e84529177993ac32be83c8c23e303813ff43bb5ec
SHA512 e268ae13efd03c09d66871a6b44e15f67d91e752a52e53e421bbf31aa880bfe31505cbd4f7a078cd32283b09cae3065b02775090a369a06eedde14d3ea2f8d3c

C:\Users\Admin\AppData\Local\Temp\729C.exe

MD5 e48f6d63e08545ebebb69a65348b520b
SHA1 4baaa7cdfae4715e841dc432a908c6db9a86cc8a
SHA256 3957108b4e53297db0322fafa6c59802436c0a43cf350deb3b409bd41d847723
SHA512 e0d11045e12da1c137e12e6744583cd75a1649b223cdbf513c72f354873f426bdd0c9854a87e427a18cf543c19ab77c48c2a735de89d0378b5912247a5396dd6

memory/3832-16-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/3832-17-0x00000000002E0000-0x0000000001796000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 6c0f52a5d64d63342a75809dad01db84
SHA1 696201a40d3b0fd5d782d9a7ce72414ec572fb53
SHA256 0cd5e005d5016f47ccb32765a03e3ebda937f7d8d567fcff7e40729f17e0b508
SHA512 fdf4894ac2ace4dd902367ff5d501635befdc22c143ded4b0ac4efa5d6d0a6a9b35332a481a587500d5d301847cec8d1b4d96f0356a3c927db1e4e7ca431774b

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 eacdc697edea97484089d4785b4963f5
SHA1 c7eab58051c1b851b26216829bd05593628bfeac
SHA256 6d2d4445b1a0b9c6949020a350c141cc5e8bb7f15ce1a65cb3cdae92d77e2a03
SHA512 937c4c26bf1bee2e5b48325f48963ba1ca7e356226a4d134edea66caecc97ba448188323285ac483ba5831e2b12343d726e39ff24d3ff3474654435ffbfefb1e

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2c54e350d78801b5c8b812d43763f5d8
SHA1 0773a7069c9e642dd18dd0782644db62c7f88721
SHA256 add2b419000589b279d5ad6ad65eaf1e524117eeccd68e277bdcb8338d99eaeb
SHA512 46c9c758754ad54c18fdfae933c0847ba78491077d3d0f7df8207c107008d2f7990b76b48712b577a75c24c43c6a4b4cd09ac21627c77ee5307035157b121cae

C:\Users\Admin\AppData\Local\Temp\75E9.exe

MD5 12604a75ffe9fe85b4cd9c1159ada9e6
SHA1 ab1b4205e30e3b8a2254bdb802d48dbd0717475e
SHA256 5ef1e8c54f031274792caf78292d4c84602e16cf1a668afef0e79e167ca29aa7
SHA512 a99f79bc16e28c58ac0a6659dc14ddcf7dea3356bbdfafc20d4f3e9904ab53e69b82bf0759de45e063aa68b9d67de20ece6224a06ffed01da92fd4342642b614

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 325f0e75259426949c1e7e00704c4015
SHA1 dc3bb01728ac749d57e98bbb43bcf1d2ea5d3603
SHA256 ffe10958e9b757bb25efe72f0aa04c434530a4582e9d6946b0c977de97ea2d84
SHA512 cfc5e224b36d567f52de01bad7e9a39ab0fbfd1d6b5a8367b4ca4d0804db7a86fa68c2a3ca19e77006b08325eca888b820036b2784f63d7f859d018ac82ab214

memory/4988-51-0x0000000000D50000-0x0000000000D8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 a0516776a9453ef04e1930e9e932f8f9
SHA1 772c22f42ce2032d5efb573d6514f61da2b1ec8a
SHA256 445d5fe629e2f1085379b971e03252b3e27fc3bd49c6fd46deb284715e07102d
SHA512 f83fce7f92b48a5cc94b0a59d761bc03f19e933e06ee8ab9b7e424673bc50d6c19b34d5a474ee2b53ce35879e09a68de5f0ab4d905ce75c9d99619abf9638e99

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 da69fe1ec72c66d6d5cb4660d2aa0096
SHA1 f4c9532bbcdae456d9b3102e01197e8032ae906d
SHA256 d12c519c7de09e7a7eacb8a9fcce77a8c49ddb249875e2ce9cbbb2d0e46eb015
SHA512 1e4dca9098cd5f8dc96216b9a618eabb59eea04bb3ba7e262d617eac8c3478c3911963a933a3693990f2ac17a65c7d4912d96bc1a7ddeb071eb1fe3a1ed45e80

memory/4988-64-0x0000000007FD0000-0x0000000008574000-memory.dmp

memory/3300-62-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855